{"_id":{"$oid":"69184e3f0999409cf96ec55a"},"file_info":{"path":"/home/apogean/projects/malware/windows/samples/dll_sample.dll","name":"dll_sample.dll","size":"52224 bytes","analysis_date":"2025-11-13 12:35:21"},"hashes":{"md5":"40784dca35fa06d4c4cb932e101e56ab","sha1":"b105724b5bee4ad43b23cf35d8d29ff231f94aec","sha256":"cf9cdd5d26283d31c43eb4df35a0dfc867da74441e5363890a84b988d8514c62"},"metadata":{"md5":"40784dca35fa06d4c4cb932e101e56ab","sha1":"b105724b5bee4ad43b23cf35d8d29ff231f94aec","sha256":"cf9cdd5d26283d31c43eb4df35a0dfc867da74441e5363890a84b988d8514c62","analysis":"static","os":"windows","format":"pe","arch":"i386","path":"/home/apogean/projects/malware/windows/samples/dll_sample.dll"},"attack_tactics":[{"tactic":"DEFENSE EVASION","technique":"Obfuscated Files or Information","id":"T1027"},{"tactic":"DISCOVERY","technique":"File and Directory Discovery","id":"T1083"},{"tactic":"EXECUTION","technique":"Shared Modules","id":"T1129"}],"maec_categories":[{"category":"malware-category","value":"launcher"}],"mbc_behaviors":[{"objective":"DATA","behavior":"Encode Data::XOR","code":"C0026.002"},{"objective":"DEFENSE EVASION","behavior":"Obfuscated Files or Information::Encoding-Standard Algorithm","code":"E1027.m02"},{"objective":"DISCOVERY","behavior":"Code Discovery::Enumerate PE Sections","code":"B0046.001"},{"objective":"DISCOVERY","behavior":"File and Directory Discovery","code":"E1083"},{"objective":"FILE SYSTEM","behavior":"Create Directory","code":"C0046"},{"objective":"FILE SYSTEM","behavior":"Delete File","code":"C0047"},{"objective":"FILE SYSTEM","behavior":"Get File Attributes","code":"C0049"},{"objective":"FILE SYSTEM","behavior":"Read File","code":"C0051"},{"objective":"FILE SYSTEM","behavior":"Writes File","code":"C0052"},{"objective":"PROCESS","behavior":"Create Process","code":"C0017"},{"objective":"PROCESS","behavior":"Terminate Process","code":"C0018"}],"capabilities":[{"capability":"encode data using 
XOR","namespace":"data-manipulation/encoding/xor"},{"capability":"contains PDB path","namespace":"executable/pe/pdb"},{"capability":"create directory","namespace":"host-interaction/file-system/create"},{"capability":"delete file","namespace":"host-interaction/file-system/delete"},{"capability":"check if file exists","namespace":"host-interaction/file-system/exists"},{"capability":"get file attributes (2 matches)","namespace":"host-interaction/file-system/meta"},{"capability":"read file on Windows","namespace":"host-interaction/file-system/read"},{"capability":"write file on Windows (4 matches)","namespace":"host-interaction/file-system/write"},{"capability":"create process on Windows (3 matches)","namespace":"host-interaction/process/create"},{"capability":"terminate process","namespace":"host-interaction/process/terminate"},{"capability":"enumerate PE sections","namespace":"load-code/pe"},{"capability":"parse PE header","namespace":"load-code/pe"},{"capability":"resolve function by parsing PE exports","namespace":"load-code/pe"}]}
{"_id":{"$oid":"693183ff21f7c0a343defdc6"},"file_info":{"path":"/home/apogean/projects/malware/windows/all_runs/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe","name":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe","size":"228352 bytes","analysis_date":"2025-12-04 12:52:06"},"hashes":{"md5":"9a5ff998dbf0f6923d0b454d89800fb4","sha1":"4f4fa23e9c503b941a5e91584d6ecc3813962ba1","sha256":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f"},"metadata":{"md5":"9a5ff998dbf0f6923d0b454d89800fb4","sha1":"4f4fa23e9c503b941a5e91584d6ecc3813962ba1","sha256":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f","analysis":"static","os":"any","format":"dotnet","arch":"any","path":"/home/apogean/projects/malware/windows/all_runs/360e6f2288b6c836…"},"attack_tactics":[{"tactic":"COLLECTION","technique":"Clipboard Data","id":"T1115"},{"tactic":"","technique":"Data from Information Repositories","id":"T1213"},{"tactic":"","technique":"Input Capture::Keylogging","id":"T1056.001"},{"tactic":"","technique":"Screen Capture","id":"T1113"},{"tactic":"","technique":"Web Browsers","id":"T1555.003"},{"tactic":"DEFENSE EVASION","technique":"Deobfuscate/Decode Files or Information","id":"T1140"},{"tactic":"","technique":"File and Directory Permissions Modification","id":"T1222"},{"tactic":"","technique":"Hide Artifacts","id":"T1564"},{"tactic":"","technique":"Hide Artifacts::Hidden Window","id":"T1564.003"},{"tactic":"","technique":"Impair Defenses::Disable or Modify Tools","id":"T1562.001"},{"tactic":"","technique":"Indicator Removal::File Deletion","id":"T1070.004"},{"tactic":"","technique":"Modify Registry","id":"T1112"},{"tactic":"","technique":"Obfuscated Files or Information","id":"T1027"},{"tactic":"","technique":"Delivery","id":"T1027.004"},{"tactic":"","technique":"Reflective Code Loading","id":"T1620"},{"tactic":"DISCOVERY","technique":"Account Discovery","id":"T1087"},{"tactic":"","technique":"Application Window 
Discovery","id":"T1010"},{"tactic":"","technique":"File and Directory Discovery","id":"T1083"},{"tactic":"","technique":"Process Discovery","id":"T1057"},{"tactic":"","technique":"Query Registry","id":"T1012"},{"tactic":"","technique":"Software Discovery","id":"T1518"},{"tactic":"","technique":"System Information Discovery","id":"T1082"},{"tactic":"","technique":"System Location Discovery","id":"T1614"},{"tactic":"","technique":"System Network Configuration Discovery","id":"T1016"},{"tactic":"","technique":"System Owner/User Discovery","id":"T1033"},{"tactic":"EXECUTION","technique":"Windows Management Instrumentation","id":"T1047"},{"tactic":"IMPACT","technique":"Resource Hijacking","id":"T1496"},{"tactic":"","technique":"/ Startup Folder","id":"T1547.001"},{"tactic":"","technique":"Association","id":"T1546.001"},{"tactic":"","technique":"Scheduled Task/Job::Scheduled Task","id":"T1053.005"},{"tactic":"PRIVILEGE ESCALATION","technique":"Access Token Manipulation","id":"T1134"}],"maec_categories":[{"category":"malware-category","value":"launcher"}],"mbc_behaviors":[{"objective":"COLLECTION","behavior":"Keylogging::Application Hook","code":"F0002.001"},{"objective":"COLLECTION","behavior":"Keylogging::Polling","code":"F0002.002"},{"objective":"COLLECTION","behavior":"Screen Capture::WinAPI","code":"E1113.m01"},{"objective":"COMMAND AND CONTROL","behavior":"C2 Communication::Receive Data","code":"B0030.002"},{"objective":"COMMAND AND CONTROL","behavior":"C2 Communication::Send Data","code":"B0030.001"},{"objective":"COMMUNICATION","behavior":"HTTP Communication","code":"C0002"},{"objective":"COMMUNICATION","behavior":"HTTP Communication::Create Request","code":"C0002.012"},{"objective":"COMMUNICATION","behavior":"HTTP Communication::Get Response","code":"C0002.017"},{"objective":"COMMUNICATION","behavior":"HTTP Communication::Read Header","code":"C0002.014"},{"objective":"COMMUNICATION","behavior":"HTTP Communication::Send 
Request","code":"C0002.003"},{"objective":"COMMUNICATION","behavior":"Socket Communication::Create TCP Socket","code":"C0001.011"},{"objective":"COMMUNICATION","behavior":"Socket Communication::TCP Client","code":"C0001.008"},{"objective":"CRYPTOGRAPHY","behavior":"Decrypt Data","code":"C0031"},{"objective":"CRYPTOGRAPHY","behavior":"Encrypt Data","code":"C0027"},{"objective":"CRYPTOGRAPHY","behavior":"Generate Pseudo-random Sequence::Use API","code":"C0021.003"},{"objective":"DATA","behavior":"Check String","code":"C0019"},{"objective":"DATA","behavior":"Decode Data::Base64","code":"C0053.001"},{"objective":"DATA","behavior":"Encode Data::Base64","code":"C0026.001"},{"objective":"DEFENSE EVASION","behavior":"Disable or Evade Security Tools","code":"F0004"},{"objective":"DEFENSE EVASION","behavior":"Self Deletion::COMSPEC Environment Variable","code":""},{"objective":"DEFENSE EVASION","behavior":"[F0007.001]","code":""},{"objective":"DISCOVERY","behavior":"File and Directory Discovery","code":"E1083"},{"objective":"DISCOVERY","behavior":"System Information Discovery","code":"E1082"},{"objective":"DISCOVERY","behavior":"Taskbar Discovery","code":"B0043"},{"objective":"FILE SYSTEM","behavior":"Copy File","code":"C0045"},{"objective":"FILE SYSTEM","behavior":"Create Directory","code":"C0046"},{"objective":"FILE SYSTEM","behavior":"Delete Directory","code":"C0048"},{"objective":"FILE SYSTEM","behavior":"Delete File","code":"C0047"},{"objective":"FILE SYSTEM","behavior":"Get File Attributes","code":"C0049"},{"objective":"FILE SYSTEM","behavior":"Move File","code":"C0063"},{"objective":"FILE SYSTEM","behavior":"Read File","code":"C0051"},{"objective":"FILE SYSTEM","behavior":"Set File Attributes","code":"C0050"},{"objective":"FILE SYSTEM","behavior":"Writes File","code":"C0052"},{"objective":"OPERATING SYSTEM","behavior":"Console","code":"C0033"},{"objective":"OPERATING SYSTEM","behavior":"Registry::Delete Registry Key","code":"C0036.002"},{"objective":"OPERATING 
SYSTEM","behavior":"Registry::Delete Registry Value","code":"C0036.007"},{"objective":"OPERATING SYSTEM","behavior":"Registry::Query Registry Key","code":"C0036.005"},{"objective":"OPERATING SYSTEM","behavior":"Registry::Query Registry Value","code":"C0036.006"},{"objective":"OPERATING SYSTEM","behavior":"Registry::Set Registry Key","code":"C0036.001"},{"objective":"OPERATING SYSTEM","behavior":"Wallpaper","code":"C0035"},{"objective":"PERSISTENCE","behavior":"Registry Run Keys / Startup Folder","code":"F0012"},{"objective":"PROCESS","behavior":"Create Mutex","code":"C0042"},{"objective":"PROCESS","behavior":"Create Process","code":"C0017"},{"objective":"PROCESS","behavior":"Create Thread","code":"C0038"},{"objective":"PROCESS","behavior":"Suspend Thread","code":"C0055"},{"objective":"PROCESS","behavior":"Terminate Process","code":"C0018"}],"capabilities":[{"capability":"self delete (3 matches)","namespace":"anti-analysis/anti-forensic/self-de…"},{"capability":"get geographical location","namespace":"collection"},{"capability":"save image in .NET","namespace":"collection"},{"capability":"gather firefox profile information","namespace":"collection/browser"},{"capability":"reference SQL statements (2 matches)","namespace":"collection/database/sql"},{"capability":"reference WMI statements","namespace":"collection/database/wmi"},{"capability":"log keystrokes (2 matches)","namespace":"collection/keylog"},{"capability":"log keystrokes via application hook","namespace":"collection/keylog"},{"capability":"log keystrokes via polling (2","namespace":"collection/keylog"},{"capability":"matches)","namespace":"│"},{"capability":"collection/network","namespace":"│ capture screenshot"},{"capability":"│ receive data","namespace":"communication"},{"capability":"send data","namespace":"communication"},{"capability":"manipulate network credentials in","namespace":"communication/authentication"},{"capability":".NET","namespace":"│"},{"capability":"communication/http","namespace":"│ 
reference HTTP User-Agent string"},{"capability":"│ create HTTP request","namespace":"communication/http/client"},{"capability":"receive HTTP response","namespace":"communication/http/client"},{"capability":"create TCP socket (3 matches)","namespace":"communication/socket/tcp"},{"capability":"act as TCP client","namespace":"communication/tcp/client"},{"capability":"create zip archive in .NET (3","namespace":"data-manipulation/compression"},{"capability":"matches)","namespace":"│"},{"capability":"data-manipulation/encoding/base64","namespace":"│ decode data using Base64 via WinAPI"},{"capability":"│ reference Base64 string","namespace":"data-manipulation/encoding/base64"},{"capability":"encrypt or decrypt data via BCrypt (2","namespace":"data-manipulation/encryption"},{"capability":"matches)","namespace":"│"},{"capability":"data-manipulation/encryption/dpapi","namespace":"│ generate random numbers in .NET"},{"capability":"│ contains PDB path","namespace":"executable/pe/pdb"},{"capability":"extract resource via kernel32","namespace":"executable/resource"},{"capability":"functions","namespace":"│"},{"capability":"host-interaction/clipboard","namespace":"│ monitor clipboard content"},{"capability":"│ read clipboard data (2 matches)","namespace":"host-interaction/clipboard"},{"capability":"manipulate console buffer (8 matches)","namespace":"host-interaction/console"},{"capability":"query environment variable (3","namespace":"host-interaction/environment-variab…"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/file-system","namespace":"│ get common file path (7 matches)"},{"capability":"│ copy file (7 matches)","namespace":"host-interaction/file-system/copy"},{"capability":"create directory (8 matches)","namespace":"host-interaction/file-system/create"},{"capability":"delete directory (2 matches)","namespace":"host-interaction/file-system/delete"},{"capability":"delete file (12 
matches)","namespace":"host-interaction/file-system/delete"},{"capability":"check if directory exists (15","namespace":"host-interaction/file-system/exists"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/file-system/exists","namespace":"│ enumerate files in .NET (6 matches)"},{"capability":"│ get file attributes","namespace":"host-interaction/file-system/meta"},{"capability":"get file size (5 matches)","namespace":"host-interaction/file-system/meta"},{"capability":"set file attributes (2 matches)","namespace":"host-interaction/file-system/meta"},{"capability":"move file (2 matches)","namespace":"host-interaction/file-system/move"},{"capability":"read file on Windows (7 matches)","namespace":"host-interaction/file-system/read"},{"capability":"write file on Windows (11 matches)","namespace":"host-interaction/file-system/write"},{"capability":"enumerate gui resources (2 matches)","namespace":"host-interaction/gui"},{"capability":"change the wallpaper","namespace":"host-interaction/gui/session"},{"capability":"hide the Windows taskbar","namespace":"host-interaction/gui/taskbar/hide"},{"capability":"get disk information","namespace":"host-interaction/hardware/storage"},{"capability":"get disk size","namespace":"host-interaction/hardware/storage"},{"capability":"allocate unmanaged memory in .NET (3","namespace":"host-interaction/memory"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/memory","namespace":"│ (14 matches)"},{"capability":"│ create or open mutex on Windows","namespace":"host-interaction/mutex"},{"capability":"get networking interfaces","namespace":"host-interaction/network/interface"},{"capability":"get hostname (2 matches)","namespace":"host-interaction/os/hostname"},{"capability":"get OS version in .NET","namespace":"host-interaction/os/version"},{"capability":"get process image filename 
(5","namespace":"host-interaction/process"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/process/create","namespace":"│ handles and window (14 matches)"},{"capability":"│ create process on Windows (22","namespace":"host-interaction/process/create"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/process/list","namespace":"│ find process by PID (2 matches)"},{"capability":"│ find process by name","namespace":"host-interaction/process/list"},{"capability":"acquire debug privileges","namespace":"host-interaction/process/modify"},{"capability":"terminate process (14 matches)","namespace":"host-interaction/process/terminate"},{"capability":"query or enumerate registry key (7","namespace":"host-interaction/registry"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/registry","namespace":"│ matches)"},{"capability":"│ delete registry key","namespace":"host-interaction/registry/delete"},{"capability":"delete registry value (2 matches)","namespace":"host-interaction/registry/delete"},{"capability":"get session integrity level (3","namespace":"host-interaction/session"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/session","namespace":"│ create thread (3 matches)"},{"capability":"│ suspend thread (9 matches)","namespace":"host-interaction/thread/suspend"},{"capability":"access WMI data in .NET","namespace":"host-interaction/wmi"},{"capability":"reference cryptocurrency strings","namespace":"impact/cryptocurrency"},{"capability":"disable system features via registry","namespace":"impact/features"},{"capability":"on Windows","namespace":"│"},{"capability":"load-code/dotnet","namespace":"│ matches)"},{"capability":"│ load .NET assembly","namespace":"load-code/dotnet"},{"capability":"compile CSharp in .NET","namespace":"load-code/dotnet/csharp"},{"capability":"persist via default file association","namespace":"persistence/registry"},{"capability":"registry key (2 
matches)","namespace":"│"},{"capability":"persistence/registry/run","namespace":"│ schedule task via schtasks (2"},{"capability":"│ matches)","namespace":"│"},{"capability":"runtime","namespace":"│ compiled to the .NET platform"}]}
{"_id":{"$oid":"697dd9b63d04a01d9782709c"},"file_info":{},"hashes":{},"metadata":{"md5":"9a5ff998dbf0f6923d0b454d89800fb4","sha1":"4f4fa23e9c503b941a5e91584d6ecc3813962ba1","sha256":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f","analysis":"static","os":"any","format":"dotnet","arch":"any","path":"/home/apogean/projects/malware/windows/all_runs/360e6f2288b6c836…"},"attack_tactics":[{"tactic":"COLLECTION","technique":"Clipboard Data","id":"T1115"},{"tactic":"","technique":"Data from Information Repositories","id":"T1213"},{"tactic":"","technique":"Input Capture::Keylogging","id":"T1056.001"},{"tactic":"","technique":"Screen Capture","id":"T1113"},{"tactic":"","technique":"Web Browsers","id":"T1555.003"},{"tactic":"DEFENSE EVASION","technique":"Deobfuscate/Decode Files or Information","id":"T1140"},{"tactic":"","technique":"File and Directory Permissions Modification","id":"T1222"},{"tactic":"","technique":"Hide Artifacts","id":"T1564"},{"tactic":"","technique":"Hide Artifacts::Hidden Window","id":"T1564.003"},{"tactic":"","technique":"Impair Defenses::Disable or Modify Tools","id":"T1562.001"},{"tactic":"","technique":"Indicator Removal::File Deletion","id":"T1070.004"},{"tactic":"","technique":"Modify Registry","id":"T1112"},{"tactic":"","technique":"Obfuscated Files or Information","id":"T1027"},{"tactic":"","technique":"Delivery","id":"T1027.004"},{"tactic":"","technique":"Reflective Code Loading","id":"T1620"},{"tactic":"DISCOVERY","technique":"Account Discovery","id":"T1087"},{"tactic":"","technique":"Application Window Discovery","id":"T1010"},{"tactic":"","technique":"File and Directory Discovery","id":"T1083"},{"tactic":"","technique":"Process Discovery","id":"T1057"},{"tactic":"","technique":"Query Registry","id":"T1012"},{"tactic":"","technique":"Software Discovery","id":"T1518"},{"tactic":"","technique":"System Information Discovery","id":"T1082"},{"tactic":"","technique":"System Location 
Discovery","id":"T1614"},{"tactic":"","technique":"System Network Configuration Discovery","id":"T1016"},{"tactic":"","technique":"System Owner/User Discovery","id":"T1033"},{"tactic":"EXECUTION","technique":"Windows Management Instrumentation","id":"T1047"},{"tactic":"IMPACT","technique":"Resource Hijacking","id":"T1496"},{"tactic":"","technique":"/ Startup Folder","id":"T1547.001"},{"tactic":"","technique":"Association","id":"T1546.001"},{"tactic":"","technique":"Scheduled Task/Job::Scheduled Task","id":"T1053.005"},{"tactic":"PRIVILEGE ESCALATION","technique":"Access Token Manipulation","id":"T1134"}],"maec_categories":[{"category":"malware-category","value":"launcher"}],"mbc_behaviors":[{"objective":"COLLECTION","behavior":"Keylogging::Application Hook","code":"F0002.001"},{"objective":"COLLECTION","behavior":"Keylogging::Polling","code":"F0002.002"},{"objective":"COLLECTION","behavior":"Screen Capture::WinAPI","code":"E1113.m01"},{"objective":"COMMAND AND CONTROL","behavior":"C2 Communication::Receive Data","code":"B0030.002"},{"objective":"COMMAND AND CONTROL","behavior":"C2 Communication::Send Data","code":"B0030.001"},{"objective":"COMMUNICATION","behavior":"HTTP Communication","code":"C0002"},{"objective":"COMMUNICATION","behavior":"HTTP Communication::Create Request","code":"C0002.012"},{"objective":"COMMUNICATION","behavior":"HTTP Communication::Get Response","code":"C0002.017"},{"objective":"COMMUNICATION","behavior":"HTTP Communication::Read Header","code":"C0002.014"},{"objective":"COMMUNICATION","behavior":"HTTP Communication::Send Request","code":"C0002.003"},{"objective":"COMMUNICATION","behavior":"Socket Communication::Create TCP Socket","code":"C0001.011"},{"objective":"COMMUNICATION","behavior":"Socket Communication::TCP Client","code":"C0001.008"},{"objective":"CRYPTOGRAPHY","behavior":"Decrypt Data","code":"C0031"},{"objective":"CRYPTOGRAPHY","behavior":"Encrypt Data","code":"C0027"},{"objective":"CRYPTOGRAPHY","behavior":"Generate 
Pseudo-random Sequence::Use API","code":"C0021.003"},{"objective":"DATA","behavior":"Check String","code":"C0019"},{"objective":"DATA","behavior":"Decode Data::Base64","code":"C0053.001"},{"objective":"DATA","behavior":"Encode Data::Base64","code":"C0026.001"},{"objective":"DEFENSE EVASION","behavior":"Disable or Evade Security Tools","code":"F0004"},{"objective":"DEFENSE EVASION","behavior":"Self Deletion::COMSPEC Environment Variable","code":""},{"objective":"DEFENSE EVASION","behavior":"[F0007.001]","code":""},{"objective":"DISCOVERY","behavior":"File and Directory Discovery","code":"E1083"},{"objective":"DISCOVERY","behavior":"System Information Discovery","code":"E1082"},{"objective":"DISCOVERY","behavior":"Taskbar Discovery","code":"B0043"},{"objective":"FILE SYSTEM","behavior":"Copy File","code":"C0045"},{"objective":"FILE SYSTEM","behavior":"Create Directory","code":"C0046"},{"objective":"FILE SYSTEM","behavior":"Delete Directory","code":"C0048"},{"objective":"FILE SYSTEM","behavior":"Delete File","code":"C0047"},{"objective":"FILE SYSTEM","behavior":"Get File Attributes","code":"C0049"},{"objective":"FILE SYSTEM","behavior":"Move File","code":"C0063"},{"objective":"FILE SYSTEM","behavior":"Read File","code":"C0051"},{"objective":"FILE SYSTEM","behavior":"Set File Attributes","code":"C0050"},{"objective":"FILE SYSTEM","behavior":"Writes File","code":"C0052"},{"objective":"OPERATING SYSTEM","behavior":"Console","code":"C0033"},{"objective":"OPERATING SYSTEM","behavior":"Registry::Delete Registry Key","code":"C0036.002"},{"objective":"OPERATING SYSTEM","behavior":"Registry::Delete Registry Value","code":"C0036.007"},{"objective":"OPERATING SYSTEM","behavior":"Registry::Query Registry Key","code":"C0036.005"},{"objective":"OPERATING SYSTEM","behavior":"Registry::Query Registry Value","code":"C0036.006"},{"objective":"OPERATING SYSTEM","behavior":"Registry::Set Registry Key","code":"C0036.001"},{"objective":"OPERATING 
SYSTEM","behavior":"Wallpaper","code":"C0035"},{"objective":"PERSISTENCE","behavior":"Registry Run Keys / Startup Folder","code":"F0012"},{"objective":"PROCESS","behavior":"Create Mutex","code":"C0042"},{"objective":"PROCESS","behavior":"Create Process","code":"C0017"},{"objective":"PROCESS","behavior":"Create Thread","code":"C0038"},{"objective":"PROCESS","behavior":"Suspend Thread","code":"C0055"},{"objective":"PROCESS","behavior":"Terminate Process","code":"C0018"}],"capabilities":[{"capability":"self delete (3 matches)","namespace":"anti-analysis/anti-forensic/self-de…"},{"capability":"get geographical location","namespace":"collection"},{"capability":"save image in .NET","namespace":"collection"},{"capability":"gather firefox profile information","namespace":"collection/browser"},{"capability":"reference SQL statements (2 matches)","namespace":"collection/database/sql"},{"capability":"reference WMI statements","namespace":"collection/database/wmi"},{"capability":"log keystrokes (2 matches)","namespace":"collection/keylog"},{"capability":"log keystrokes via application hook","namespace":"collection/keylog"},{"capability":"log keystrokes via polling (2","namespace":"collection/keylog"},{"capability":"matches)","namespace":"│"},{"capability":"collection/network","namespace":"│ capture screenshot"},{"capability":"│ receive data","namespace":"communication"},{"capability":"send data","namespace":"communication"},{"capability":"manipulate network credentials in","namespace":"communication/authentication"},{"capability":".NET","namespace":"│"},{"capability":"communication/http","namespace":"│ reference HTTP User-Agent string"},{"capability":"│ create HTTP request","namespace":"communication/http/client"},{"capability":"receive HTTP response","namespace":"communication/http/client"},{"capability":"create TCP socket (3 matches)","namespace":"communication/socket/tcp"},{"capability":"act as TCP client","namespace":"communication/tcp/client"},{"capability":"create zip 
archive in .NET (3","namespace":"data-manipulation/compression"},{"capability":"matches)","namespace":"│"},{"capability":"data-manipulation/encoding/base64","namespace":"│ decode data using Base64 via WinAPI"},{"capability":"│ reference Base64 string","namespace":"data-manipulation/encoding/base64"},{"capability":"encrypt or decrypt data via BCrypt (2","namespace":"data-manipulation/encryption"},{"capability":"matches)","namespace":"│"},{"capability":"data-manipulation/encryption/dpapi","namespace":"│ generate random numbers in .NET"},{"capability":"│ contains PDB path","namespace":"executable/pe/pdb"},{"capability":"extract resource via kernel32","namespace":"executable/resource"},{"capability":"functions","namespace":"│"},{"capability":"host-interaction/clipboard","namespace":"│ monitor clipboard content"},{"capability":"│ read clipboard data (2 matches)","namespace":"host-interaction/clipboard"},{"capability":"manipulate console buffer (8 matches)","namespace":"host-interaction/console"},{"capability":"query environment variable (3","namespace":"host-interaction/environment-variab…"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/file-system","namespace":"│ get common file path (7 matches)"},{"capability":"│ copy file (7 matches)","namespace":"host-interaction/file-system/copy"},{"capability":"create directory (8 matches)","namespace":"host-interaction/file-system/create"},{"capability":"delete directory (2 matches)","namespace":"host-interaction/file-system/delete"},{"capability":"delete file (12 matches)","namespace":"host-interaction/file-system/delete"},{"capability":"check if directory exists (15","namespace":"host-interaction/file-system/exists"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/file-system/exists","namespace":"│ enumerate files in .NET (6 matches)"},{"capability":"│ get file attributes","namespace":"host-interaction/file-system/meta"},{"capability":"get file size (5 
matches)","namespace":"host-interaction/file-system/meta"},{"capability":"set file attributes (2 matches)","namespace":"host-interaction/file-system/meta"},{"capability":"move file (2 matches)","namespace":"host-interaction/file-system/move"},{"capability":"read file on Windows (7 matches)","namespace":"host-interaction/file-system/read"},{"capability":"write file on Windows (11 matches)","namespace":"host-interaction/file-system/write"},{"capability":"enumerate gui resources (2 matches)","namespace":"host-interaction/gui"},{"capability":"change the wallpaper","namespace":"host-interaction/gui/session"},{"capability":"hide the Windows taskbar","namespace":"host-interaction/gui/taskbar/hide"},{"capability":"get disk information","namespace":"host-interaction/hardware/storage"},{"capability":"get disk size","namespace":"host-interaction/hardware/storage"},{"capability":"allocate unmanaged memory in .NET (3","namespace":"host-interaction/memory"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/memory","namespace":"│ (14 matches)"},{"capability":"│ create or open mutex on Windows","namespace":"host-interaction/mutex"},{"capability":"get networking interfaces","namespace":"host-interaction/network/interface"},{"capability":"get hostname (2 matches)","namespace":"host-interaction/os/hostname"},{"capability":"get OS version in .NET","namespace":"host-interaction/os/version"},{"capability":"get process image filename (5","namespace":"host-interaction/process"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/process/create","namespace":"│ handles and window (14 matches)"},{"capability":"│ create process on Windows (22","namespace":"host-interaction/process/create"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/process/list","namespace":"│ find process by PID (2 matches)"},{"capability":"│ find process by name","namespace":"host-interaction/process/list"},{"capability":"acquire debug 
privileges","namespace":"host-interaction/process/modify"},{"capability":"terminate process (14 matches)","namespace":"host-interaction/process/terminate"},{"capability":"query or enumerate registry key (7","namespace":"host-interaction/registry"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/registry","namespace":"│ matches)"},{"capability":"│ delete registry key","namespace":"host-interaction/registry/delete"},{"capability":"delete registry value (2 matches)","namespace":"host-interaction/registry/delete"},{"capability":"get session integrity level (3","namespace":"host-interaction/session"},{"capability":"matches)","namespace":"│"},{"capability":"host-interaction/session","namespace":"│ create thread (3 matches)"},{"capability":"│ suspend thread (9 matches)","namespace":"host-interaction/thread/suspend"},{"capability":"access WMI data in .NET","namespace":"host-interaction/wmi"},{"capability":"reference cryptocurrency strings","namespace":"impact/cryptocurrency"},{"capability":"disable system features via registry","namespace":"impact/features"},{"capability":"on Windows","namespace":"│"},{"capability":"load-code/dotnet","namespace":"│ matches)"},{"capability":"│ load .NET assembly","namespace":"load-code/dotnet"},{"capability":"compile CSharp in .NET","namespace":"load-code/dotnet/csharp"},{"capability":"persist via default file association","namespace":"persistence/registry"},{"capability":"registry key (2 matches)","namespace":"│"},{"capability":"persistence/registry/run","namespace":"│ schedule task via schtasks (2"},{"capability":"│ matches)","namespace":"│"},{"capability":"runtime","namespace":"│ compiled to the .NET platform"}]}
{"_id":{"$oid":"69e716dd59a6632dae07ddfa"},"sha256":"e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8","analysis_data":{"success":true,"results":{"normal":{"success":true,"path":"/tmp/sdm_capa_7y0wi49q/2_normal.txt"},"verbose":{"success":true,"path":"/tmp/sdm_capa_7y0wi49q/2_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_7y0wi49q/2_very_verbose.txt"}},"outputs":{"normal":"┌───────────┬──────────────────────────────────────────────────────────────────┐\n│ md5       │ be0930fc1d862072effdd01493361fb5                                 │\n│ sha1      │ e421261bf9c56bc5390d1f1b5be10f4fa53ba34c                         │\n│ sha256    │ e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8 │\n│ analysis  │ static                                                           │\n│ os        │ any                                                              │\n│ format    │ dotnet                                                           │\n│ arch      │ i386                                                             │\n│ path      │ /home/apogean/projects/malware/windows/all_runs/2                │\n└───────────┴──────────────────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ ATT&CK Tactic               ┃ ATT&CK Technique                               ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ DEFENSE EVASION             │ Reflective Code Loading [T1620]                │\n│ DISCOVERY                   │ File and Directory Discovery [T1083]           │\n└─────────────────────────────┴────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MBC Objective        ┃ MBC Behavior                                          ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ CRYPTOGRAPHY         │ 
Generate Pseudo-random Sequence::Use API [C0021.003]  │\n│ DISCOVERY            │ Analysis Tool Discovery::Process detection            │\n│                      │ [B0013.001]                                           │\n│                      │ File and Directory Discovery [E1083]                  │\n│ FILE SYSTEM          │ Create Directory [C0046]                              │\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Capability                             ┃ Namespace                           ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ reference analysis tools strings       │ anti-analysis                       │\n│ generate random numbers in .NET (9     │ data-manipulation/prng              │\n│ matches)                               │                                     │\n│ access .NET resource                   │ executable/resource                 │\n│ get common file path                   │ host-interaction/file-system        │\n│ create directory                       │ host-interaction/file-system/create │\n│ check if directory exists              │ host-interaction/file-system/exists │\n│ check if file exists                   │ host-interaction/file-system/exists │\n│ invoke .NET assembly method (2         │ load-code/dotnet                    │\n│ matches)                               │                                     │\n│ load .NET assembly                     │ load-code/dotnet                    │\n│ compiled to the .NET platform          │ runtime/dotnet                      │\n└────────────────────────────────────────┴─────────────────────────────────────┘\n\n","verbose":"md5                     be0930fc1d862072effdd01493361fb5                        \nsha1                    e421261bf9c56bc5390d1f1b5be10f4fa53ba34c                \nsha256                  
e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950…\npath                    /home/apogean/projects/malware/windows/all_runs/2       \ntimestamp               2026-04-26 23:28:52.816720                              \ncapa version            9.2.1                                                   \nos                      any                                                     \nformat                  dotnet                                                  \narch                    i386                                                    \nanalysis                static                                                  \nextractor               DnfileFeatureExtractor                                  \nbase address            global                                                  \nrules                   /tmp/_MEIKH7B9s/rules                                   \nfunction count          455                                                     \nlibrary function count  0                                                       \ntotal feature count     28675                                                   \n\nreference analysis tools strings\nnamespace  anti-analysis\nscope      file         \n\ngenerate random numbers in .NET (9 matches)\nnamespace  data-manipulation/prng\nscope      function              \nmatches    token(0x6000145)      \n           token(0x6000172)      \n           token(0x6000192)      \n           token(0x6000193)      \n           token(0x6000194)      \n           token(0x6000195)      \n           token(0x6000196)      \n           token(0x6000197)      \n           token(0x6000198)      \n\naccess .NET resource\nnamespace  executable/resource\nscope      function           \nmatches    token(0x60001AF)   \n\nget common file path\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    token(0x60000CB)            \n\ncreate directory\nnamespace  host-interaction/file-system/create\nscope      function  
                         \nmatches    token(0x60000CB)                   \n\ncheck if directory exists\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    token(0x60000CB)                   \n\ncheck if file exists\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    token(0x60000CA)                   \n\ninvoke .NET assembly method (2 matches)\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x6000123)\n           token(0x6000154)\n\nload .NET assembly\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x60000EA)\n\ncompiled to the .NET platform\nnamespace  runtime/dotnet\nscope      file          \n\n\n\n","very_verbose":"md5                     be0930fc1d862072effdd01493361fb5                        \nsha1                    e421261bf9c56bc5390d1f1b5be10f4fa53ba34c                \nsha256                  e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950…\npath                    /home/apogean/projects/malware/windows/all_runs/2       \ntimestamp               2026-04-26 23:29:01.820826                              \ncapa version            9.2.1                                                   \nos                      any                                                     \nformat                  dotnet                                                  \narch                    i386                                                    \nanalysis                static                                                  \nextractor               DnfileFeatureExtractor                                  \nbase address            global                                                  \nrules                   /tmp/_MEIqYtxZp/rules                                   \nfunction count          455                                                     \nlibrary function count  0                                
                       \ntotal feature count     28675                                                   \n\nreference analysis tools strings\nnamespace   anti-analysis                                                       \nauthor      michael.hunhoff@mandiant.com                                        \nscope       file                                                                \nmbc         Discovery::Analysis Tool Discovery::Process detection [B0013.001]   \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /(?<!\\w)ida?(\\.exe)?$/i\n    - \"IDAT\" @ file+0x4E849, file+0x5E849, file+0x8E849, file+0xBE849, and 4 more...\n\ngenerate random numbers in .NET (9 matches)\nnamespace  data-manipulation/prng                                            \nauthor     anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com     \nscope      function                                                          \nmbc        Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\nfunction @ token(0x6000145)\n  or:\n    api: System.Random::NextDouble @ token(0x6000145)+0x34, token(0x6000145)+0x1C5\nfunction @ token(0x6000172)\n  or:\n    api: System.Random::Next @ token(0x6000172)+0x2B6\nfunction @ token(0x6000192)\n  or:\n    api: System.Random::Next @ token(0x6000192)+0x6\nfunction @ token(0x6000193)\n  or:\n    api: System.Random::Next @ token(0x6000193)+0x6\nfunction @ token(0x6000194)\n  or:\n    api: System.Random::Next @ token(0x6000194)+0x6\nfunction @ token(0x6000195)\n  or:\n    api: System.Random::Next @ token(0x6000195)+0x6\nfunction @ token(0x6000196)\n  or:\n    api: System.Random::Next @ token(0x6000196)+0x6\nfunction @ token(0x6000197)\n  or:\n    api: System.Random::Next @ token(0x6000197)+0x6\nfunction @ token(0x6000198)\n  or:\n    api: System.Random::Next @ token(0x6000198)+0x6\n\naccess .NET resource\nnamespace  executable/resource\nauthor     @mr-tz             \nscope      function           
\nfunction @ token(0x60001AF)\n  and:\n    format: dotnet\n    or:\n      api: System.Resources.ResourceManager::ctor @ token(0x60001AF)+0x4C\n\nget common file path\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ token(0x60000CB)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x60000CB)+0x26\n\ncreate directory\nnamespace  host-interaction/file-system/create                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Create Directory [C0046]                  \nfunction @ token(0x60000CB)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x60000CB)+0x18\n\ncheck if directory exists\nnamespace  host-interaction/file-system/exists            \nauthor     michael.hunhoff@mandiant.com                   \nscope      function                                       \natt&ck     Discovery::File and Directory Discovery [T1083]\nfunction @ token(0x60000CB)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60000CB)+0x7\n\ncheck if file exists\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ token(0x60000CA)\n  or:\n    api: System.IO.File::Exists @ token(0x60000CA)+0x37\n\n(internal) 
.NET file limitation\nnamespace    internal/limitation/dynamic                        \nauthor       @v1bh475u                                          \nscope        file                                               \ndescription  This dynamic analysis trace describes a .NET file. \n                                                                \n             capa rules are not yet tuned for the .NET runtime, \n             so its analysis may be incomplete or misleading.   \n                                                                \nor:\n  format: dotnet\n\ninvoke .NET assembly method (2 matches)\nnamespace  load-code/dotnet                                     \nauthor     anushka.virgaonkar@mandiant.com, mehunhoff@google.com\nscope      function                                             \natt&ck     Defense Evasion::Reflective Code Loading [T1620]     \nfunction @ token(0x6000123)\n  and:\n    format: dotnet\n    or:\n      api: System.Reflection.MethodBase::Invoke @ token(0x6000123)+0x1A\nfunction @ token(0x6000154)\n  and:\n    format: dotnet\n    or:\n      api: System.Type::InvokeMember @ token(0x6000154)+0x9E\n\nload .NET assembly\nnamespace  load-code/dotnet                                \nauthor     anushka.virgaonkar@mandiant.com                 \nscope      function                                        \natt&ck     Defense Evasion::Reflective Code Loading [T1620]\nfunction @ token(0x60000EA)\n  or:\n    api: System.AppDomain::Load @ token(0x60000EA)+0x52E\n\ncompiled to the .NET platform\nnamespace  runtime/dotnet                 \nauthor     william.ballenthin@mandiant.com\nscope      file                           \nor:\n  format: dotnet\n\n\n\n"},"hashes":{"md5":"be0930fc1d862072effdd01493361fb5","sha1":"e421261bf9c56bc5390d1f1b5be10f4fa53ba34c","sha256":"e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta 
name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n          
  margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n      
  ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    <span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    
<div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 455</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 28675</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"2\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"be0930fc1d862072effdd01493361fb5\",\n        \"sha256\": \"e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950\",\n        \"arch\": \"i386\",\n        \"os\": \"any\",\n        \"format\": \"dotnet\"\n      }\n    },\n    {\n      \"id\": \"cap_reference_analysis_tools_strings\",\n      \"label\": \"reference analysis tools strings\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Analysis Tool Discovery::Process detection [B0013.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Analysis Tool Discovery::Process detection [B0013.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_generate_random_numbers_in__net__9_matches_\",\n      \"label\": \"generate random numbers in .NET (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\"\n      ]\n    
},\n    {\n      \"id\": \"api_System\",\n      \"label\": \"System\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_access__net_resource\",\n      \"label\": \"access .NET resource\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author______mr_tz\",\n      \"label\": \"author     @mr-tz\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_get_common_file_path\",\n      \"label\": \"get common file path\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_directory\",\n      \"label\": \"create directory\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_if_directory_exists\",\n      \"label\": \"check if directory exists\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [T1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [T1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_if_file_exists\",\n      \"label\": \"check if file exists\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap__internal___net_file_limitation\",\n      \"label\": \"(internal) .NET file limitation\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author________v1bh475u\",\n      \"label\": \"author       @v1bh475u\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_invoke__net_assembly_method__2_matches_\",\n      \"label\": \"invoke .NET assembly method (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com, mehunhoff@google.com\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_load__net_assembly\",\n      \"label\": \"load .NET assembly\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_compiled_to_the__net_platform\",\n      \"label\": \"compiled to the .NET platform\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_analysis_tools_strings\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_generate_random_numbers_in__net__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_access__net_resource\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______mr_tz\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_directory\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_directory_exists\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap__internal___net_file_limitation\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author________v1bh475u\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_invoke__net_assembly_method__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____anushka_virgaonkar_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_load__net_assembly\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compiled_to_the__net_platform\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-04-26 23:29:01.820826\",\n    \"total_functions\": \"455\",\n    \"total_features\": \"28675\",\n    \"pdb_path\": \"\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": 
\"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => 
d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) {\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span 
class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? \"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-04-26 23:29:02"}
{"_id":{"$oid":"69e917b359a6632dae07de10"},"md5":"9a5ff998dbf0f6923d0b454d89800fb4","analysis_data":{"success":true,"results":{"normal":{"success":true,"path":"/tmp/sdm_capa_zt2bevqd/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe_normal.txt"},"verbose":{"success":true,"path":"/tmp/sdm_capa_zt2bevqd/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_zt2bevqd/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe_very_verbose.txt"}},"outputs":{"normal":"┌──────────┬───────────────────────────────────────────────────────────────────┐\n│ md5      │ 9a5ff998dbf0f6923d0b454d89800fb4                                  │\n│ sha1     │ 4f4fa23e9c503b941a5e91584d6ecc3813962ba1                          │\n│ sha256   │ 360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f  │\n│ analysis │ static                                                            │\n│ os       │ any                                                               │\n│ format   │ dotnet                                                            │\n│ arch     │ any                                                               │\n│ path     │ /home/apogean/projects/malware/windows/all_runs/360e6f2288b6c836… │\n└──────────┴───────────────────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ ATT&CK Tactic        ┃ ATT&CK Technique                                      ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ COLLECTION           │ Clipboard Data [T1115]                                │\n│                      │ Data from Information Repositories [T1213]            │\n│                      │ Input Capture::Keylogging [T1056.001]                 │\n│                      │ Screen Capture [T1113]                                │\n│ CREDENTIAL ACCESS    │ 
Credentials from Password Stores::Credentials from    │\n│                      │ Web Browsers [T1555.003]                              │\n│ DEFENSE EVASION      │ Deobfuscate/Decode Files or Information [T1140]       │\n│                      │ File and Directory Permissions Modification [T1222]   │\n│                      │ Hide Artifacts [T1564]                                │\n│                      │ Hide Artifacts::Hidden Window [T1564.003]             │\n│                      │ Impair Defenses::Disable or Modify Tools [T1562.001]  │\n│                      │ Indicator Removal::File Deletion [T1070.004]          │\n│                      │ Modify Registry [T1112]                               │\n│                      │ Obfuscated Files or Information [T1027]               │\n│                      │ Obfuscated Files or Information::Compile After        │\n│                      │ Delivery [T1027.004]                                  │\n│                      │ Reflective Code Loading [T1620]                       │\n│ DISCOVERY            │ Account Discovery [T1087]                             │\n│                      │ Application Window Discovery [T1010]                  │\n│                      │ File and Directory Discovery [T1083]                  │\n│                      │ Process Discovery [T1057]                             │\n│                      │ Query Registry [T1012]                                │\n│                      │ Software Discovery [T1518]                            │\n│                      │ System Information Discovery [T1082]                  │\n│                      │ System Location Discovery [T1614]                     │\n│                      │ System Network Configuration Discovery [T1016]        │\n│                      │ System Owner/User Discovery [T1033]                   │\n│ EXECUTION            │ Windows Management Instrumentation [T1047]            │\n│ IMPACT               │ Resource Hijacking [T1496]      
                      │\n│ PERSISTENCE          │ Boot or Logon Autostart Execution::Registry Run Keys  │\n│                      │ / Startup Folder [T1547.001]                          │\n│                      │ Event Triggered Execution::Change Default File        │\n│                      │ Association [T1546.001]                               │\n│                      │ Scheduled Task/Job::Scheduled Task [T1053.005]        │\n│ PRIVILEGE ESCALATION │ Access Token Manipulation [T1134]                     │\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MAEC Category                                    ┃ MAEC Value                ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ malware-category                                 │ launcher                  │\n└──────────────────────────────────────────────────┴───────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MBC Objective        ┃ MBC Behavior                                          ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ COLLECTION           │ Keylogging::Application Hook [F0002.001]              │\n│                      │ Keylogging::Polling [F0002.002]                       │\n│                      │ Screen Capture::WinAPI [E1113.m01]                    │\n│ COMMAND AND CONTROL  │ C2 Communication::Receive Data [B0030.002]            │\n│                      │ C2 Communication::Send Data [B0030.001]               │\n│ COMMUNICATION        │ HTTP Communication [C0002]                            │\n│                      │ HTTP Communication::Create Request [C0002.012]        │\n│                      │ HTTP Communication::Get Response [C0002.017]          │\n│                      │ HTTP Communication::Read Header [C0002.014]           │\n│      
                │ HTTP Communication::Send Request [C0002.003]          │\n│                      │ Socket Communication::Create TCP Socket [C0001.011]   │\n│                      │ Socket Communication::TCP Client [C0001.008]          │\n│ CRYPTOGRAPHY         │ Decrypt Data [C0031]                                  │\n│                      │ Encrypt Data [C0027]                                  │\n│                      │ Generate Pseudo-random Sequence::Use API [C0021.003]  │\n│ DATA                 │ Check String [C0019]                                  │\n│                      │ Decode Data::Base64 [C0053.001]                       │\n│                      │ Encode Data::Base64 [C0026.001]                       │\n│ DEFENSE EVASION      │ Disable or Evade Security Tools [F0004]               │\n│                      │ Self Deletion::COMSPEC Environment Variable           │\n│                      │ [F0007.001]                                           │\n│ DISCOVERY            │ File and Directory Discovery [E1083]                  │\n│                      │ System Information Discovery [E1082]                  │\n│                      │ Taskbar Discovery [B0043]                             │\n│ FILE SYSTEM          │ Copy File [C0045]                                     │\n│                      │ Create Directory [C0046]                              │\n│                      │ Delete Directory [C0048]                              │\n│                      │ Delete File [C0047]                                   │\n│                      │ Get File Attributes [C0049]                           │\n│                      │ Move File [C0063]                                     │\n│                      │ Read File [C0051]                                     │\n│                      │ Set File Attributes [C0050]                           │\n│                      │ Writes File [C0052]                                   │\n│ OPERATING SYSTEM     │ Console 
[C0033]                                       │\n│                      │ Registry::Delete Registry Key [C0036.002]             │\n│                      │ Registry::Delete Registry Value [C0036.007]           │\n│                      │ Registry::Query Registry Key [C0036.005]              │\n│                      │ Registry::Query Registry Value [C0036.006]            │\n│                      │ Registry::Set Registry Key [C0036.001]                │\n│                      │ Wallpaper [C0035]                                     │\n│ PERSISTENCE          │ Registry Run Keys / Startup Folder [F0012]            │\n│ PROCESS              │ Create Mutex [C0042]                                  │\n│                      │ Create Process [C0017]                                │\n│                      │ Create Thread [C0038]                                 │\n│                      │ Suspend Thread [C0055]                                │\n│                      │ Terminate Process [C0018]                             │\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Capability                            ┃ Namespace                            ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ self delete (3 matches)               │ anti-analysis/anti-forensic/self-de… │\n│ get geographical location             │ collection                           │\n│ save image in .NET                    │ collection                           │\n│ gather firefox profile information    │ collection/browser                   │\n│ reference SQL statements (2 matches)  │ collection/database/sql              │\n│ reference WMI statements              │ collection/database/wmi              │\n│ log keystrokes (2 matches)            │ collection/keylog                    │\n│ log keystrokes via application hook   │ collection/keylog      
              │\n│ log keystrokes via polling (2         │ collection/keylog                    │\n│ matches)                              │                                      │\n│ get MAC address in .NET               │ collection/network                   │\n│ capture screenshot                    │ collection/screenshot                │\n│ receive data                          │ communication                        │\n│ send data                             │ communication                        │\n│ manipulate network credentials in     │ communication/authentication         │\n│ .NET                                  │                                      │\n│ read HTTP header                      │ communication/http                   │\n│ reference HTTP User-Agent string      │ communication/http                   │\n│ create HTTP request                   │ communication/http/client            │\n│ receive HTTP response                 │ communication/http/client            │\n│ create TCP socket (3 matches)         │ communication/socket/tcp             │\n│ act as TCP client                     │ communication/tcp/client             │\n│ create zip archive in .NET (3         │ data-manipulation/compression        │\n│ matches)                              │                                      │\n│ decode data using Base64 in .NET      │ data-manipulation/encoding/base64    │\n│ decode data using Base64 via WinAPI   │ data-manipulation/encoding/base64    │\n│ reference Base64 string               │ data-manipulation/encoding/base64    │\n│ encrypt or decrypt data via BCrypt (2 │ data-manipulation/encryption         │\n│ matches)                              │                                      │\n│ encrypt data using DPAPI              │ data-manipulation/encryption/dpapi   │\n│ generate random numbers in .NET       │ data-manipulation/prng               │\n│ contains PDB path                     │ executable/pe/pdb                    │\n│ extract 
resource via kernel32         │ executable/resource                  │\n│ functions                             │                                      │\n│ check clipboard data (2 matches)      │ host-interaction/clipboard           │\n│ monitor clipboard content             │ host-interaction/clipboard           │\n│ read clipboard data (2 matches)       │ host-interaction/clipboard           │\n│ manipulate console buffer (8 matches) │ host-interaction/console             │\n│ query environment variable (3         │ host-interaction/environment-variab… │\n│ matches)                              │                                      │\n│ enumerate drives                      │ host-interaction/file-system         │\n│ get common file path (7 matches)      │ host-interaction/file-system         │\n│ copy file (7 matches)                 │ host-interaction/file-system/copy    │\n│ create directory (8 matches)          │ host-interaction/file-system/create  │\n│ delete directory (2 matches)          │ host-interaction/file-system/delete  │\n│ delete file (12 matches)              │ host-interaction/file-system/delete  │\n│ check if directory exists (15         │ host-interaction/file-system/exists  │\n│ matches)                              │                                      │\n│ check if file exists (22 matches)     │ host-interaction/file-system/exists  │\n│ enumerate files in .NET (6 matches)   │ host-interaction/file-system/files/… │\n│ get file attributes                   │ host-interaction/file-system/meta    │\n│ get file size (5 matches)             │ host-interaction/file-system/meta    │\n│ set file attributes (2 matches)       │ host-interaction/file-system/meta    │\n│ move file (2 matches)                 │ host-interaction/file-system/move    │\n│ read file on Windows (7 matches)      │ host-interaction/file-system/read    │\n│ write file on Windows (11 matches)    │ host-interaction/file-system/write   │\n│ enumerate gui resources (2 matches)   │ 
host-interaction/gui                 │\n│ change the wallpaper                  │ host-interaction/gui/session         │\n│ hide the Windows taskbar              │ host-interaction/gui/taskbar/hide    │\n│ get disk information                  │ host-interaction/hardware/storage    │\n│ get disk size                         │ host-interaction/hardware/storage    │\n│ allocate unmanaged memory in .NET (3  │ host-interaction/memory              │\n│ matches)                              │                                      │\n│ manipulate unmanaged memory in .NET   │ host-interaction/memory              │\n│ (14 matches)                          │                                      │\n│ create or open mutex on Windows       │ host-interaction/mutex               │\n│ get networking interfaces             │ host-interaction/network/interface   │\n│ get hostname (2 matches)              │ host-interaction/os/hostname         │\n│ get OS version in .NET                │ host-interaction/os/version          │\n│ get process image filename (5         │ host-interaction/process             │\n│ matches)                              │                                      │\n│ create a process with modified I/O    │ host-interaction/process/create      │\n│ handles and window (14 matches)       │                                      │\n│ create process on Windows (22         │ host-interaction/process/create      │\n│ matches)                              │                                      │\n│ enumerate processes (2 matches)       │ host-interaction/process/list        │\n│ find process by PID (2 matches)       │ host-interaction/process/list        │\n│ find process by name                  │ host-interaction/process/list        │\n│ acquire debug privileges              │ host-interaction/process/modify      │\n│ terminate process (14 matches)        │ host-interaction/process/terminate   │\n│ query or enumerate registry key (7    │ host-interaction/registry       
     │\n│ matches)                              │                                      │\n│ query or enumerate registry value (2  │ host-interaction/registry            │\n│ matches)                              │                                      │\n│ delete registry key                   │ host-interaction/registry/delete     │\n│ delete registry value (2 matches)     │ host-interaction/registry/delete     │\n│ get session integrity level (3        │ host-interaction/session             │\n│ matches)                              │                                      │\n│ get session user name (5 matches)     │ host-interaction/session             │\n│ create thread (3 matches)             │ host-interaction/thread/create       │\n│ suspend thread (9 matches)            │ host-interaction/thread/suspend      │\n│ access WMI data in .NET               │ host-interaction/wmi                 │\n│ reference cryptocurrency strings      │ impact/cryptocurrency                │\n│ disable system features via registry  │ impact/features                      │\n│ on Windows                            │                                      │\n│ invoke .NET assembly method (2        │ load-code/dotnet                     │\n│ matches)                              │                                      │\n│ load .NET assembly                    │ load-code/dotnet                     │\n│ compile CSharp in .NET                │ load-code/dotnet/csharp              │\n│ persist via default file association  │ persistence/registry                 │\n│ registry key (2 matches)              │                                      │\n│ persist via Run registry key          │ persistence/registry/run             │\n│ schedule task via schtasks (2         │ persistence/scheduled-tasks          │\n│ matches)                              │                                      │\n│ unmanaged call (42 matches)           │ runtime                              │\n│ compiled to the .NET 
platform         │ runtime/dotnet                       │\n└───────────────────────────────────────┴──────────────────────────────────────┘\n\n","verbose":"md5                     9a5ff998dbf0f6923d0b454d89800fb4                        \nsha1                    4f4fa23e9c503b941a5e91584d6ecc3813962ba1                \nsha256                  360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f15…\npath                    /home/apogean/projects/malware/windows/all_runs/360e6f2…\ntimestamp               2026-04-23 00:40:14.063332                              \ncapa version            9.2.1                                                   \nos                      any                                                     \nformat                  dotnet                                                  \narch                    any                                                     \nanalysis                static                                                  \nextractor               DnfileFeatureExtractor                                  \nbase address            global                                                  \nrules                   /tmp/_MEI7sgq78/rules                                   \nfunction count          574                                                     \nlibrary function count  0                                                       \ntotal feature count     18525                                                   \n\nself delete (3 matches)\nnamespace  anti-analysis/anti-forensic/self-deletion\nscope      function                                 \nmatches    token(0x6000039)                         \n           token(0x600003E)                         \n           token(0x600003E)                         \n\nget geographical location\nnamespace  collection      \nscope      function        \nmatches    token(0x600004C)\n\nsave image in .NET\nnamespace  collection      \nscope      function        \nmatches    token(0x6000054)\n\ngather 
firefox profile information\nnamespace  collection/browser\nscope      function          \nmatches    token(0x60001CC)  \n\nreference SQL statements (2 matches)\nnamespace  collection/database/sql\nscope      function               \nmatches    token(0x6000147)       \n           token(0x600015B)       \n\nreference WMI statements\nnamespace  collection/database/wmi\nscope      function               \nmatches    token(0x600004B)       \n\nlog keystrokes (2 matches)\nnamespace  collection/keylog\nscope      function         \nmatches    token(0x600017A) \n           token(0x600017B) \n\nlog keystrokes via application hook\nnamespace  collection/keylog\nscope      basic block      \nmatches    token(0x60000A7) \n\nlog keystrokes via polling (2 matches)\nnamespace  collection/keylog\nscope      function         \nmatches    token(0x60000AA) \n           token(0x600017C) \n\nget MAC address in .NET\nnamespace  collection/network\nscope      function          \nmatches    token(0x600011C)  \n\ncapture screenshot\nnamespace  collection/screenshot\nscope      function             \nmatches    token(0x6000054)     \n\nreceive data\nnamespace    communication                                                     \ndescription  all known techniques for receiving data from a potential C2 server\nscope        function                                                          \nmatches      token(0x600004C)                                                  \n\nsend data\nnamespace    communication                                                 \ndescription  all known techniques for sending data to a potential C2 server\nscope        function                                                      \nmatches      token(0x60001BF)                                              \n\nmanipulate network credentials in .NET\nnamespace  communication/authentication\nscope      function                    \nmatches    token(0x60001BF)            \n\nread HTTP header\nnamespace  
communication/http\nscope      function          \nmatches    token(0x600004C)  \n\nreference HTTP User-Agent string\nnamespace  communication/http\nscope      function          \nmatches    token(0x600004C)  \n\ncreate HTTP request\nnamespace  communication/http/client\nscope      function                 \nmatches    token(0x60001BF)         \n\nread data from Internet\nnamespace  communication/http/client\nscope      function                 \nmatches    token(0x600004C)         \n\nreceive HTTP response\nnamespace  communication/http/client\nscope      function                 \nmatches    token(0x60001BF)         \n\nsend HTTP request\nnamespace  communication/http/client\nscope      function                 \nmatches    token(0x60001BF)         \n\ncreate TCP socket (3 matches)\nnamespace  communication/socket/tcp\nscope      basic block             \nmatches    token(0x600000C)        \n           token(0x600000E)        \n           token(0x6000014)        \n\nact as TCP client\nnamespace  communication/tcp/client\nscope      function                \nmatches    token(0x600000E)        \n\ncreate zip archive in .NET (3 matches)\nnamespace  data-manipulation/compression\nscope      basic block                  \nmatches    token(0x60000B8)             \n           token(0x60000BB)             \n           token(0x60001BC)             \n\ndecode data using Base64 in .NET\nnamespace  data-manipulation/encoding/base64\nscope      function                         \nmatches    token(0x60001B5)                 \n\ndecode data using Base64 via WinAPI\nnamespace  data-manipulation/encoding/base64\nscope      basic block                      \nmatches    token(0x60001B5)                 \n\nreference Base64 string\nnamespace  data-manipulation/encoding/base64\nscope      file                             \n\nencrypt or decrypt data via BCrypt (2 matches)\nnamespace  data-manipulation/encryption\nscope      function                    \nmatches    token(0x60001AD)      
      \n           token(0x60001B0)            \n\nencrypt data using DPAPI\nnamespace  data-manipulation/encryption/dpapi\nscope      function                          \nmatches    token(0x60001AF)                  \n\ngenerate random numbers in .NET\nnamespace  data-manipulation/prng\nscope      function              \nmatches    token(0x600003E)      \n\ncontains PDB path\nnamespace  executable/pe/pdb\nscope      file             \n\nextract resource via kernel32 functions\nnamespace  executable/resource\nscope      function           \nmatches    token(0x60000E5)   \n\ncheck clipboard data (2 matches)\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    token(0x60000EE)          \n           token(0x600024C)          \n\nmonitor clipboard content\nnamespace  host-interaction/clipboard\nscope      basic block               \nmatches    token(0x60000F4)          \n\nread clipboard data (2 matches)\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    token(0x60000EE)          \n           token(0x600024C)          \n\nmanipulate console buffer (8 matches)\nnamespace  host-interaction/console\nscope      function                \nmatches    token(0x6000019)        \n           token(0x6000029)        \n           token(0x6000033)        \n           token(0x6000044)        \n           token(0x600014A)        \n           token(0x600015E)        \n           token(0x6000181)        \n           token(0x6000182)        \n\nquery environment variable (3 matches)\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    token(0x6000095)                     \n           token(0x60001A1)                     \n           token(0x60001AB)                     \n\nenumerate drives\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    token(0x6000093)            \n\nget common file path (7 matches)\nnamespace  
host-interaction/file-system\nscope      function                    \nmatches    token(0x600004E)            \n           token(0x60000B7)            \n           token(0x60000F8)            \n           token(0x60000FA)            \n           token(0x6000146)            \n           token(0x6000149)            \n           token(0x600015D)            \n\ncopy file (7 matches)\nnamespace  host-interaction/file-system/copy\nscope      function                         \nmatches    token(0x60000BC)                 \n           token(0x6000144)                 \n           token(0x6000159)                 \n           token(0x60001A5)                 \n           token(0x60001A6)                 \n           token(0x60001AB)                 \n           token(0x60001BF)                 \n\ncreate directory (8 matches)\nnamespace  host-interaction/file-system/create\nscope      function                           \nmatches    token(0x6000097)                   \n           token(0x6000098)                   \n           token(0x60000B8)                   \n           token(0x60000BB)                   \n           token(0x60000BC)                   \n           token(0x6000144)                   \n           token(0x6000159)                   \n           token(0x60001A0)                   \n\ndelete directory (2 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    token(0x60000B8)                   \n           token(0x60000BB)                   \n\ndelete file (12 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    token(0x60000B8)                   \n           token(0x60000BB)                   \n           token(0x6000144)                   \n           token(0x6000147)                   \n           token(0x6000159)                   \n           token(0x600015B)                   \n           token(0x60001A8)                   \n       
    token(0x60001A9)                   \n           token(0x60001AA)                   \n           token(0x60001AB)                   \n           token(0x60001BC)                   \n           token(0x60001BF)                   \n\ncheck if directory exists (15 matches)\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    token(0x600004E)                   \n           token(0x6000095)                   \n           token(0x6000097)                   \n           token(0x6000098)                   \n           token(0x60000B7)                   \n           token(0x60000B8)                   \n           token(0x60000BC)                   \n           token(0x6000144)                   \n           token(0x6000149)                   \n           token(0x6000159)                   \n           token(0x600015D)                   \n           token(0x60001A7)                   \n           token(0x60001A9)                   \n           token(0x60001AB)                   \n           token(0x600021B)                   \n\ncheck if file exists (22 matches)\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    token(0x6000095)                   \n           token(0x6000096)                   \n           token(0x60000D6)                   \n           token(0x60000D7)                   \n           token(0x60000F8)                   \n           token(0x60000FA)                   \n           token(0x6000144)                   \n           token(0x6000146)                   \n           token(0x6000149)                   \n           token(0x6000159)                   \n           token(0x600015D)                   \n           token(0x60001A6)                   \n           token(0x60001A7)                   \n           token(0x60001A8)                   \n           token(0x60001A9)                   \n           token(0x60001AA)                   \n        
   token(0x60001AB)                   \n           token(0x60001BC)                   \n           token(0x60001BD)                   \n           token(0x60001BF)                   \n           token(0x600026B)                   \n           token(0x600026F)                   \n\nenumerate files in .NET (6 matches)\nnamespace  host-interaction/file-system/files/list\nscope      function                               \nmatches    token(0x60000BC)                       \n           token(0x6000149)                       \n           token(0x600015D)                       \n           token(0x60001A7)                       \n           token(0x60001A9)                       \n           token(0x60001AB)                       \n\nget file attributes\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    token(0x6000095)                 \n\nget file size (5 matches)\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    token(0x6000095)                 \n           token(0x60001A5)                 \n           token(0x60001A8)                 \n           token(0x60001AA)                 \n           token(0x600026B)                 \n\nset file attributes (2 matches)\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    token(0x600003C)                 \n           token(0x60001BF)                 \n\nmove file (2 matches)\nnamespace  host-interaction/file-system/move\nscope      function                         \nmatches    token(0x6000144)                 \n           token(0x6000159)                 \n\nread file on Windows (7 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    token(0x6000096)                 \n           token(0x60000B8)                 \n           token(0x60000BB)                 \n           token(0x60001A5)                 \n           
token(0x60001AC)                 \n           token(0x60001AD)                 \n           token(0x60001BD)                 \n\nwrite file on Windows (11 matches)\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    token(0x6000019)                  \n           token(0x6000044)                  \n           token(0x6000097)                  \n           token(0x60000BB)                  \n           token(0x60000DD)                  \n           token(0x6000147)                  \n           token(0x600014A)                  \n           token(0x600015B)                  \n           token(0x600015E)                  \n           token(0x60001A5)                  \n           token(0x60001E8)                  \n\nenumerate gui resources (2 matches)\nnamespace  host-interaction/gui\nscope      function            \nmatches    token(0x600004D)    \n           token(0x6000054)    \n\nset application hook (2 matches)\nnamespace  host-interaction/gui \nscope      instruction          \nmatches    token(0x60000A7)+0x1C\n           token(0x60000AF)+0x66\n\nchange the wallpaper\nnamespace  host-interaction/gui/session\nscope      basic block                 \nmatches    token(0x60000D7)            \n\nfind taskbar (3 matches)\nnamespace  host-interaction/gui/taskbar/find\nscope      basic block                      \nmatches    token(0x60000C2)                 \n           token(0x60000C3)                 \n           token(0x60000C9)                 \n\nhide the Windows taskbar\nnamespace  host-interaction/gui/taskbar/hide\nscope      function                         \nmatches    token(0x60000C2)                 \n\nfind graphical window (3 matches)\nnamespace  host-interaction/gui/window/find\nscope      instruction                     \nmatches    token(0x60000C2)+0xA            \n           token(0x60000C3)+0xA            \n           token(0x60000C9)+0xA            \n\nhide graphical window\nnamespace  
host-interaction/gui/window/hide\nscope      basic block                     \nmatches    token(0x60000C2)                \n\nget disk information\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    token(0x6000093)                 \n\nget disk size\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    token(0x6000093)                 \n\nallocate unmanaged memory in .NET (3 matches)\nnamespace  host-interaction/memory\nscope      function               \nmatches    token(0x60001AD)       \n           token(0x60001AF)       \n           token(0x60001B0)       \n\nmanipulate unmanaged memory in .NET (14 matches)\nnamespace  host-interaction/memory\nscope      function               \nmatches    token(0x6000055)       \n           token(0x60000A8)       \n           token(0x60000C7)       \n           token(0x60000C8)       \n           token(0x60000D7)       \n           token(0x60000E5)       \n           token(0x60001A5)       \n           token(0x60001AD)       \n           token(0x60001AF)       \n           token(0x60001B0)       \n           token(0x60001BB)       \n           token(0x60001CA)       \n           token(0x60001CB)       \n           token(0x60001CC)       \n\ncreate or open mutex on Windows\nnamespace  host-interaction/mutex\nscope      instruction           \nmatches    token(0x6000033)+0x211\n\nget networking interfaces\nnamespace  host-interaction/network/interface\nscope      function                          \nmatches    token(0x600011C)                  \n\nget hostname (2 matches)\nnamespace  host-interaction/os/hostname\nscope      function                    \nmatches    token(0x6000049)            \n           token(0x60001A0)            \n\nget OS version in .NET\nnamespace  host-interaction/os/version\nscope      basic block                \nmatches    token(0x600004B)           \n\nget process image filename (5 matches)\nnamespace  
host-interaction/process\nscope      basic block             \nmatches    token(0x6000033)        \n           token(0x600003A)        \n           token(0x600003C)        \n           token(0x600003E)        \n           token(0x60001E8)        \n\ncreate a process with modified I/O handles and window (14 matches)\nnamespace  host-interaction/process/create\nscope      function                       \nmatches    token(0x6000033)               \n           token(0x600003A)               \n           token(0x600003B)               \n           token(0x600003E)               \n           token(0x60000F7)               \n           token(0x600011D)               \n           token(0x600011E)               \n           token(0x6000144)               \n           token(0x6000147)               \n           token(0x6000148)               \n           token(0x6000159)               \n           token(0x600015B)               \n           token(0x600015C)               \n           token(0x60001E8)               \n\ncreate process on Windows (22 matches)\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    token(0x6000033)               \n           token(0x6000039)               \n           token(0x600003A)               \n           token(0x600003B)               \n           token(0x600003E)               \n           token(0x6000099)               \n           token(0x60000D5)               \n           token(0x60000D8)               \n           token(0x60000DB)               \n           token(0x60000DC)               \n           token(0x60000DD)               \n           token(0x60000F7)               \n           token(0x600011D)               \n           token(0x600011E)               \n           token(0x6000144)               \n           token(0x6000147)               \n           token(0x6000148)               \n           token(0x6000159)               \n           token(0x600015B)               \n           
token(0x600015C)               \n           token(0x60001E8)               \n           token(0x6000207)               \n\nenumerate processes (2 matches)\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    token(0x6000060)             \n           token(0x60000D9)             \n\nfind process by PID (2 matches)\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    token(0x6000061)             \n           token(0x6000062)             \n\nfind process by name\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    token(0x60001BB)             \n\nacquire debug privileges\nnamespace  host-interaction/process/modify\nscope      basic block                    \nmatches    token(0x60001BA)               \n\nmodify access privileges\nnamespace  host-interaction/process/modify\nscope      instruction                    \nmatches    token(0x60001BA)+0x59          \n\nterminate process (14 matches)\nnamespace  host-interaction/process/terminate\nscope      function                          \nmatches    token(0x600003A)                  \n           token(0x600003B)                  \n           token(0x6000061)                  \n           token(0x60000F7)                  \n           token(0x600011D)                  \n           token(0x600011E)                  \n           token(0x6000144)                  \n           token(0x6000147)                  \n           token(0x6000148)                  \n           token(0x6000159)                  \n           token(0x600015B)                  \n           token(0x600015C)                  \n           token(0x60001E7)                  \n           token(0x60001E8)                  \n\nquery or enumerate registry key (7 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    token(0x6000039)         \n           token(0x600006F)         \n           
token(0x6000071)         \n           token(0x60000F9)         \n           token(0x6000255)         \n           token(0x6000257)         \n           token(0x6000259)         \n\nquery or enumerate registry value (2 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    token(0x600006F)         \n           token(0x6000255)         \n\nset registry value (5 matches)\nnamespace  host-interaction/registry/create\nscope      function                        \nmatches    token(0x6000039)                \n           token(0x600003E)                \n           token(0x600003E)                \n           token(0x6000070)                \n           token(0x6000257)                \n\ndelete registry key\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    token(0x600003E)                \n\ndelete registry value (2 matches)\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    token(0x6000071)                \n           token(0x6000259)                \n\nget session integrity level (3 matches)\nnamespace  host-interaction/session\nscope      function                \nmatches    token(0x600003D)        \n           token(0x600007A)        \n           token(0x60001B9)        \n\nget session user name (5 matches)\nnamespace  host-interaction/session\nscope      function                \nmatches    token(0x600003D)        \n           token(0x600004A)        \n           token(0x600007A)        \n           token(0x6000149)        \n           token(0x60001B9)        \n\ncreate thread (3 matches)\nnamespace  host-interaction/thread/create\nscope      basic block                   \nmatches    token(0x60000A4)              \n           token(0x60000C4)              \n           token(0x60000EC)              \n\nsuspend thread (9 matches)\nnamespace  host-interaction/thread/suspend\nscope      basic block                    \nmatches   
 token(0x6000010)               \n           token(0x6000011)               \n           token(0x6000033)               \n           token(0x6000035)               \n           token(0x6000037)               \n           token(0x600003E)               \n           token(0x60000DA)               \n           token(0x60001E7)               \n           token(0x6000207)               \n\naccess WMI data in .NET\nnamespace  host-interaction/wmi\nscope      function            \nmatches    token(0x600004B)    \n\nreference cryptocurrency strings\nnamespace  impact/cryptocurrency\nscope      file                 \n\ndisable system features via registry on Windows\nnamespace  impact/features \nscope      function        \nmatches    token(0x6000039)\n\ncompile .NET assembly\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x600027A)\n\ninvoke .NET assembly method (2 matches)\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x6000146)\n           token(0x600027A)\n\nload .NET assembly\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x6000146)\n\ncompile CSharp in .NET\nnamespace  load-code/dotnet/csharp\nscope      function               \nmatches    token(0x600027A)       \n\npersist via default file association registry key (2 matches)\nnamespace  persistence/registry\nscope      function            \nmatches    token(0x600003E)    \n           token(0x600003E)    \n\npersist via Run registry key\nnamespace  persistence/registry/run\nscope      function                \nmatches    token(0x6000070)        \n\nschedule task via schtasks (2 matches)\nnamespace  persistence/scheduled-tasks\nscope      function                   \nmatches    token(0x600003A)           \n           token(0x600003A)           \n\nunmanaged call (42 matches)\nnamespace    runtime                                                       \ndescription  managed code calls unmanaged (native) code, often seen in 
.NET\nscope        function                                                      \nmatches      token(0x6000055)                                              \n             token(0x6000063)                                              \n             token(0x60000A5)                                              \n             token(0x60000A7)                                              \n             token(0x60000A8)                                              \n             token(0x60000AA)                                              \n             token(0x60000AF)                                              \n             token(0x60000C2)                                              \n             token(0x60000C3)                                              \n             token(0x60000C7)                                              \n             token(0x60000C8)                                              \n             token(0x60000C9)                                              \n             token(0x60000CA)                                              \n             token(0x60000CB)                                              \n             token(0x60000D2)                                              \n             token(0x60000D3)                                              \n             token(0x60000D4)                                              \n             token(0x60000D6)                                              \n             token(0x60000D7)                                              \n             token(0x60000DA)                                              \n             token(0x60000E5)                                              \n             token(0x60000ED)                                              \n             token(0x60000F4)                                              \n             token(0x6000176)                                              \n             token(0x6000177)                                        
      \n             token(0x6000178)                                              \n             token(0x6000179)                                              \n             token(0x600017A)                                              \n             token(0x600017B)                                              \n             token(0x600017C)                                              \n             token(0x60001A0)                                              \n             token(0x60001A5)                                              \n             token(0x60001AD)                                              \n             token(0x60001AF)                                              \n             token(0x60001B0)                                              \n             token(0x60001B5)                                              \n             token(0x60001B7)                                              \n             token(0x60001BA)                                              \n             token(0x60001BB)                                              \n             token(0x60001CA)                                              \n             token(0x60001CB)                                              \n             token(0x60001CC)                                              \n\ncompiled to the .NET platform\nnamespace  runtime/dotnet\nscope      file          \n\n\n\n","very_verbose":"md5                     9a5ff998dbf0f6923d0b454d89800fb4                        \nsha1                    4f4fa23e9c503b941a5e91584d6ecc3813962ba1                \nsha256                  360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f15…\npath                    /home/apogean/projects/malware/windows/all_runs/360e6f2…\ntimestamp               2026-04-23 00:40:18.704360                              \ncapa version            9.2.1                                                   \nos                      any                                                     
\nformat                  dotnet                                                  \narch                    any                                                     \nanalysis                static                                                  \nextractor               DnfileFeatureExtractor                                  \nbase address            global                                                  \nrules                   /tmp/_MEIqmmSAd/rules                                   \nfunction count          574                                                     \nlibrary function count  0                                                       \ntotal feature count     18525                                                   \n\ncontain loop (library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ token(0x60000BC)\n  or:\n    characteristic: recursive call @ token(0x60000BC)\n\ncreate or open file (library rule)\nauthor  michael.hunhoff@mandiant.com, joakim@intezer.com\nscope   instruction                                     \nmbc     File System::Create File [C0016]                \ninstruction @ token(0x60001A5)+0x48\n  or:\n    api: CreateFile @ token(0x60001A5)+0x48\n\ncreate or open registry key (9 matches, only showing first match of library \nrule)\nauthor  michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope   basic block                                                             \nmbc     Operating System::Registry::Create Registry Key [C0036.004], Operating  \n        System::Registry::Open Registry Key [C0036.003]                         \nbasic block @ token(0x6000039) in function token(0x6000039)\n  or:\n    api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000039)+0x1FE8\n\nopen process (library rule)\nauthor  0x534a@mailbox.org           \nscope   basic block                  \nmbc     Process::Open Process [C0065]\nbasic block @ token(0x60001BB) in function 
token(0x60001BB)\n  or:\n    api: OpenProcess @ token(0x60001BB)+0x59, token(0x60001BB)+0x90\n\nopen thread (library rule)\nauthor  0x534a@mailbox.org          \nscope   basic block                 \nmbc     Process::Open Thread [C0066]\nbasic block @ token(0x6000063) in function token(0x6000063)\n  or:\n    api: OpenThread @ token(0x6000063)+0x22\n\nself delete (3 matches)\nnamespace  anti-analysis/anti-forensic/self-deletion                            \nauthor     michael.hunhoff@mandiant.com, @mr-tz                                 \nscope      function                                                             \natt&ck     Defense Evasion::Indicator Removal::File Deletion [T1070.004]        \nmbc        Defense Evasion::Self Deletion::COMSPEC Environment Variable         \n           [F0007.001]                                                          \nfunction @ token(0x6000039)\n  and:\n    or:\n      match: host-interaction/process/create @ token(0x6000039)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x6000039)+0x1DE1, token(0x6000039)+0x1FD1\n    or:\n      regex: /(^|[\\&;\\|]\\s*)del(\\s.*)?/i\n        - \"delta\" @ token(0x6000039)+0xC4B\nfunction @ token(0x600003E)\n  and:\n    or:\n      match: host-interaction/process/create @ token(0x600003E)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003E)+0x68\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003E)+0x6F\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003E)+0x61\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003E)+0x76\n    or:\n      regex: /(^|[\\&;\\|]\\s*)del(\\s.*)?/i\n        
- \"DelegateExecute\" @ token(0x600003E)+0x3A\nfunction @ token(0x600003E)\n  and:\n    or:\n      match: host-interaction/process/create @ token(0x600003E)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003E)+0x68\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003E)+0x6F\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003E)+0x61\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003E)+0x76\n    or:\n      regex: /(^|[\\&;\\|]\\s*)del(\\s.*)?/i\n        - \"DelegateExecute\" @ token(0x600003E)+0x3A\n\nget geographical location\nnamespace  collection                                  \nauthor     moritz.raabe, michael.hunhoff@mandiant.com  \nscope      function                                    \natt&ck     Discovery::System Location Discovery [T1614]\nfunction @ token(0x600004C)\n  or:\n    regex: /countrycode/i\n      - \"\\\"countryCode\\\":\\\"\" @ token(0x600004C)+0x28\n      - \"http://ip-api.com/json/?fields=countryCode\" @ token(0x600004C)+0x1C\n\nsave image in .NET\nnamespace  collection                  \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x6000054)\n  and:\n    api: System.Drawing.Image::Save @ token(0x6000054)+0x1D6\n\ngather firefox profile information\nnamespace  collection/browser                                                   \nauthor     @_re_fox, still@teamt5.org                                           \nscope      function                                                             \natt&ck     Credential Access::Credentials from Password Stores::Credentials from\n           Web Browsers 
[T1555.003]                                             \nfunction @ token(0x60001CC)\n  and:\n    2 or more:\n      regex: /SELECT\\s+{5,}FROM moz_(logins|cookies)/i\n        - \"SELECT host, name, value, path, isSecure, expiry FROM moz_cookies\" @ token(0x60001CC)+0x38\n      regex: /FROM moz_(logins|cookies)/i\n        - \"SELECT host, name, value, path, isSecure, expiry FROM moz_cookies\" @ token(0x60001CC)+0x38\n\nreference SQL statements (2 matches)\nnamespace  collection/database/sql                               \nauthor     william.ballenthin@mandiant.com                       \nscope      function                                              \natt&ck     Collection::Data from Information Repositories [T1213]\nfunction @ token(0x6000147)\n  and:\n    regex: /SELECT.*FROM.*WHERE/\n      - \"'\\r\\n    if not os.path.exists(db_path):\\r\\n        print('ERROR:Database file \nnot found: ' + db_path)\\r\\n        sys.exit(1)\\r\\n    \\r\\n    # Check file \nsize\\r\\n    file_size = os.path.getsize(db_path)\\r\\n    if file_size == 0:\\r\\n  \nprint('ERROR:Database file is empty')\\r\\n        sys.exit(1)\\r\\n    \\r\\n    conn\n= sqlite3.connect(db_path)\\r\\n    conn.row_factory = sqlite3.Row\\r\\n    cursor =\nconn.cursor()\\r\\n    \\r\\n    # First, check if urls table exists\\r\\n    \ncursor.execute(\\\"SELECT name FROM sqlite_master WHERE type='table' AND \nname='urls'\\\")\\r\\n    table_exists = cursor.fetchone()\\r\\n    \\r\\n    if not \ntable_exists:\\r\\n        print('ERROR:urls table does not exist in \ndatabase')\\r\\n        # List available tables for debugging\\r\\n        \ncursor.execute(\\\"SELECT name FROM sqlite_master WHERE type='table'\\\")\\r\\n       \ntables = cursor.fetchall()\\r\\n        if tables:\\r\\n            table_names = ',\n'.join([t[0] for t in tables])\\r\\n            print('ERROR:Available tables: ' +\ntable_names)\\r\\n        conn.close()\\r\\n        sys.exit(1)\\r\\n    \\r\\n    # Try\nto query the urls 
table\\r\\n    try:\\r\\n        # Check if columns exist\\r\\n     \ncursor.execute(\\\"PRAGMA table_info(urls)\\\")\\r\\n        columns = [row[1] for row\nin cursor.fetchall()]\\r\\n        required_columns = ['url', 'title', \n'visit_count', 'last_visit_time']\\r\\n        missing_columns = \\r\\n        \\r\\n \nif missing_columns:\\r\\n            print('ERROR:Missing columns: ' + ', \n'.join(missing_columns))\\r\\n            print('ERROR:Available columns: ' + ', \n'.join(columns))\\r\\n            conn.close()\\r\\n            sys.exit(1)\\r\\n     \n\\r\\n        cursor.execute('SELECT url, title, visit_count, last_visit_time FROM\nurls ORDER BY last_visit_time DESC LIMIT 1000')\\r\\n        rows = \ncursor.fetchall()\\r\\n        \\r\\n        if len(rows) == 0:\\r\\n            \nprint('ERROR:No rows found in urls table')\\r\\n            conn.close()\\r\\n      \nsys.exit(1)\\r\\n        \\r\\n        for row in rows:\\r\\n            url = \nrow['url'] if row['url'] else ''\\r\\n            title = row['title'] if \nrow['title'] else ''\\r\\n            visit_count = int(row['visit_count']) if \nrow['visit_count'] is not None else 0\\r\\n            last_visit = \nint(row['last_visit_time']) if row['last_visit_time'] is not None else 0\\r\\n    \n# Escape pipe characters in URL/title\\r\\n            url = url.replace('|', \n'{PIPE}')\\r\\n            title = title.replace('|', '{PIPE}')\\r\\n            \nprint(f'{url}|{title}|{visit_count}|{last_visit}')\\r\\n    except \nsqlite3.OperationalError as e:\\r\\n        print(f'ERROR:SQL error: \n{str(e)}')\\r\\n        conn.close()\\r\\n        sys.exit(1)\\r\\n    except \nException as e:\\r\\n        print(f'ERROR:Query error: {str(e)}')\\r\\n        \nconn.close()\\r\\n        sys.exit(1)\\r\\n    \\r\\n    conn.close()\\r\\nexcept \nException as e:\\r\\n    print(f'ERROR:{str(e)}')\\r\\n    import traceback\\r\\n    \nprint('ERROR:Traceback: ' + traceback.format_exc())\\r\\n    sys.exit(1)\\r\\n\" @ 
token(0x6000147)+0x26\nfunction @ token(0x600015B)\n  and:\n    regex: /SELECT.*FROM.*WHERE/\n      - \"'\\r\\n    if not os.path.exists(db_path):\\r\\n        print('ERROR:Database file \nnot found')\\r\\n        sys.exit(1)\\r\\n    \\r\\n    conn = \nsqlite3.connect(db_path)\\r\\n    conn.row_factory = sqlite3.Row\\r\\n    cursor = \nconn.cursor()\\r\\n    \\r\\n    # Check if autofill table exists\\r\\n    \ncursor.execute(\\\"SELECT name FROM sqlite_master WHERE type='table' AND \nname='autofill'\\\")\\r\\n    if not cursor.fetchone():\\r\\n        \nprint('ERROR:autofill table does not exist')\\r\\n        conn.close()\\r\\n        \nsys.exit(1)\\r\\n    \\r\\n    # Query autofill data\\r\\n    cursor.execute('SELECT \nname, value, date_created, date_last_used, count FROM autofill ORDER BY \ndate_last_used DESC LIMIT 500')\\r\\n    rows = cursor.fetchall()\\r\\n    \\r\\n    \nfor row in rows:\\r\\n        name = row['name'] if row['name'] else ''\\r\\n       \nvalue = row['value'] if row['value'] else ''\\r\\n        date_created = \nrow['date_created'] if row['date_created'] else 0\\r\\n        date_last_used = \nrow['date_last_used'] if row['date_last_used'] else 0\\r\\n        count = \nrow['count'] if row['count'] else 0\\r\\n        name = name.replace('|', \n'{PIPE}')\\r\\n        value = value.replace('|', '{PIPE}')\\r\\n        \nprint(f'{name}|{value}|{date_created}|{date_last_used}|{count}')\\r\\n    \\r\\n    \nconn.close()\\r\\nexcept Exception as e:\\r\\n    print(f'ERROR:{str(e)}')\\r\\n    \nimport traceback\\r\\n    print('ERROR:Traceback: ' + traceback.format_exc())\\r\\n \nsys.exit(1)\\r\\n\" @ token(0x600015B)+0x1B\n\nreference WMI statements\nnamespace  collection/database/wmi                               \nauthor     michael.hunhoff@mandiant.com                          \nscope      function                                              \natt&ck     Collection::Data from Information Repositories [T1213]\nfunction @ token(0x600004B)\n  
or:\n    regex: /SELECT\\s+\\*\\s+FROM\\s+Win32_./\n      - \"SELECT * FROM Win32_OperatingSystem\" @ token(0x600004B)+0x0\n\nlog keystrokes (2 matches)\nnamespace  collection/keylog                                \nauthor     moritz.raabe@mandiant.com                        \nscope      function                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]\nfunction @ token(0x600017A)\n  or:\n    api: MapVirtualKey @ token(0x600017A)+0x39\nfunction @ token(0x600017B)\n  or:\n    api: MapVirtualKey @ token(0x600017B)+0xF\n\nlog keystrokes via application hook\nnamespace  collection/keylog                                   \nauthor     michael.hunhoff@mandiant.com                        \nscope      basic block                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]   \nmbc        Collection::Keylogging::Application Hook [F0002.001]\nbasic block @ token(0x60000A7) in function token(0x60000A7)\n  and:\n    match: set application hook @ token(0x60000A7)+0x1C\n      or:\n        api: SetWindowsHookEx @ token(0x60000A7)+0x1C\n    or:\n      number: 0xD = WH_KEYBOARD_LL @ token(0x60000A7)+0xD\n\nlog keystrokes via polling (2 matches)\nnamespace  collection/keylog                                \nauthor     michael.hunhoff@mandiant.com                     \nscope      function                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]\nmbc        Collection::Keylogging::Polling [F0002.002]      \nfunction @ token(0x60000AA)\n  or:\n    api: GetKeyState @ token(0x60000AA)+0xE9, token(0x60000AA)+0xFA\nfunction @ token(0x600017C)\n  or:\n    api: VkKeyScan @ token(0x600017C)+0x3CB, token(0x600017C)+0x3F6\n\nget MAC address in .NET\nnamespace  collection/network                                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           echernofsky@google.com                     
                          \nscope      function                                                             \natt&ck     Discovery::System Information Discovery [T1082]                      \nfunction @ token(0x600011C)\n  or:\n    api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress @ token(0x600011C)+0x150\n\ncapture screenshot\nnamespace  collection/screenshot                                            \nauthor     moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com\nscope      function                                                         \natt&ck     Collection::Screen Capture [T1113]                               \nmbc        Collection::Screen Capture::WinAPI [E1113.m01]                   \nfunction @ token(0x6000054)\n  or:\n    api: System.Drawing.Graphics::CopyFromScreen @ token(0x6000054)+0xC7, token(0x6000054)+0x133\n\nreceive data\nnamespace    communication                                                     \nauthor       william.ballenthin@mandiant.com                                   \nscope        function                                                          \nmbc          Command and Control::C2 Communication::Receive Data [B0030.002]   \ndescription  all known techniques for receiving data from a potential C2 server\nfunction @ token(0x600004C)\n  or:\n    match: read data from Internet @ token(0x600004C)\n      and:\n        or:\n          api: System.Net.WebClient::DownloadString @ token(0x600004C)+0x21\n\nsend data\nnamespace    communication                                                 \nauthor       william.ballenthin@mandiant.com, joakim@intezer.com           \nscope        function                                                      \nmbc          Command and Control::C2 Communication::Send Data [B0030.001]  \ndescription  all known techniques for sending data to a potential C2 server\nfunction @ token(0x60001BF)\n  or:\n    and:\n      os: windows\n      or:\n        match: send HTTP request @ 
token(0x60001BF)\n          or:\n            api: System.Net.WebRequest::GetResponse @ token(0x60001BF)+0x97\n\nmanipulate network credentials in .NET\nnamespace  communication/authentication\nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x60001BF)\n  and:\n    api: System.Net.NetworkCredential::ctor @ token(0x60001BF)+0x7F\n\nwrite and execute a file (4 matches)\nnamespace              communication/c2/file-transfer               \nmaec/malware-category  launcher                                     \nauthor                 moritz.raabe@mandiant.com                    \nscope                  function                                     \nmbc                    Execution::Install Additional Program [B0023]\nfunction @ token(0x60000DD)\n  and:\n    match: host-interaction/file-system/write @ token(0x60000DD)\n      or:\n        api: System.IO.File::WriteAllText @ token(0x60000DD)+0x2A\n    match: host-interaction/process/create @ token(0x60000DD)\n      or:\n        api: System.Diagnostics.Process::Start @ token(0x60000DD)+0x35\nfunction @ token(0x6000147)\n  and:\n    match: host-interaction/file-system/write @ token(0x6000147)\n      or:\n        api: System.IO.File::WriteAllText @ token(0x6000147)+0x72\n    match: host-interaction/process/create @ token(0x6000147)\n      or:\n        api: System.Diagnostics.Process::Start @ token(0x6000147)+0x100\n      or:\n        and:\n          api: System.Diagnostics.Process::Start @ token(0x6000147)+0x100\n          or:\n            property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000147)+0xD6\n            property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000147)+0xF2\n            property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000147)+0xB9\n            property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000147)+0xCF\n            property/write: 
System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000147)+0xEB\n            property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000147)+0xDD\n            property/read: System.Diagnostics.Process::StandardOutput @ token(0x6000147)+0x108\nfunction @ token(0x600015B)\n  and:\n    match: host-interaction/file-system/write @ token(0x600015B)\n      or:\n        api: System.IO.File::WriteAllText @ token(0x600015B)+0x47\n    match: host-interaction/process/create @ token(0x600015B)\n      or:\n        api: System.Diagnostics.Process::Start @ token(0x600015B)+0xCB\n      or:\n        and:\n          api: System.Diagnostics.Process::Start @ token(0x600015B)+0xCB\n          or:\n            property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600015B)+0xA4\n            property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600015B)+0xC0\n            property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600015B)+0x87\n            property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600015B)+0x9D\n            property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600015B)+0xB9\n            property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600015B)+0xAB\n            property/read: System.Diagnostics.Process::StandardOutput @ token(0x600015B)+0xD2\nfunction @ token(0x60001E8)\n  and:\n    match: host-interaction/file-system/write @ token(0x60001E8)\n      or:\n        api: System.IO.File::WriteAllText @ token(0x60001E8)+0x6D\n    match: host-interaction/process/create @ token(0x60001E8)\n      or:\n        api: System.Diagnostics.Process::Start @ token(0x60001E8)+0x8C\n      or:\n        and:\n          api: System.Diagnostics.Process::Start @ token(0x60001E8)+0x8C\n          or:\n            property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x60001E8)+0x80\n          
  property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x60001E8)+0x79\n            property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x60001E8)+0x87\n\nread HTTP header\nnamespace  communication/http                                           \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Read Header [C0002.014]   \nfunction @ token(0x600004C)\n  or:\n    property/read: System.Net.WebClient::Headers @ token(0x600004C)+0x7\n\nreference HTTP User-Agent string\nnamespace   communication/http                                                  \nauthor      @mr-tz                                                              \nscope       function                                                            \nmbc         Communication::HTTP Communication [C0002]                           \nreferences  https://www.useragents.me/,                                         \n            https://www.whatismybrowser.com/guides/the-latest-user-agent/       \nfunction @ token(0x600004C)\n  or:\n    substring: Mozilla/5.0\n      - \"Mozilla/5.0\" @ token(0x600004C)+0x11\n\ncreate HTTP request\nnamespace  communication/http/client                                    \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Create Request [C0002.012]\nfunction @ token(0x60001BF)\n  and:\n    or:\n      api: System.Net.WebRequest::Create @ token(0x60001BF)+0x5F\n\nread data from Internet\nnamespace  communication/http/client                                    \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Get Response 
[C0002.017]  \nfunction @ token(0x600004C)\n  and:\n    or:\n      api: System.Net.WebClient::DownloadString @ token(0x600004C)+0x21\n\nreceive HTTP response\nnamespace  communication/http/client                                  \nauthor     michael.hunhoff@mandiant.com                               \nscope      function                                                   \nmbc        Communication::HTTP Communication::Get Response [C0002.017]\nfunction @ token(0x60001BF)\n  or:\n    api: System.Net.WebRequest::GetResponse @ token(0x60001BF)+0x97\n\nsend HTTP request\nnamespace  communication/http/client                                  \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com    \nscope      function                                                   \nmbc        Communication::HTTP Communication::Send Request [C0002.003]\nfunction @ token(0x60001BF)\n  or:\n    api: System.Net.WebRequest::GetResponse @ token(0x60001BF)+0x97\n\ncreate TCP socket (3 matches)\nnamespace   communication/socket/tcp                                            \nauthor      william.ballenthin@mandiant.com, joakim@intezer.com,                \n            anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com       \nscope       basic block                                                         \nmbc         Communication::Socket Communication::Create TCP Socket [C0001.011]  \nreferences  https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-win…\n            https://man7.org/linux/man-pages/man2/socket.2.html                 \nbasic block @ token(0x600000C) in function token(0x600000C)\n  or:\n    property/read: System.Net.Sockets.TcpClient::Client @ token(0x600000C)+0x34, token(0x600000C)+0x41, token(0x600000C)+0x53\nbasic block @ token(0x600000E) in function token(0x600000E)\n  or:\n    property/read: System.Net.Sockets.TcpClient::Client @ token(0x600000E)+0x63, token(0x600000E)+0x70, token(0x600000E)+0xBE, \ntoken(0x600000E)+0xD7\nbasic block 
@ token(0x6000014) in function token(0x6000014)\n  or:\n    property/read: System.Net.Sockets.TcpClient::Client @ token(0x6000014)+0x34, token(0x6000014)+0x41\n\nact as TCP client\nnamespace  communication/tcp/client                                     \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                                     \nmbc        Communication::Socket Communication::TCP Client [C0001.008]  \nfunction @ token(0x600000E)\n  or:\n    api: System.Net.Sockets.TcpClient::ctor @ token(0x600000E)+0x7\n\ncreate zip archive in .NET (3 matches)\nnamespace  data-manipulation/compression\nauthor     michael.hunhoff@mandiant.com \nscope      basic block                  \nbasic block @ token(0x60000B8) in function token(0x60000B8)\n  and:\n    or:\n      api: System.IO.Compression.ZipFile::CreateFromDirectory @ token(0x60000B8)+0x14A\nbasic block @ token(0x60000BB) in function token(0x60000BB)\n  and:\n    or:\n      api: System.IO.Compression.ZipFile::CreateFromDirectory @ token(0x60000BB)+0x79\nbasic block @ token(0x60001BC) in function token(0x60001BC)\n  and:\n    or:\n      api: System.IO.Compression.ZipFile::CreateFromDirectory @ token(0x60001BC)+0x3F\n\ndecode data using Base64 in .NET\nnamespace  data-manipulation/encoding/base64                               \nauthor     michael.hunhoff@mandiant.com                                    \nscope      function                                                        \natt&ck     Defense Evasion::Deobfuscate/Decode Files or Information [T1140]\nmbc        Data::Decode Data::Base64 [C0053.001]                           \nfunction @ token(0x60001B5)\n  or:\n    api: System.Convert::FromBase64String @ token(0x60001B5)+0x1\n\ndecode data using Base64 via WinAPI\nnamespace  data-manipulation/encoding/base64                               \nauthor     michael.hunhoff@mandiant.com                                    \nscope      basic block                 
                                    \natt&ck     Defense Evasion::Deobfuscate/Decode Files or Information [T1140]\nbasic block @ token(0x60001B5) in function token(0x60001B5)\n  and:\n    api: CryptStringToBinary @ token(0x60001B5)+0x21, token(0x60001B5)+0x43\n    or:\n      number: 0x1 = dwFlags=CRYPT_STRING_BASE64 @ token(0x60001B5)+0x13, token(0x60001B5)+0x35\n\nreference Base64 string\nnamespace  data-manipulation/encoding/base64                                \nauthor     moritz.raabe@mandiant.com                                        \nscope      file                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]         \nmbc        Data::Encode Data::Base64 [C0026.001], Data::Check String [C0019]\nregex: /ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\n  - \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\" @ file+0x254AC\n\nencrypt or decrypt data via BCrypt (2 matches)\nnamespace  data-manipulation/encryption                                         \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        Cryptography::Decrypt Data [C0031], Cryptography::Encrypt Data       \n           [C0027]                                                              \nfunction @ token(0x60001AD)\n  and:\n    or:\n      api: BCryptDecrypt @ token(0x60001AD)+0x441\n    optional:\n      api: BCryptOpenAlgorithmProvider @ token(0x60001AD)+0x37D\n      api: BCryptCloseAlgorithmProvider @ token(0x60001AD)+0x4B1\n      api: BCryptGenerateSymmetricKey @ token(0x60001AD)+0x39E\n      api: BCryptDestroyKey @ token(0x60001AD)+0x49A\nfunction @ token(0x60001B0)\n  and:\n    or:\n      api: BCryptDecrypt @ token(0x60001B0)+0x1D1\n    optional:\n      api: BCryptOpenAlgorithmProvider 
@ token(0x60001B0)+0x70\n      api: BCryptCloseAlgorithmProvider @ token(0x60001B0)+0x280\n      api: BCryptGenerateSymmetricKey @ token(0x60001B0)+0xFC\n      api: BCryptDestroyKey @ token(0x60001B0)+0x26B\n\nencrypt data using DPAPI\nnamespace  data-manipulation/encryption/dpapi                           \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                                     \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]     \nmbc        Cryptography::Encrypt Data [C0027]                           \nfunction @ token(0x60001AF)\n  or:\n    api: CryptUnprotectData @ token(0x60001AF)+0x52\n\ngenerate random numbers in .NET\nnamespace  data-manipulation/prng                                            \nauthor     anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com     \nscope      function                                                          \nmbc        Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\nfunction @ token(0x600003E)\n  or:\n    api: System.Random::Next @ token(0x600003E)+0x90\n\ncontains PDB path\nnamespace  executable/pe/pdb        \nauthor     moritz.raabe@mandiant.com\nscope      file                     \nregex: /:\\\\.*\\.pdb/\n  - \"C:\\\\Users\\\\sulum\\\\OneDrive\\\\Desktop\\\\datacenter\\\\stubCsharp\\\\obj\\\\Release\\\\Clie\nnt.pdb\" @ file+0x370BC\n\nextract resource via kernel32 functions\nnamespace  executable/resource            \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ token(0x60000E5)\n  or:\n    and:\n      or:\n        api: LoadResource @ token(0x60000E5)+0x3D\n        api: LockResource @ token(0x60000E5)+0x5D\n      optional:\n        or:\n          api: FindResource @ token(0x60000E5)+0x12\n        api: SizeofResource @ token(0x60000E5)+0x82\n\ncheck clipboard data (2 matches)\nnamespace  host-interaction/clipboard        \nauthor     
anushka.virgaonkar@mandiant.com   \nscope      function                          \natt&ck     Collection::Clipboard Data [T1115]\nfunction @ token(0x60000EE)\n  or:\n    api: System.Windows.Forms.Clipboard::ContainsText @ token(0x60000EE)+0x10\nfunction @ token(0x600024C)\n  or:\n    api: System.Windows.Forms.Clipboard::ContainsText @ token(0x600024C)+0xA5, token(0x600024C)+0xB4\n\nmonitor clipboard content\nnamespace  host-interaction/clipboard        \nauthor     michael.hunhoff@mandiant.com      \nscope      basic block                       \natt&ck     Collection::Clipboard Data [T1115]\nbasic block @ token(0x60000F4) in function token(0x60000F4)\n  and:\n    api: AddClipboardFormatListener @ token(0x60000F4)+0x17\n\nread clipboard data (2 matches)\nnamespace   host-interaction/clipboard                                          \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Collection::Clipboard Data [T1115]                                  \nreferences  https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-…\nfunction @ token(0x60000EE)\n  and:\n    or:\n      api: System.Windows.Forms.Clipboard::GetText @ token(0x60000EE)+0x17\nfunction @ token(0x600024C)\n  and:\n    or:\n      api: System.Windows.Forms.Clipboard::GetText @ token(0x600024C)+0xAC, token(0x600024C)+0xBB\n\nmanipulate console buffer (8 matches)\nnamespace   host-interaction/console                                     \nauthor      william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\nscope       function                                                     \nmbc         Operating System::Console [C0033]                            \nreferences  https://stackoverflow.com/a/15770935/87207                   \nfunction @ token(0x6000019)\n  or:\n    api: System.Console::WriteLine @ token(0x6000019)+0x21, token(0x6000019)+0x58\nfunction @ 
token(0x6000029)\n  or:\n    api: System.Console::WriteLine @ token(0x6000029)+0x1F\nfunction @ token(0x6000033)\n  or:\n    api: System.Console::WriteLine @ token(0x6000033)+0x19, token(0x6000033)+0x7B, token(0x6000033)+0x9B, \ntoken(0x6000033)+0xBF, and 6 more...\nfunction @ token(0x6000044)\n  or:\n    api: System.Console::WriteLine @ token(0x6000044)+0x21, token(0x6000044)+0x58\nfunction @ token(0x600014A)\n  or:\n    api: System.Console::WriteLine @ token(0x600014A)+0x21\nfunction @ token(0x600015E)\n  or:\n    api: System.Console::WriteLine @ token(0x600015E)+0x21\nfunction @ token(0x6000181)\n  or:\n    api: System.Console::WriteLine @ token(0x6000181)+0x79\nfunction @ token(0x6000182)\n  or:\n    api: System.Console::WriteLine @ token(0x6000182)+0x8, token(0x6000182)+0x2B\n\nquery environment variable (3 matches)\nnamespace  host-interaction/environment-variable          \nauthor     michael.hunhoff@mandiant.com, @_re_fox         \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ token(0x6000095)\n  or:\n    api: System.Environment::ExpandEnvironmentVariables @ token(0x6000095)+0x17\nfunction @ token(0x60001A1)\n  or:\n    api: System.Environment::GetEnvironmentVariable @ token(0x60001A1)+0x28, token(0x60001A1)+0x33, token(0x60001A1)+0x3E\nfunction @ token(0x60001AB)\n  or:\n    api: System.Environment::GetEnvironmentVariable @ token(0x60001AB)+0xF\n\nenumerate drives\nnamespace  host-interaction/file-system\nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x6000093)\n  or:\n    api: System.IO.DriveInfo::GetDrives @ token(0x6000093)+0x6\n\nget common file path (7 matches)\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           
anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ token(0x600004E)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x600004E)+0xA, token(0x600004E)+0x1E, token(0x600004E)+0x32, \ntoken(0x600004E)+0x46\nfunction @ token(0x60000B7)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x60000B7)+0x8, token(0x60000B7)+0x10\nfunction @ token(0x60000F8)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x60000F8)+0x10, token(0x60000F8)+0x90\nfunction @ token(0x60000FA)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x60000FA)+0x8\nfunction @ token(0x6000146)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x6000146)+0x10, token(0x6000146)+0x29, token(0x6000146)+0x42\nfunction @ token(0x6000149)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x6000149)+0x8, token(0x6000149)+0x10\nfunction @ token(0x600015D)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x600015D)+0x8, token(0x600015D)+0x10\n\ncopy file (7 matches)\nnamespace  host-interaction/file-system/copy                      \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Copy File [C0045]                         \nfunction @ token(0x60000BC)\n  or:\n    api: System.IO.File::Copy @ token(0x60000BC)+0x2C\nfunction @ token(0x6000144)\n  or:\n    api: System.IO.File::Copy @ token(0x6000144)+0xC7\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.File::Copy @ token(0x6000159)+0xA3\nfunction @ token(0x60001A5)\n  or:\n    api: System.IO.File::Copy @ token(0x60001A5)+0x92\nfunction @ token(0x60001A6)\n  or:\n    api: System.IO.File::Copy @ 
token(0x60001A6)+0x2D, token(0x60001A6)+0x5F\nfunction @ token(0x60001AB)\n  or:\n    api: System.IO.File::Copy @ token(0x60001AB)+0x81\nfunction @ token(0x60001BF)\n  or:\n    api: System.IO.File::Copy @ token(0x60001BF)+0x43, token(0x60001BF)+0xE7, token(0x60001BF)+0xF6\n\ncreate directory (8 matches)\nnamespace  host-interaction/file-system/create                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Create Directory [C0046]                  \nfunction @ token(0x6000097)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x6000097)+0x18\nfunction @ token(0x6000098)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x6000098)+0x18\nfunction @ token(0x60000B8)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x60000B8)+0x5F\nfunction @ token(0x60000BB)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x60000BB)+0x2C\nfunction @ token(0x60000BC)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x60000BC)+0x9\nfunction @ token(0x6000144)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x6000144)+0x120\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x6000159)+0xFB\nfunction @ token(0x60001A0)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x60001A0)+0x8C, token(0x60001A0)+0x98\n\ndelete directory (2 matches)\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete Directory [C0048]                  \nfunction @ token(0x60000B8)\n  or:\n    api: System.IO.Directory::Delete @ token(0x60000B8)+0x176\nfunction @ token(0x60000BB)\n  or:\n    api: System.IO.Directory::Delete @ token(0x60000BB)+0x87\n\ndelete file (12 matches)\nnamespace  
host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete File [C0047]                       \nfunction @ token(0x60000B8)\n  or:\n    api: System.IO.File::Delete @ token(0x60000B8)+0x182\nfunction @ token(0x60000BB)\n  or:\n    api: System.IO.File::Delete @ token(0x60000BB)+0x93\nfunction @ token(0x6000144)\n  or:\n    api: System.IO.File::Delete @ token(0x6000144)+0x233, token(0x6000144)+0x329\nfunction @ token(0x6000147)\n  or:\n    api: System.IO.File::Delete @ token(0x6000147)+0x3DE\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.File::Delete @ token(0x6000159)+0x1D1, token(0x6000159)+0x256\nfunction @ token(0x600015B)\n  or:\n    api: System.IO.File::Delete @ token(0x600015B)+0x22F, token(0x600015B)+0x255\nfunction @ token(0x60001A8)\n  or:\n    api: System.IO.File::Delete @ token(0x60001A8)+0x280\nfunction @ token(0x60001A9)\n  or:\n    api: System.IO.File::Delete @ token(0x60001A9)+0x30D, token(0x60001A9)+0x337, token(0x60001A9)+0x361\nfunction @ token(0x60001AA)\n  or:\n    api: System.IO.File::Delete @ token(0x60001AA)+0x27E, token(0x60001AA)+0x2A6, token(0x60001AA)+0x2CE\nfunction @ token(0x60001AB)\n  or:\n    api: System.IO.File::Delete @ token(0x60001AB)+0x12D\nfunction @ token(0x60001BC)\n  or:\n    api: System.IO.File::Delete @ token(0x60001BC)+0x33\nfunction @ token(0x60001BF)\n  or:\n    api: System.IO.File::Delete @ token(0x60001BF)+0x109\n\ncheck if directory exists (15 matches)\nnamespace  host-interaction/file-system/exists            \nauthor     michael.hunhoff@mandiant.com                   \nscope      function                                       \natt&ck     Discovery::File and Directory Discovery [T1083]\nfunction @ token(0x600004E)\n  or:\n    api: System.IO.Directory::Exists @ token(0x600004E)+0x5E\nfunction @ token(0x6000095)\n  or:\n    api: 
System.IO.Directory::Exists @ token(0x6000095)+0x64\nfunction @ token(0x6000097)\n  or:\n    api: System.IO.Directory::Exists @ token(0x6000097)+0x10\nfunction @ token(0x6000098)\n  or:\n    api: System.IO.Directory::Exists @ token(0x6000098)+0x10\nfunction @ token(0x60000B7)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60000B7)+0x347\nfunction @ token(0x60000B8)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60000B8)+0xC0\nfunction @ token(0x60000BC)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60000BC)+0x1\nfunction @ token(0x6000144)\n  or:\n    api: System.IO.Directory::Exists @ token(0x6000144)+0x117\nfunction @ token(0x6000149)\n  or:\n    api: System.IO.Directory::Exists @ token(0x6000149)+0x11D, token(0x6000149)+0x237, token(0x6000149)+0x324, \ntoken(0x6000149)+0x469, and 2 more...\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.Directory::Exists @ token(0x6000159)+0xF2\nfunction @ token(0x600015D)\n  or:\n    api: System.IO.Directory::Exists @ token(0x600015D)+0x7B, token(0x600015D)+0x109, token(0x600015D)+0x198, \ntoken(0x600015D)+0x21D, and 1 more...\nfunction @ token(0x60001A7)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60001A7)+0x16\nfunction @ token(0x60001A9)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60001A9)+0xB\nfunction @ token(0x60001AB)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60001AB)+0x2A\nfunction @ token(0x600021B)\n  or:\n    api: System.IO.Directory::Exists @ token(0x600021B)+0x24\n\ncheck if file exists (22 matches)\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ token(0x6000095)\n  or:\n    property/read: System.IO.FileSystemInfo::Exists @ 
token(0x6000095)+0x88\nfunction @ token(0x6000096)\n  or:\n    api: System.IO.File::Exists @ token(0x6000096)+0x1\nfunction @ token(0x60000D6)\n  or:\n    api: System.IO.File::Exists @ token(0x60000D6)+0x1\nfunction @ token(0x60000D7)\n  or:\n    api: System.IO.File::Exists @ token(0x60000D7)+0x1\nfunction @ token(0x60000F8)\n  or:\n    api: System.IO.File::Exists @ token(0x60000F8)+0x45, token(0x60000F8)+0xC5\nfunction @ token(0x60000FA)\n  or:\n    api: System.IO.File::Exists @ token(0x60000FA)+0x1E\nfunction @ token(0x6000144)\n  or:\n    api: System.IO.File::Exists @ token(0x6000144)+0x219, token(0x6000144)+0x22B, token(0x6000144)+0x321\nfunction @ token(0x6000146)\n  or:\n    api: System.IO.File::Exists @ token(0x6000146)+0x71\nfunction @ token(0x6000149)\n  or:\n    api: System.IO.File::Exists @ token(0x6000149)+0x170, token(0x6000149)+0x28B, token(0x6000149)+0x378, \ntoken(0x6000149)+0x4B1, and 2 more...\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.File::Exists @ token(0x6000159)+0x1B7, token(0x6000159)+0x1C9, token(0x6000159)+0x24E\nfunction @ token(0x600015D)\n  or:\n    api: System.IO.File::Exists @ token(0x600015D)+0xCE, token(0x600015D)+0x15D, token(0x600015D)+0x1EC, \ntoken(0x600015D)+0x265, and 1 more...\nfunction @ token(0x60001A6)\n  or:\n    api: System.IO.File::Exists @ token(0x60001A6)+0x19, token(0x60001A6)+0x4B\nfunction @ token(0x60001A7)\n  or:\n    api: System.IO.File::Exists @ token(0x60001A7)+0x2F, token(0x60001A7)+0x140, token(0x60001A7)+0x15E, \ntoken(0x60001A7)+0x174, and 1 more...\nfunction @ token(0x60001A8)\n  or:\n    api: System.IO.File::Exists @ token(0x60001A8)+0x25, token(0x60001A8)+0x278\nfunction @ token(0x60001A9)\n  or:\n    api: System.IO.File::Exists @ token(0x60001A9)+0x64, token(0x60001A9)+0x304, token(0x60001A9)+0x324, \ntoken(0x60001A9)+0x34E\nfunction @ token(0x60001AA)\n  or:\n    api: System.IO.File::Exists @ token(0x60001AA)+0x66, token(0x60001AA)+0x276, token(0x60001AA)+0x294, 
\ntoken(0x60001AA)+0x2BC\nfunction @ token(0x60001AB)\n  or:\n    api: System.IO.File::Exists @ token(0x60001AB)+0x61\nfunction @ token(0x60001BC)\n  or:\n    api: System.IO.File::Exists @ token(0x60001BC)+0x2B, token(0x60001BC)+0x45\nfunction @ token(0x60001BD)\n  or:\n    api: System.IO.File::Exists @ token(0x60001BD)+0x13\nfunction @ token(0x60001BF)\n  or:\n    api: System.IO.File::Exists @ token(0x60001BF)+0x31, token(0x60001BF)+0x39\nfunction @ token(0x600026B)\n  or:\n    api: System.IO.File::Exists @ token(0x600026B)+0x9B\nfunction @ token(0x600026F)\n  or:\n    api: System.IO.File::Exists @ token(0x600026F)+0x70\n\nenumerate files in .NET (6 matches)\nnamespace   host-interaction/file-system/files/list                             \nauthor      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com          \nscope       function                                                            \natt&ck      Discovery::File and Directory Discovery [T1083]                     \nmbc         Discovery::File and Directory Discovery [E1083]                     \nreferences  https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b16…\nfunction @ token(0x60000BC)\n  or:\n    api: System.IO.Directory::GetFiles @ token(0x60000BC)+0x10\n    api: System.IO.Directory::GetDirectories @ token(0x60000BC)+0x41\nfunction @ token(0x6000149)\n  or:\n    api: System.IO.Directory::GetDirectories @ token(0x6000149)+0x128, token(0x6000149)+0x243, token(0x6000149)+0x330, \ntoken(0x6000149)+0x475, and 2 more...\nfunction @ token(0x600015D)\n  or:\n    api: System.IO.Directory::GetDirectories @ token(0x600015D)+0x86, token(0x600015D)+0x115, token(0x600015D)+0x1A4, \ntoken(0x600015D)+0x229, and 1 more...\nfunction @ token(0x60001A7)\n  or:\n    api: System.IO.Directory::GetDirectories @ token(0x60001A7)+0xCB\nfunction @ token(0x60001A9)\n  or:\n    api: System.IO.Directory::GetDirectories @ token(0x60001A9)+0x20\nfunction @ token(0x60001AB)\n  or:\n    api: 
System.IO.Directory::GetDirectories @ token(0x60001AB)+0x3F\n\nget file attributes\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      basic block                                                  \nmbc        File System::Get File Attributes [C0049]                     \nbasic block @ token(0x6000095) in function token(0x6000095)\n  or:\n    property/read: System.IO.FileSystemInfo::Attributes @ token(0x6000095)+0xFD\n\nget file size (5 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        Discovery::File and Directory Discovery [E1083]              \nfunction @ token(0x6000095)\n  or:\n    property/read: System.IO.FileInfo::Length @ token(0x6000095)+0x15D\nfunction @ token(0x60001A5)\n  or:\n    property/read: System.IO.FileInfo::Length @ token(0x60001A5)+0xD4\nfunction @ token(0x60001A8)\n  or:\n    property/read: System.IO.FileInfo::Length @ token(0x60001A8)+0x79\nfunction @ token(0x60001AA)\n  or:\n    property/read: System.IO.FileInfo::Length @ token(0x60001AA)+0xB6\nfunction @ token(0x600026B)\n  or:\n    property/read: System.IO.FileInfo::Length @ token(0x600026B)+0xD3\n\nset file attributes (2 matches)\nnamespace  host-interaction/file-system/meta                                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      basic block                                                          \natt&ck     Defense Evasion::File and Directory Permissions Modification [T1222] \nmbc        File System::Set File Attributes [C0050]                             \nbasic 
block @ token(0x600003C) in function token(0x600003C)\n  or:\n    api: System.IO.File::SetAttributes @ token(0x600003C)+0x19\nbasic block @ token(0x60001BF) in function token(0x60001BF)\n  or:\n    api: System.IO.File::SetAttributes @ token(0x60001BF)+0x4A, token(0x60001BF)+0xEE, token(0x60001BF)+0xFD\n\nmove file (2 matches)\nnamespace  host-interaction/file-system/move                      \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Move File [C0063]                         \nfunction @ token(0x6000144)\n  or:\n    api: System.IO.File::Move @ token(0x6000144)+0x23B\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.File::Move @ token(0x6000159)+0x1D9\n\nread file on Windows (7 matches)\nnamespace  host-interaction/file-system/read                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \nmbc        File System::Read File [C0051]                            \nfunction @ token(0x6000096)\n  or:\n    api: System.IO.File::ReadAllBytes @ token(0x6000096)+0x3F\nfunction @ token(0x60000B8)\n  or:\n    api: System.IO.File::ReadAllBytes @ token(0x60000B8)+0x150\nfunction @ token(0x60000BB)\n  or:\n    api: System.IO.File::ReadAllBytes @ token(0x60000BB)+0x7F\nfunction @ token(0x60001A5)\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ token(0x60001A5)+0xF5\nfunction @ token(0x60001AC)\n  or:\n    api: System.IO.File::ReadAllText @ token(0x60001AC)+0x1\nfunction @ token(0x60001AD)\n  or:\n    api: System.IO.File::ReadAllText @ token(0x60001AD)+0xB\nfunction @ token(0x60001BD)\n  or:\n    api: System.IO.File::ReadAllBytes @ token(0x60001BD)+0x70\n\nwrite file on Windows (11 matches)\nnamespace  host-interaction/file-system/write                              \nauthor     william.ballenthin@mandiant.com, 
anushka.virgaonkar@mandiant.com\nscope      function                                                        \nmbc        File System::Writes File [C0052]                                \nfunction @ token(0x6000019)\n  or:\n    api: System.IO.File::AppendAllText @ token(0x6000019)+0x40\nfunction @ token(0x6000044)\n  or:\n    api: System.IO.File::AppendAllText @ token(0x6000044)+0x40\nfunction @ token(0x6000097)\n  or:\n    api: System.IO.File::WriteAllBytes @ token(0x6000097)+0x20\nfunction @ token(0x60000BB)\n  or:\n    api: System.IO.File::WriteAllText @ token(0x60000BB)+0x42\nfunction @ token(0x60000DD)\n  or:\n    api: System.IO.File::WriteAllText @ token(0x60000DD)+0x2A\nfunction @ token(0x6000147)\n  or:\n    api: System.IO.File::WriteAllText @ token(0x6000147)+0x72\nfunction @ token(0x600014A)\n  or:\n    api: System.IO.File::AppendAllText @ token(0x600014A)+0x40\nfunction @ token(0x600015B)\n  or:\n    api: System.IO.File::WriteAllText @ token(0x600015B)+0x47\nfunction @ token(0x600015E)\n  or:\n    api: System.IO.File::AppendAllText @ token(0x600015E)+0x40\nfunction @ token(0x60001A5)\n  or:\n    api: System.IO.File::WriteAllBytes @ token(0x60001A5)+0x136\nfunction @ token(0x60001E8)\n  or:\n    api: System.IO.File::WriteAllText @ token(0x60001E8)+0x6D\n\nenumerate gui resources (2 matches)\nnamespace  host-interaction/gui                           \nauthor     johnk3r, anushka.virgaonkar@mandiant.com       \nscope      function                                       \natt&ck     Discovery::Application Window Discovery [T1010]\nfunction @ token(0x600004D)\n  or:\n    property/read: System.Windows.Forms.Screen::AllScreens @ token(0x600004D)+0x0\nfunction @ token(0x6000054)\n  or:\n    property/read: System.Windows.Forms.Screen::AllScreens @ token(0x6000054)+0x0\n\nset application hook (2 matches)\nnamespace  host-interaction/gui        \nauthor     michael.hunhoff@mandiant.com\nscope      instruction                 \ninstruction @ token(0x60000A7)+0x1C\n  
or:\n    api: SetWindowsHookEx @ token(0x60000A7)+0x1C\ninstruction @ token(0x60000AF)+0x66\n  or:\n    api: UnhookWindowsHookEx @ token(0x60000AF)+0x66\n\nchange the wallpaper\nnamespace  host-interaction/gui/session       \nauthor     @_re_fox                           \nscope      basic block                        \nmbc        Operating System::Wallpaper [C0035]\nbasic block @ token(0x60000D7) in function token(0x60000D7)\n  and:\n    api: SystemParametersInfo @ token(0x60000D7)+0x12\n    number: 0x14 = SPI_SETDESKWALLPAPER @ token(0x60000D7)+0x8\n    number: 0x3 = SPIF_SENDWININICHANGE | SPIF_UPDATEINIFILE @ token(0x60000D7)+0x11\n\nfind taskbar (3 matches)\nnamespace  host-interaction/gui/taskbar/find   \nauthor     moritz.raabe@mandiant.com           \nscope      basic block                         \nmbc        Discovery::Taskbar Discovery [B0043]\nbasic block @ token(0x60000C2) in function token(0x60000C2)\n  and:\n    string: \"Shell_TrayWnd\" @ token(0x60000C2)+0x0\n    match: find graphical window @ token(0x60000C2)+0xA\n      or:\n        api: FindWindow @ token(0x60000C2)+0xA\nbasic block @ token(0x60000C3) in function token(0x60000C3)\n  and:\n    string: \"Shell_TrayWnd\" @ token(0x60000C3)+0x0\n    match: find graphical window @ token(0x60000C3)+0xA\n      or:\n        api: FindWindow @ token(0x60000C3)+0xA\nbasic block @ token(0x60000C9) in function token(0x60000C9)\n  and:\n    string: \"Shell_TrayWnd\" @ token(0x60000C9)+0x0\n    match: find graphical window @ token(0x60000C9)+0xA\n      or:\n        api: FindWindow @ token(0x60000C9)+0xA\n\nhide the Windows taskbar\nnamespace  host-interaction/gui/taskbar/hide      \nauthor     michael.hunhoff@mandiant.com           \nscope      function                               \natt&ck     Defense Evasion::Hide Artifacts [T1564]\nfunction @ token(0x60000C2)\n  and:\n    match: find taskbar @ token(0x60000C2)\n      and:\n        string: \"Shell_TrayWnd\" @ token(0x60000C2)+0x0\n        match: find 
graphical window @ token(0x60000C2)+0xA\n          or:\n            api: FindWindow @ token(0x60000C2)+0xA\n    match: hide graphical window @ token(0x60000C2)\n      and:\n        number: 0x0 = SW_HIDE @ token(0x60000C2)+0xF\n        api: ShowWindow @ token(0x60000C2)+0x10\n\nfind graphical window (3 matches)\nnamespace  host-interaction/gui/window/find               \nauthor     moritz.raabe@mandiant.com                      \nscope      instruction                                    \natt&ck     Discovery::Application Window Discovery [T1010]\ninstruction @ token(0x60000C2)+0xA\n  or:\n    api: FindWindow @ token(0x60000C2)+0xA\ninstruction @ token(0x60000C3)+0xA\n  or:\n    api: FindWindow @ token(0x60000C3)+0xA\ninstruction @ token(0x60000C9)+0xA\n  or:\n    api: FindWindow @ token(0x60000C9)+0xA\n\nhide graphical window\nnamespace  host-interaction/gui/window/hide                          \nauthor     michael.hunhoff@mandiant.com                              \nscope      basic block                                               \natt&ck     Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\nbasic block @ token(0x60000C2) in function token(0x60000C2)\n  and:\n    number: 0x0 = SW_HIDE @ token(0x60000C2)+0xF\n    api: ShowWindow @ token(0x60000C2)+0x10\n\nget disk information\nnamespace  host-interaction/hardware/storage                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \natt&ck     Discovery::System Information Discovery [T1082]           \nmbc        Discovery::System Information Discovery [E1082]           \nfunction @ token(0x6000093)\n  or:\n    property/read: System.IO.DriveInfo::VolumeLabel @ token(0x6000093)+0x3E, token(0x6000093)+0x4B\n    property/read: System.IO.DriveInfo::DriveType @ token(0x6000093)+0x1E\n    property/read: System.IO.DriveInfo::Name @ token(0x6000093)+0x32\n\nget disk size\nnamespace   
host-interaction/hardware/storage                                   \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Discovery::System Information Discovery [T1082]                     \nmbc         Discovery::System Information Discovery [E1082]                     \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nfunction @ token(0x6000093)\n  or:\n    property/read: System.IO.DriveInfo::TotalSize @ token(0x6000093)+0x63\n    property/read: System.IO.DriveInfo::AvailableFreeSpace @ token(0x6000093)+0x6F\n\nallocate unmanaged memory in .NET (3 matches)\nnamespace  host-interaction/memory     \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x60001AD)\n  or:\n    api: System.Runtime.InteropServices.Marshal::AllocHGlobal @ token(0x60001AD)+0x3D2, token(0x60001AD)+0x3FA\nfunction @ token(0x60001AF)\n  or:\n    api: System.Runtime.InteropServices.Marshal::AllocHGlobal @ token(0x60001AF)+0x15\nfunction @ token(0x60001B0)\n  or:\n    api: System.Runtime.InteropServices.Marshal::AllocHGlobal @ token(0x60001B0)+0x158, token(0x60001B0)+0x163\n\nmanipulate unmanaged memory in .NET (14 matches)\nnamespace  host-interaction/memory     \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x6000055)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x6000055)+0x14\nfunction @ token(0x60000A8)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60000A8)+0x29\nfunction @ token(0x60000C7)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60000C7)+0x14\nfunction @ token(0x60000C8)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60000C8)+0x14\nfunction @ token(0x60000D7)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ 
token(0x60000D7)+0xC\nfunction @ token(0x60000E5)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60000E5)+0x25, token(0x60000E5)+0xA4\nfunction @ token(0x60001A5)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001A5)+0x5B, token(0x60001A5)+0xFC\nfunction @ token(0x60001AD)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001AD)+0x3BC, token(0x60001AD)+0x3D2, token(0x60001AD)+0x3E8, \ntoken(0x60001AD)+0x3FA, and 3 more...\nfunction @ token(0x60001AF)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001AF)+0x15, token(0x60001AF)+0x34, token(0x60001AF)+0x73, \ntoken(0x60001AF)+0xA2\nfunction @ token(0x60001B0)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001B0)+0x143, token(0x60001B0)+0x158, token(0x60001B0)+0x163, \ntoken(0x60001B0)+0x171, and 3 more...\nfunction @ token(0x60001BB)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001BB)+0x6C, token(0x60001BB)+0xA3, token(0x60001BB)+0xDE, \ntoken(0x60001BB)+0x11F, and 1 more...\nfunction @ token(0x60001CA)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001CA)+0x160, token(0x60001CA)+0x187, token(0x60001CA)+0x1C6\nfunction @ token(0x60001CB)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001CB)+0x15A, token(0x60001CB)+0x181, token(0x60001CB)+0x1C0, \ntoken(0x60001CB)+0x1E5\nfunction @ token(0x60001CC)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001CC)+0x92, token(0x60001CC)+0xB9, token(0x60001CC)+0xE0, \ntoken(0x60001CC)+0x107\n\ncreate or open mutex on Windows\nnamespace  host-interaction/mutex                                               \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com,          \n           mehunhoff@google.com                                                 \nscope      instruction                                                          \nmbc        Process::Create Mutex 
[C0042]                                        \ninstruction @ token(0x6000033)+0x211\n  or:\n    and:\n      format: dotnet\n      or:\n        api: System.Threading.Mutex::ctor @ token(0x6000033)+0x211\n\nget networking interfaces\nnamespace  host-interaction/network/interface                                   \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::System Network Configuration Discovery [T1016]            \nfunction @ token(0x600011C)\n  or:\n    and:\n      or:\n        api: System.Net.NetworkInformation.NetworkInterface::GetIPProperties @ token(0x600011C)+0x18\n      optional:\n        api: System.Net.NetworkInformation.NetworkInterface::GetAllNetworkInterfaces @ token(0x600011C)+0x6\n\nget hostname (2 matches)\nnamespace  host-interaction/os/hostname                                         \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::System Information Discovery [T1082]                      \nmbc        Discovery::System Information Discovery [E1082]                      \nfunction @ token(0x6000049)\n  or:\n    property/read: System.Environment::MachineName @ token(0x6000049)+0x0\nfunction @ token(0x60001A0)\n  or:\n    api: GetComputerName @ token(0x60001A0)+0x18\n    property/read: System.Environment::MachineName @ token(0x60001A0)+0x35\n\nget OS version in .NET\nnamespace  host-interaction/os/version                    \nauthor     michael.hunhoff@mandiant.com                   \nscope      basic block                                    \natt&ck     Discovery::System Information Discovery [T1082]\nbasic block 
@ token(0x600004B) in function token(0x600004B)\n  or:\n    property/read: System.Environment::OSVersion @ token(0x600004B)+0x6D\n\nget process image filename (5 matches)\nnamespace  host-interaction/process    \nauthor     michael.hunhoff@mandiant.com\nscope      basic block                 \nbasic block @ token(0x6000033) in function token(0x6000033)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x6000033)+0xC4\n      property/read: System.Diagnostics.Process::MainModule @ token(0x6000033)+0xC9\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x6000033)+0xCE\nbasic block @ token(0x600003A) in function token(0x600003A)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x600003A)+0x0\n      property/read: System.Diagnostics.Process::MainModule @ token(0x600003A)+0x5\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x600003A)+0xA\nbasic block @ token(0x600003C) in function token(0x600003C)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x600003C)+0x9\n      property/read: System.Diagnostics.Process::MainModule @ token(0x600003C)+0xE\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x600003C)+0x13\nbasic block @ token(0x600003E) in function token(0x600003E)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x600003E)+0x0\n      property/read: System.Diagnostics.Process::MainModule @ token(0x600003E)+0x5\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x600003E)+0xA\nbasic block @ token(0x60001E8) in function token(0x60001E8)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x60001E8)+0x0, token(0x60001E8)+0x42\n      property/read: System.Diagnostics.Process::MainModule @ token(0x60001E8)+0x5\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x60001E8)+0xA\n\ncreate a process 
with modified I/O handles and window (14 matches)\nnamespace   host-interaction/process/create                                     \nauthor      matthew.williams@mandiant.com, anushka.virgaonkar@mandiant.com      \nscope       function                                                            \nmbc         Process::Create Process [C0017]                                     \nreferences  https://docs.microsoft.com/en-us/windows/win32/api/processthreadsap…\nfunction @ token(0x6000033)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000033)+0xF4\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000033)+0xE4\n        property/write: System.Diagnostics.ProcessStartInfo::Verb @ token(0x6000033)+0xEF\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000033)+0xDD\nfunction @ token(0x600003A)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003A)+0x4C, token(0x600003A)+0xCC\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003A)+0x3E, token(0x600003A)+0xBE\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003A)+0x21, token(0x600003A)+0x86\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600003A)+0x37, token(0x600003A)+0xB7\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003A)+0x45, token(0x600003A)+0xC5\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600003A)+0x53, token(0x600003A)+0xD3\nfunction @ token(0x600003B)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600003B)+0x4F\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003B)+0x3C\n      
  property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003B)+0x2E\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003B)+0x11\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600003B)+0x27\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003B)+0x35\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600003B)+0x43\nfunction @ token(0x600003E)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003E)+0x68\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003E)+0x6F\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003E)+0x61\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003E)+0x76\nfunction @ token(0x60000F7)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x60000F7)+0x42, token(0x60000F7)+0x11F\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x60000F7)+0x29, token(0x60000F7)+0x106\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x60000F7)+0x17, token(0x60000F7)+0xE8\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x60000F7)+0x22, token(0x60000F7)+0xFF\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x60000F7)+0x37, token(0x60000F7)+0x114\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x60000F7)+0x30, token(0x60000F7)+0x10D\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x60000F7)+0x49, token(0x60000F7)+0x126\nfunction @ token(0x600011D)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ 
token(0x600011D)+0x42, token(0x600011D)+0x11F\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600011D)+0x29, token(0x600011D)+0x106\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600011D)+0x17, token(0x600011D)+0xE8\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600011D)+0x22, token(0x600011D)+0xFF\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600011D)+0x37, token(0x600011D)+0x114\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600011D)+0x30, token(0x600011D)+0x10D\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x600011D)+0x49, token(0x600011D)+0x126\nfunction @ token(0x600011E)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600011E)+0x42\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600011E)+0x29\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600011E)+0x17\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600011E)+0x22\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600011E)+0x37\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600011E)+0x30\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x600011E)+0x49\nfunction @ token(0x6000144)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000144)+0x1B8\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000144)+0x186\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000144)+0x1A6\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000144)+0x13D\n        property/write: 
System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000144)+0x17E\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000144)+0x19E\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000144)+0x18E\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x6000144)+0x1C0\nfunction @ token(0x6000147)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000147)+0x100\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000147)+0xD6\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000147)+0xF2\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000147)+0xB9\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000147)+0xCF\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000147)+0xEB\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000147)+0xDD\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x6000147)+0x108\nfunction @ token(0x6000148)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000148)+0xD5\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000148)+0xAD\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000148)+0xC9\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000148)+0x81\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000148)+0xA6\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000148)+0xC2\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000148)+0xB4\n        property/read: System.Diagnostics.Process::StandardOutput @ 
token(0x6000148)+0xDC\nfunction @ token(0x6000159)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000159)+0x190\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000159)+0x161\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000159)+0x181\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000159)+0x118\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000159)+0x159\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000159)+0x179\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000159)+0x169\nfunction @ token(0x600015B)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600015B)+0xCB\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600015B)+0xA4\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600015B)+0xC0\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600015B)+0x87\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600015B)+0x9D\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600015B)+0xB9\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600015B)+0xAB\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x600015B)+0xD2\nfunction @ token(0x600015C)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600015C)+0x99\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600015C)+0x72\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600015C)+0x8E\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600015C)+0x46\n 
       property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600015C)+0x6B\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600015C)+0x87\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600015C)+0x79\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x600015C)+0xA0\nfunction @ token(0x60001E8)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x60001E8)+0x8C\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x60001E8)+0x80\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x60001E8)+0x79\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x60001E8)+0x87\n\ncreate process on Windows (22 matches)\nnamespace  host-interaction/process/create\nauthor     moritz.raabe@mandiant.com      \nscope      basic block                    \nmbc        Process::Create Process [C0017]\nbasic block @ token(0x6000033) in function token(0x6000033)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000033)+0xF4\nbasic block @ token(0x6000039) in function token(0x6000039)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000039)+0x1DE1, token(0x6000039)+0x1FD1\nbasic block @ token(0x600003A) in function token(0x600003A)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\nbasic block @ token(0x600003B) in function token(0x600003B)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600003B)+0x4F\nbasic block @ token(0x600003E) in function token(0x600003E)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\nbasic block @ token(0x6000099) in function token(0x6000099)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000099)+0x1\nbasic block @ token(0x60000D5) in function token(0x60000D5)\n  or:\n    api: 
System.Diagnostics.Process::Start @ token(0x60000D5)+0x28\nbasic block @ token(0x60000D8) in function token(0x60000D8)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x60000D8)+0xA\nbasic block @ token(0x60000DB) in function token(0x60000DB)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x60000DB)+0x5\nbasic block @ token(0x60000DC) in function token(0x60000DC)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x60000DC)+0x5\nbasic block @ token(0x60000DD) in function token(0x60000DD)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x60000DD)+0x35\nbasic block @ token(0x60000F7) in function token(0x60000F7)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x60000F7)+0x42, token(0x60000F7)+0x11F\nbasic block @ token(0x600011D) in function token(0x600011D)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600011D)+0x42, token(0x600011D)+0x11F\nbasic block @ token(0x600011E) in function token(0x600011E)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600011E)+0x42\nbasic block @ token(0x6000144) in function token(0x6000144)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000144)+0x1B8\nbasic block @ token(0x6000147) in function token(0x6000147)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000147)+0x100\nbasic block @ token(0x6000148) in function token(0x6000148)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000148)+0xD5\nbasic block @ token(0x6000159) in function token(0x6000159)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000159)+0x190\nbasic block @ token(0x600015B) in function token(0x600015B)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600015B)+0xCB\nbasic block @ token(0x600015C) in function token(0x600015C)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600015C)+0x99\nbasic block @ token(0x60001E8) in function token(0x60001E8)\n  or:\n    api: System.Diagnostics.Process::Start @ 
token(0x60001E8)+0x8C\nbasic block @ token(0x6000207) in function token(0x6000207)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000207)+0x10\n\nenumerate processes (2 matches)\nnamespace  host-interaction/process/list                                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com              \nscope      function                                                             \natt&ck     Discovery::Process Discovery [T1057], Discovery::Software Discovery  \n           [T1518]                                                              \nfunction @ token(0x6000060)\n  or:\n    api: System.Diagnostics.Process::GetProcesses @ token(0x6000060)+0x6\nfunction @ token(0x60000D9)\n  or:\n    api: System.Diagnostics.Process::GetProcesses @ token(0x60000D9)+0xD\n\nfind process by PID (2 matches)\nnamespace  host-interaction/process/list                                \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::Process Discovery [T1057]                         \nfunction @ token(0x6000061)\n  and:\n    or:\n      api: System.Diagnostics.Process::GetProcessById @ token(0x6000061)+0x1\nfunction @ token(0x6000062)\n  and:\n    or:\n      api: System.Diagnostics.Process::GetProcessById @ token(0x6000062)+0x1\n\nfind process by name\nnamespace  host-interaction/process/list       \nauthor     anushka.virgaonkar@mandiant.com     \nscope      function                            \natt&ck     Discovery::Process Discovery [T1057]\nfunction @ token(0x60001BB)\n  and:\n    api: System.Diagnostics.Process::GetProcessesByName @ token(0x60001BB)+0x7\n\nacquire debug privileges\nnamespace  host-interaction/process/modify                        \nauthor     william.ballenthin@mandiant.com                        \nscope      basic block                                            \natt&ck     Privilege 
Escalation::Access Token Manipulation [T1134]\nbasic block @ token(0x60001BA) in function token(0x60001BA)\n  and:\n    string: \"SeDebugPrivilege\" @ token(0x60001BA)+0x13\n    optional:\n      match: modify access privileges @ token(0x60001BA)+0x59\n        and:\n          api: AdjustTokenPrivileges @ token(0x60001BA)+0x59\n\nmodify access privileges\nnamespace  host-interaction/process/modify                        \nauthor     moritz.raabe@mandiant.com                              \nscope      instruction                                            \natt&ck     Privilege Escalation::Access Token Manipulation [T1134]\ninstruction @ token(0x60001BA)+0x59\n  and:\n    api: AdjustTokenPrivileges @ token(0x60001BA)+0x59\n\nterminate process (14 matches)\nnamespace  host-interaction/process/terminate                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Process::Terminate Process [C0018]                                   \nfunction @ token(0x600003A)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x600003A)+0x6F, token(0x600003A)+0xEF\nfunction @ token(0x600003B)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x600003B)+0x5E\nfunction @ token(0x6000061)\n  or:\n    api: System.Diagnostics.Process::Kill @ token(0x6000061)+0x25, token(0x6000061)+0x3C\n    api: System.Diagnostics.Process::WaitForExit @ token(0x6000061)+0x14, token(0x6000061)+0x30, token(0x6000061)+0x47\nfunction @ token(0x60000F7)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x60000F7)+0x54, token(0x60000F7)+0x132\nfunction @ token(0x600011D)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x600011D)+0x54, token(0x600011D)+0x132\nfunction @ token(0x600011E)\n  or:\n    api: 
System.Diagnostics.Process::WaitForExit @ token(0x600011E)+0x54\nfunction @ token(0x6000144)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x6000144)+0x1E0\nfunction @ token(0x6000147)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x6000147)+0x129\nfunction @ token(0x6000148)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x6000148)+0xFB\nfunction @ token(0x6000159)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x6000159)+0x19C\nfunction @ token(0x600015B)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x600015B)+0xF0\nfunction @ token(0x600015C)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x600015C)+0xB1\nfunction @ token(0x60001E7)\n  or:\n    api: System.Environment::Exit @ token(0x60001E7)+0x2F\nfunction @ token(0x60001E8)\n  or:\n    api: System.Environment::Exit @ token(0x60001E8)+0x99\n\nquery or enumerate registry key (7 matches)\nnamespace  host-interaction/registry                                 \nauthor     michael.hunhoff@mandiant.com                              \nscope      function                                                  \natt&ck     Discovery::Query Registry [T1012]                         \nmbc        Operating System::Registry::Query Registry Key [C0036.005]\nfunction @ token(0x6000039)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000039)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000039)+0x1FE8\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000039)+0x1FE8\nfunction @ token(0x600006F)\n  and:\n    optional:\n      match: create or open registry key @ token(0x600006F)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x600006F)+0x10, token(0x600006F)+0x8E\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x600006F)+0x10, token(0x600006F)+0x8E\nfunction @ token(0x6000071)\n  and:\n    
optional:\n      match: create or open registry key @ token(0x6000071)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000071)+0xB\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000071)+0xB\nfunction @ token(0x60000F9)\n  and:\n    optional:\n      match: create or open registry key @ token(0x60000F9)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x60000F9)+0x10\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x60000F9)+0x10\nfunction @ token(0x6000255)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000255)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000255)+0x67\n    or:\n      api: Microsoft.Win32.RegistryKey::GetSubKeyNames @ token(0x6000255)+0x7F\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000255)+0x67\nfunction @ token(0x6000257)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000257)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000257)+0x3C\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000257)+0x3C\nfunction @ token(0x6000259)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000259)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000259)+0x36\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000259)+0x36\n\nquery or enumerate registry value (2 matches)\nnamespace  host-interaction/registry                                            \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com,       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::Query Registry [T1012]                                    \nmbc        Operating System::Registry::Query 
Registry Value [C0036.006]         \nfunction @ token(0x600006F)\n  and:\n    optional:\n      match: create or open registry key @ token(0x600006F)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x600006F)+0x10, token(0x600006F)+0x8E\n    or:\n      api: Microsoft.Win32.RegistryKey::GetValue @ token(0x600006F)+0x2C, token(0x600006F)+0xAE\n      api: Microsoft.Win32.RegistryKey::GetValueNames @ token(0x600006F)+0x1A, token(0x600006F)+0x9B\nfunction @ token(0x6000255)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000255)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000255)+0x67\n    or:\n      api: Microsoft.Win32.RegistryKey::GetValue @ token(0x6000255)+0xFE\n      api: Microsoft.Win32.RegistryKey::GetValueKind @ token(0x6000255)+0x108\n      api: Microsoft.Win32.RegistryKey::GetValueNames @ token(0x6000255)+0xE5\n\nset registry value (5 matches)\nnamespace  host-interaction/registry/create                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com \nscope      function                                                \nmbc        Operating System::Registry::Set Registry Key [C0036.001]\nfunction @ token(0x6000039)\n  or:\n    and:\n      match: host-interaction/process/create @ token(0x6000039)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x6000039)+0x1DE1, token(0x6000039)+0x1FD1\n      regex: /add/i\n        - \"add_startup\" @ token(0x6000039)+0x6C2\n        - \"add_to_startup\" @ token(0x6000039)+0x79E\n      or:\n        regex: /reg(|.exe)/i\n          - \"Listing registry (normalized): \" @ token(0x6000039)+0x23A4\n          - \"Registry list packet data: \" @ token(0x6000039)+0x2153\n          - \"Setting registry value: \" @ token(0x6000039)+0x2434\n          - \"list_registry\" @ token(0x6000039)+0x453\n          - \"set_registry_value\" @ token(0x6000039)+0x8E8\n        regex: /hklm/i\n          - 
\"HKLM\" @ token(0x6000039)+0x21FC\n        regex: /HKEY_LOCAL_MACHINE/i\n          - \"HKEY_LOCAL_MACHINE\" @ token(0x6000039)+0x21CC\n        regex: /hkcu/i\n          - \"HKCU\" @ token(0x6000039)+0x21F4\n        regex: /HKEY_CURRENT_USER/i\n          - \"HKEY_CURRENT_USER\" @ token(0x6000039)+0x218F, token(0x6000039)+0x21C4\n    and:\n      optional:\n        match: create or open registry key @ token(0x6000039)\n          or:\n            api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000039)+0x1FE8\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000039)+0x2000\nfunction @ token(0x600003E)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x600003E)\n          or:\n            api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x600003E)+0x1C\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x600003E)+0x34, token(0x600003E)+0x45\nfunction @ token(0x600003E)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x600003E)\n          or:\n            api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x600003E)+0x1C\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x600003E)+0x34, token(0x600003E)+0x45\nfunction @ token(0x6000070)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x6000070)\n          or:\n            api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x6000070)+0xA\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000070)+0x13\nfunction @ token(0x6000257)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x6000257)\n          or:\n            api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000257)+0x3C\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000257)+0x14B\n\ndelete registry key\nnamespace  host-interaction/registry/delete                                
\nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\nscope      function                                                        \natt&ck     Defense Evasion::Modify Registry [T1112]                        \nmbc        Operating System::Registry::Delete Registry Key [C0036.002]     \nfunction @ token(0x600003E)\n  and:\n    optional:\n      match: create or open registry key @ token(0x600003E)\n        or:\n          api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x600003E)+0x1C\n    or:\n      api: Microsoft.Win32.RegistryKey::DeleteSubKeyTree @ token(0x600003E)+0xA6, token(0x600003E)+0xC0\n\ndelete registry value (2 matches)\nnamespace  host-interaction/registry/delete                             \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Defense Evasion::Modify Registry [T1112]                     \nmbc        Operating System::Registry::Delete Registry Value [C0036.007]\nfunction @ token(0x6000071)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000071)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000071)+0xB\n    or:\n      api: Microsoft.Win32.RegistryKey::DeleteValue @ token(0x6000071)+0x17\nfunction @ token(0x6000259)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000259)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000259)+0x36\n    or:\n      api: Microsoft.Win32.RegistryKey::DeleteValue @ token(0x6000259)+0x4A\n\nget session integrity level (3 matches)\nnamespace  host-interaction/session                                     \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::System Owner/User Discovery [T1033]               \nfunction @ token(0x600003D)\n  or:\n   
 and:\n      api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x600003D)+0x0\n      number: 0x220 = BUILTIN\\Administrators @ token(0x600003D)+0xA\n      api: System.Security.Principal.WindowsPrincipal::IsInRole @ token(0x600003D)+0xF\nfunction @ token(0x600007A)\n  or:\n    and:\n      api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x600007A)+0x0\n      number: 0x220 = BUILTIN\\Administrators @ token(0x600007A)+0xA\n      api: System.Security.Principal.WindowsPrincipal::IsInRole @ token(0x600007A)+0xF\nfunction @ token(0x60001B9)\n  or:\n    and:\n      api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x60001B9)+0x0\n      number: 0x220 = BUILTIN\\Administrators @ token(0x60001B9)+0xA\n      api: System.Security.Principal.WindowsPrincipal::IsInRole @ token(0x60001B9)+0xF\n\nget session user name (5 matches)\nnamespace  host-interaction/session                                             \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope      function                                                             \natt&ck     Discovery::System Owner/User Discovery [T1033], Discovery::Account   \n           Discovery [T1087]                                                    \nfunction @ token(0x600003D)\n  or:\n    api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x600003D)+0x0\nfunction @ token(0x600004A)\n  or:\n    property/read: System.Environment::UserName @ token(0x600004A)+0x0\nfunction @ token(0x600007A)\n  or:\n    api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x600007A)+0x0\nfunction @ token(0x6000149)\n  or:\n    property/read: System.Environment::UserName @ token(0x6000149)+0x16\nfunction @ token(0x60001B9)\n  or:\n    api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x60001B9)+0x0\n\ncreate thread (3 matches)\nnamespace  host-interaction/thread/create                                       \nauthor     
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           joakim@intezer.com, anushka.virgaonkar@mandiant.com                  \nscope      basic block                                                          \nmbc        Process::Create Thread [C0038]                                       \nbasic block @ token(0x60000A4) in function token(0x60000A4)\n  or:\n    and:\n      api: System.Threading.Thread::Start @ token(0x60000A4)+0x47\n      optional:\n        api: System.Threading.Thread::ctor @ token(0x60000A4)+0x24\nbasic block @ token(0x60000C4) in function token(0x60000C4)\n  or:\n    and:\n      api: System.Threading.Thread::Start @ token(0x60000C4)+0x38\n      optional:\n        api: System.Threading.Thread::ctor @ token(0x60000C4)+0x25\nbasic block @ token(0x60000EC) in function token(0x60000EC)\n  or:\n    and:\n      api: System.Threading.Thread::Start @ token(0x60000EC)+0x57\n      optional:\n        api: System.Threading.Thread::ctor @ token(0x60000EC)+0x2F\n\nsuspend thread (9 matches)\nnamespace  host-interaction/thread/suspend                    \nauthor     0x534a@mailbox.org, anushka.virgaonkar@mandiant.com\nscope      basic block                                        \nmbc        Process::Suspend Thread [C0055]                    \nbasic block @ token(0x6000010) in function token(0x6000010)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000010)+0x16D, token(0x6000010)+0x1B4, token(0x6000010)+0x1CB\nbasic block @ token(0x6000011) in function token(0x6000011)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000011)+0xEC, token(0x6000011)+0x134\nbasic block @ token(0x6000033) in function token(0x6000033)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000033)+0xA5\nbasic block @ token(0x6000035) in function token(0x6000035)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000035)+0xC1, token(0x6000035)+0xED\nbasic block @ token(0x6000037) in function token(0x6000037)\n  or:\n    api: 
System.Threading.Thread::Sleep @ token(0x6000037)+0x24A, token(0x6000037)+0x363, token(0x6000037)+0x370, \ntoken(0x6000037)+0x3A1, and 2 more...\nbasic block @ token(0x600003E) in function token(0x600003E)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x600003E)+0x96\nbasic block @ token(0x60000DA) in function token(0x60000DA)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x60000DA)+0x55\nbasic block @ token(0x60001E7) in function token(0x60001E7)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x60001E7)+0x14\nbasic block @ token(0x6000207) in function token(0x6000207)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000207)+0x18\n\naccess WMI data in .NET\nnamespace  host-interaction/wmi                                 \nauthor     michael.hunhoff@mandiant.com                         \nscope      function                                             \natt&ck     Execution::Windows Management Instrumentation [T1047]\nfunction @ token(0x600004B)\n  or:\n    and:\n      api: System.Management.ManagementObjectSearcher::Get @ token(0x600004B)+0xC\n      optional:\n        api: System.Management.ManagementObjectSearcher::ctor @ token(0x600004B)+0x5\n\nreference cryptocurrency strings\nnamespace   impact/cryptocurrency                                               \nauthor      moritz.raabe@mandiant.com                                           \nscope       file                                                                \natt&ck      Impact::Resource Hijacking [T1496]                                  \nreferences  https://github.com/ctxis/CAPE/blob/master/modules/signatures/crypto…\nor:\n  string: \"Bitcoin\" @ file+0x258F8\n  string: \"Ethereum\" @ file+0x2591A\n  string: \"Dash\" @ file+0x25A16\n  string: \"Monero\" @ file+0x25A46\n  string: \"Zcash\" @ file+0x25A2C\n\ndisable system features via registry on Windows\nnamespace  impact/features                                                      \nauthor     
mehunhoff@google.com                                                 \nscope      function                                                             \natt&ck     Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]\nmbc        Defense Evasion::Disable or Evade Security Tools [F0004]             \nfunction @ token(0x6000039)\n  and:\n    match: set registry value @ token(0x6000039)\n      or:\n        and:\n          match: host-interaction/process/create @ token(0x6000039)\n            or:\n              api: System.Diagnostics.Process::Start @ token(0x6000039)+0x1DE1, token(0x6000039)+0x1FD1\n          regex: /add/i\n            - \"add_startup\" @ token(0x6000039)+0x6C2\n            - \"add_to_startup\" @ token(0x6000039)+0x79E\n          or:\n            regex: /reg(|.exe)/i\n              - \"Listing registry (normalized): \" @ token(0x6000039)+0x23A4\n              - \"Registry list packet data: \" @ token(0x6000039)+0x2153\n              - \"Setting registry value: \" @ token(0x6000039)+0x2434\n              - \"list_registry\" @ token(0x6000039)+0x453\n              - \"set_registry_value\" @ token(0x6000039)+0x8E8\n            regex: /hklm/i\n              - \"HKLM\" @ token(0x6000039)+0x21FC\n            regex: /HKEY_LOCAL_MACHINE/i\n              - \"HKEY_LOCAL_MACHINE\" @ token(0x6000039)+0x21CC\n            regex: /hkcu/i\n              - \"HKCU\" @ token(0x6000039)+0x21F4\n            regex: /HKEY_CURRENT_USER/i\n              - \"HKEY_CURRENT_USER\" @ token(0x6000039)+0x218F, token(0x6000039)+0x21C4\n        and:\n          optional:\n            match: create or open registry key @ token(0x6000039)\n              or:\n                api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000039)+0x1FE8\n          or:\n            api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000039)+0x2000\n    or:\n      and:\n        regex: /SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System/i\n          - 
\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\" @ token(0x6000039)+0x1FE2\n        or:\n          regex: /EnableLUA/i\n            - \"EnableLUA\" @ token(0x6000039)+0x1FF5\n\n(internal) .NET file limitation\nnamespace    internal/limitation/dynamic                        \nauthor       @v1bh475u                                          \nscope        file                                               \ndescription  This dynamic analysis trace describes a .NET file. \n                                                                \n             capa rules are not yet tuned for the .NET runtime, \n             so its analysis may be incomplete or misleading.   \n                                                                \nor:\n  format: dotnet\n\ncompile .NET assembly\nnamespace  load-code/dotnet                                                     \nauthor     anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information::Compile After      \n           Delivery [T1027.004]                                                 \nfunction @ token(0x600027A)\n  or:\n    api: System.CodeDom.Compiler.CodeDomProvider::CompileAssemblyFromSource @ token(0x600027A)+0x138\n\ninvoke .NET assembly method (2 matches)\nnamespace  load-code/dotnet                                     \nauthor     anushka.virgaonkar@mandiant.com, mehunhoff@google.com\nscope      function                                             \natt&ck     Defense Evasion::Reflective Code Loading [T1620]     \nfunction @ token(0x6000146)\n  and:\n    format: dotnet\n    or:\n      api: System.Reflection.MethodBase::Invoke @ token(0x6000146)+0x187, token(0x6000146)+0x19B, token(0x6000146)+0x1CB, \ntoken(0x6000146)+0x207, and 6 more...\n    optional:\n      api: System.Type::GetMethod @ token(0x6000146)+0x17F, token(0x6000146)+0x193, 
token(0x6000146)+0x1C3, \ntoken(0x6000146)+0x1F1, and 6 more...\nfunction @ token(0x600027A)\n  and:\n    format: dotnet\n    or:\n      api: System.Reflection.MethodBase::Invoke @ token(0x600027A)+0x2A8\n    optional:\n      api: System.Type::GetMethod @ token(0x600027A)+0x257\n\nload .NET assembly\nnamespace  load-code/dotnet                                \nauthor     anushka.virgaonkar@mandiant.com                 \nscope      function                                        \natt&ck     Defense Evasion::Reflective Code Loading [T1620]\nfunction @ token(0x6000146)\n  or:\n    api: System.Reflection.Assembly::LoadFrom @ token(0x6000146)+0x7A\n\ncompile CSharp in .NET\nnamespace  load-code/dotnet/csharp                                              \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information::Compile After      \n           Delivery [T1027.004]                                                 \nfunction @ token(0x600027A)\n  and:\n    match: compile .NET assembly @ token(0x600027A)\n      or:\n        api: System.CodeDom.Compiler.CodeDomProvider::CompileAssemblyFromSource @ token(0x600027A)+0x138\n    api: Microsoft.CSharp.CSharpCodeProvider::ctor @ token(0x600027A)+0x12\n\npersist via default file association registry key (2 matches)\nnamespace   persistence/registry                                                \nauthor      j.j.vannielen@utwente.nl                                            \nscope       function                                                            \natt&ck      Persistence::Event Triggered Execution::Change Default File         \n            Association [T1546.001]                                             \nreferences  https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/…\n            
https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrator…\nfunction @ token(0x600003E)\n  and:\n    match: set registry value @ token(0x600003E)\n      or:\n        and:\n          optional:\n            match: create or open registry key @ token(0x600003E)\n              or:\n                api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x600003E)+0x1C\n          or:\n            api: Microsoft.Win32.RegistryKey::SetValue @ token(0x600003E)+0x34, token(0x600003E)+0x45\n    or:\n      regex: /\\\\shell\\\\open\\\\command/i\n        - \"Software\\\\Classes\\\\ms-settings\\\\Shell\\\\Open\\\\command\" @ token(0x600003E)+0x10\nfunction @ token(0x600003E)\n  and:\n    match: set registry value @ token(0x600003E)\n      or:\n        and:\n          optional:\n            match: create or open registry key @ token(0x600003E)\n              or:\n                api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x600003E)+0x1C\n          or:\n            api: Microsoft.Win32.RegistryKey::SetValue @ token(0x600003E)+0x34, token(0x600003E)+0x45\n    or:\n      regex: /\\\\shell\\\\open\\\\command/i\n        - \"Software\\\\Classes\\\\ms-settings\\\\Shell\\\\Open\\\\command\" @ token(0x600003E)+0x10\n\npersist via Run registry key\nnamespace  persistence/registry/run                                             \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com                      \nscope      function                                                             \natt&ck     Persistence::Boot or Logon Autostart Execution::Registry Run Keys /  \n           Startup Folder [T1547.001]                                           \nmbc        Persistence::Registry Run Keys / Startup Folder [F0012]              \nfunction @ token(0x6000070)\n  and:\n    or:\n      match: set registry value @ token(0x6000070)\n        or:\n          and:\n            optional:\n              match: create or open registry key @ token(0x6000070)\n                or:\n  
                api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x6000070)+0xA\n            or:\n              api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000070)+0x13\n    or:\n      regex: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run/i\n        - \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" @ token(0x6000070)+0x5\n\nschedule task via schtasks (2 matches)\nnamespace   persistence/scheduled-tasks                                         \nauthor      0x534a@mailbox.org, j.j.vannielen@utwente.nl                        \nscope       function                                                            \natt&ck      Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]         \nreferences  https://learn.microsoft.com/en-us/windows/win32/taskschd/task-sched…\n            https://stmxcsr.com/persistence/scheduled-tasks.html                \nfunction @ token(0x600003A)\n  or:\n    and:\n      match: host-interaction/process/create @ token(0x600003A)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003A)+0x4C, token(0x600003A)+0xCC\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003A)+0x3E, token(0x600003A)+0xBE\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003A)+0x21, token(0x600003A)+0x86\n              property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600003A)+0x37, token(0x600003A)+0xB7\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003A)+0x45, token(0x600003A)+0xC5\n              property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ 
token(0x600003A)+0x53, token(0x600003A)+0xD3\n      or:\n        and:\n          regex: /schtasks/i\n            - \"schtasks.exe\" @ token(0x600003A)+0x1C, token(0x600003A)+0x81\n          or:\n            regex: /\\/create/i\n              - \"/create /tn \\\"\" @ token(0x600003A)+0x94\nfunction @ token(0x600003A)\n  or:\n    and:\n      match: host-interaction/process/create @ token(0x600003A)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003A)+0x4C, token(0x600003A)+0xCC\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003A)+0x3E, token(0x600003A)+0xBE\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003A)+0x21, token(0x600003A)+0x86\n              property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600003A)+0x37, token(0x600003A)+0xB7\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003A)+0x45, token(0x600003A)+0xC5\n              property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600003A)+0x53, token(0x600003A)+0xD3\n      or:\n        and:\n          regex: /schtasks/i\n            - \"schtasks.exe\" @ token(0x600003A)+0x1C, token(0x600003A)+0x81\n          or:\n            regex: /\\/create/i\n              - \"/create /tn \\\"\" @ token(0x600003A)+0x94\n\nunmanaged call (42 matches)\nnamespace    runtime                                                       \nauthor       michael.hunhoff@mandiant.com                                  \nscope        function                                                      \ndescription  managed code calls unmanaged (native) code, often 
seen in .NET\nfunction @ token(0x6000055)\n  or:\n    characteristic: unmanaged call @ token(0x6000055)+0x20, token(0x6000055)+0x8E, token(0x6000055)+0xFF, \ntoken(0x6000055)+0x12A, and 1 more...\nfunction @ token(0x6000063)\n  or:\n    characteristic: unmanaged call @ token(0x6000063)+0x22, token(0x6000063)+0x36, token(0x6000063)+0x3D\nfunction @ token(0x60000A5)\n  or:\n    characteristic: unmanaged call @ token(0x60000A5)+0x3C\nfunction @ token(0x60000A7)\n  or:\n    characteristic: unmanaged call @ token(0x60000A7)+0x16, token(0x60000A7)+0x1C\nfunction @ token(0x60000A8)\n  or:\n    characteristic: unmanaged call @ token(0x60000A8)+0x79\nfunction @ token(0x60000AA)\n  or:\n    characteristic: unmanaged call @ token(0x60000AA)+0xE9, token(0x60000AA)+0xFA\nfunction @ token(0x60000AF)\n  or:\n    characteristic: unmanaged call @ token(0x60000AF)+0x3A, token(0x60000AF)+0x42, token(0x60000AF)+0x51, \ntoken(0x60000AF)+0x66\nfunction @ token(0x60000C2)\n  or:\n    characteristic: unmanaged call @ token(0x60000C2)+0xA, token(0x60000C2)+0x10\nfunction @ token(0x60000C3)\n  or:\n    characteristic: unmanaged call @ token(0x60000C3)+0xA, token(0x60000C3)+0x10\nfunction @ token(0x60000C7)\n  or:\n    characteristic: unmanaged call @ token(0x60000C7)+0x23, token(0x60000C7)+0x4A\nfunction @ token(0x60000C8)\n  or:\n    characteristic: unmanaged call @ token(0x60000C8)+0x23, token(0x60000C8)+0x41\nfunction @ token(0x60000C9)\n  or:\n    characteristic: unmanaged call @ token(0x60000C9)+0xA, token(0x60000C9)+0x1A\nfunction @ token(0x60000CA)\n  or:\n    characteristic: unmanaged call @ token(0x60000CA)+0x9\nfunction @ token(0x60000CB)\n  or:\n    characteristic: unmanaged call @ token(0x60000CB)+0x9\nfunction @ token(0x60000D2)\n  or:\n    characteristic: unmanaged call @ token(0x60000D2)+0xC\nfunction @ token(0x60000D3)\n  or:\n    characteristic: unmanaged call @ token(0x60000D3)+0xC\nfunction @ token(0x60000D4)\n  or:\n    characteristic: unmanaged call @ 
token(0x60000D4)+0x1\nfunction @ token(0x60000D6)\n  or:\n    characteristic: unmanaged call @ token(0x60000D6)+0x13, token(0x60000D6)+0x26\nfunction @ token(0x60000D7)\n  or:\n    characteristic: unmanaged call @ token(0x60000D7)+0x12\nfunction @ token(0x60000DA)\n  or:\n    characteristic: unmanaged call @ token(0x60000DA)+0x3, token(0x60000DA)+0x4D, token(0x60000DA)+0x70\nfunction @ token(0x60000E5)\n  or:\n    characteristic: unmanaged call @ token(0x60000E5)+0x12, token(0x60000E5)+0x3D, token(0x60000E5)+0x5D, \ntoken(0x60000E5)+0x82\nfunction @ token(0x60000ED)\n  or:\n    characteristic: unmanaged call @ token(0x60000ED)+0x31\nfunction @ token(0x60000F4)\n  or:\n    characteristic: unmanaged call @ token(0x60000F4)+0x17\nfunction @ token(0x6000176)\n  or:\n    characteristic: unmanaged call @ token(0x6000176)+0x2\nfunction @ token(0x6000177)\n  or:\n    characteristic: unmanaged call @ token(0x6000177)+0x2, token(0x6000177)+0x31\nfunction @ token(0x6000178)\n  or:\n    characteristic: unmanaged call @ token(0x6000178)+0x2, token(0x6000178)+0x32\nfunction @ token(0x6000179)\n  or:\n    characteristic: unmanaged call @ token(0x6000179)+0x2, token(0x6000179)+0x27\nfunction @ token(0x600017A)\n  or:\n    characteristic: unmanaged call @ token(0x600017A)+0x9, token(0x600017A)+0x17, token(0x600017A)+0x25, \ntoken(0x600017A)+0x39, and 1 more...\nfunction @ token(0x600017B)\n  or:\n    characteristic: unmanaged call @ token(0x600017B)+0xF, token(0x600017B)+0x1A, token(0x600017B)+0x28, \ntoken(0x600017B)+0x36, and 1 more...\nfunction @ token(0x600017C)\n  or:\n    characteristic: unmanaged call @ token(0x600017C)+0x3CB, token(0x600017C)+0x3F6\nfunction @ token(0x60001A0)\n  or:\n    characteristic: unmanaged call @ token(0x60001A0)+0x18\nfunction @ token(0x60001A5)\n  or:\n    characteristic: unmanaged call @ token(0x60001A5)+0x48, token(0x60001A5)+0xF5, token(0x60001A5)+0x158\nfunction @ token(0x60001AD)\n  or:\n    characteristic: unmanaged call @ 
token(0x60001AD)+0x105, token(0x60001AD)+0x37D, token(0x60001AD)+0x39E, \ntoken(0x60001AD)+0x441, and 3 more...\nfunction @ token(0x60001AF)\n  or:\n    characteristic: unmanaged call @ token(0x60001AF)+0x52, token(0x60001AF)+0x7E\nfunction @ token(0x60001B0)\n  or:\n    characteristic: unmanaged call @ token(0x60001B0)+0x70, token(0x60001B0)+0xBB, token(0x60001B0)+0xFC, \ntoken(0x60001B0)+0x1D1, and 2 more...\nfunction @ token(0x60001B5)\n  or:\n    characteristic: unmanaged call @ token(0x60001B5)+0x21, token(0x60001B5)+0x43\nfunction @ token(0x60001B7)\n  or:\n    characteristic: unmanaged call @ token(0x60001B7)+0x20, token(0x60001B7)+0x5A, token(0x60001B7)+0x79, \ntoken(0x60001B7)+0xAD, and 7 more...\nfunction @ token(0x60001BA)\n  or:\n    characteristic: unmanaged call @ token(0x60001BA)+0x0, token(0x60001BA)+0x9, token(0x60001BA)+0x1A, \ntoken(0x60001BA)+0x22, and 2 more...\nfunction @ token(0x60001BB)\n  or:\n    characteristic: unmanaged call @ token(0x60001BB)+0x59, token(0x60001BB)+0x90, token(0x60001BB)+0xD7, \ntoken(0x60001BB)+0xFC, and 7 more...\nfunction @ token(0x60001CA)\n  or:\n    characteristic: unmanaged call @ token(0x60001CA)+0x39, token(0x60001CA)+0xAE, token(0x60001CA)+0xF1, \ntoken(0x60001CA)+0x142, and 5 more...\nfunction @ token(0x60001CB)\n  or:\n    characteristic: unmanaged call @ token(0x60001CB)+0x39, token(0x60001CB)+0xA8, token(0x60001CB)+0xEB, \ntoken(0x60001CB)+0x13C, and 8 more...\nfunction @ token(0x60001CC)\n  or:\n    characteristic: unmanaged call @ token(0x60001CC)+0x29, token(0x60001CC)+0x60, token(0x60001CC)+0x74, \ntoken(0x60001CC)+0x9B, and 7 more...\n\ncompiled to the .NET platform\nnamespace  runtime/dotnet                 \nauthor     william.ballenthin@mandiant.com\nscope      file                           \nor:\n  format: 
dotnet\n\n\n\n"},"hashes":{"md5":"9a5ff998dbf0f6923d0b454d89800fb4","sha1":"4f4fa23e9c503b941a5e91584d6ecc3813962ba1","sha256":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 
1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s 
infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    
<span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 574</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 18525</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"360e6f2\\u2026\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"9a5ff998dbf0f6923d0b454d89800fb4\",\n        \"sha256\": \"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f15\",\n        \"arch\": \"any\",\n        \"os\": \"any\",\n        \"format\": \"dotnet\"\n      }\n    },\n    {\n      \"id\": \"cap_rule_\",\n      \"label\": \"rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Create Registry Key [C0036.004]\",\n        \"Operating\",\n        \"System::Registry::Open Registry Key [C0036.003]\"\n      ]\n    },\n    {\n      \"id\": \"api_Microsoft\",\n      \"label\": \"Microsoft\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_self_delete__3_matches_\",\n      \"label\": \"self delete (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      
\"mitre\": [\n        \"Defense Evasion::Self Deletion::COMSPEC Environment Variable\",\n        \"[F0007.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_System\",\n      \"label\": \"System\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com___mr_tz\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @mr-tz\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Self Deletion::COMSPEC Environment Variable\",\n        \"[F0007.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_geographical_location\",\n      \"label\": \"get geographical location\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery [T1614]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery [T1614]\"\n      ]\n    },\n    {\n      \"id\": \"cap_save_image_in__net\",\n      \"label\": \"save image in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_gather_firefox_profile_information\",\n      \"label\": \"gather firefox profile information\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Credential Access::Credentials from Password 
Stores::Credentials from\",\n        \"Web Browsers [T1555.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______re_fox__still_teamt5_org\",\n      \"label\": \"author     @_re_fox, still@teamt5.org\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Credential Access::Credentials from Password Stores::Credentials from\",\n        \"Web Browsers [T1555.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_sql_statements__2_matches_\",\n      \"label\": \"reference SQL statements (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Data from Information Repositories [T1213]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Data from Information Repositories [T1213]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_wmi_statements\",\n      \"label\": \"reference WMI statements\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Data from Information Repositories [T1213]\"\n      ]\n    },\n    {\n      \"id\": \"cap_log_keystrokes__2_matches_\",\n      \"label\": \"log keystrokes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Input Capture::Keylogging [T1056.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_MapVirtualKey\",\n      \"label\": \"MapVirtualKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com\",\n      
\"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Input Capture::Keylogging [T1056.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_log_keystrokes_via_application_hook\",\n      \"label\": \"log keystrokes via application hook\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Keylogging::Application Hook [F0002.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_SetWindowsHookEx\",\n      \"label\": \"SetWindowsHookEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_log_keystrokes_via_polling__2_matches_\",\n      \"label\": \"log keystrokes via polling (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Keylogging::Polling [F0002.002]\"\n      ]\n    },\n    {\n      \"id\": \"api_VkKeyScan\",\n      \"label\": \"VkKeyScan\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetKeyState\",\n      \"label\": \"GetKeyState\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_mac_address_in__net\",\n      \"label\": \"get MAC address in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_echernofsky_google_com\",\n      \"label\": \"echernofsky@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_capture_screenshot\",\n      \"label\": \"capture screenshot\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      
\"category\": \"\",\n      \"mitre\": [\n        \"Collection::Screen Capture::WinAPI [E1113.m01]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com____re_fox__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Screen Capture::WinAPI [E1113.m01]\"\n      ]\n    },\n    {\n      \"id\": \"cap_receive_data\",\n      \"label\": \"receive data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Receive Data [B0030.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"label\": \"author       william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Receive Data [B0030.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_data\",\n      \"label\": \"send data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Send Data [B0030.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author       william.ballenthin@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Send Data [B0030.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_manipulate_network_credentials_in__net\",\n      \"label\": \"manipulate network credentials in .NET\",\n      \"type\": \"capability\",\n      \"severity\": 
\"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_write_and_execute_a_file__4_matches_\",\n      \"label\": \"write and execute a file (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"launcher\",\n      \"mitre\": [\n        \"Execution::Install Additional Program [B0023]\"\n      ]\n    },\n    {\n      \"id\": \"cap_maec_malware_category__launcher\",\n      \"label\": \"maec/malware-category  launcher\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"launcher\",\n      \"mitre\": [\n        \"Execution::Install Additional Program [B0023]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_http_header\",\n      \"label\": \"read HTTP header\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Read Header [C0002.014]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Read Header [C0002.014]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_http_user_agent_string\",\n      \"label\": \"reference HTTP User-Agent string\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication [C0002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______mr_tz\",\n      \"label\": \"author      @mr-tz\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication [C0002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_http_request\",\n      
\"label\": \"create HTTP request\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Create Request [C0002.012]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_data_from_internet\",\n      \"label\": \"read data from Internet\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Get Response [C0002.017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_receive_http_response\",\n      \"label\": \"receive HTTP response\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Get Response [C0002.017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_http_request\",\n      \"label\": \"send HTTP request\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Send Request [C0002.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Send Request [C0002.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_tcp_socket__3_matches_\",\n      \"label\": \"create TCP socket (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create TCP Socket [C0001.011]\"\n      ]\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com, 
michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create TCP Socket [C0001.011]\"\n      ]\n    },\n    {\n      \"id\": \"cap_act_as_tcp_client\",\n      \"label\": \"act as TCP client\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::TCP Client [C0001.008]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::TCP Client [C0001.008]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_zip_archive_in__net__3_matches_\",\n      \"label\": \"create zip archive in .NET (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_decode_data_using_base64_in__net\",\n      \"label\": \"decode data using Base64 in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Decode Data::Base64 [C0053.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_decode_data_using_base64_via_winapi\",\n      \"label\": \"decode data using Base64 via WinAPI\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Deobfuscate/Decode Files or Information [T1140]\"\n      ]\n    },\n    {\n      \"id\": \"api_CryptStringToBinary\",\n      \"label\": \"CryptStringToBinary\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap_reference_base64_string\",\n      \"label\": \"reference Base64 string\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Encode Data::Base64 [C0026.001]\",\n        \"Data::Check String [C0019]\"\n      ]\n    },\n    {\n      \"id\": \"cap_encrypt_or_decrypt_data_via_bcrypt__2_matches_\",\n      \"label\": \"encrypt or decrypt data via BCrypt (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Decrypt Data [C0031]\",\n        \"Cryptography::Encrypt Data\",\n        \"[C0027]\"\n      ]\n    },\n    {\n      \"id\": \"api_BCryptCloseAlgorithmProvider\",\n      \"label\": \"BCryptCloseAlgorithmProvider\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_BCryptDestroyKey\",\n      \"label\": \"BCryptDestroyKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_BCryptGenerateSymmetricKey\",\n      \"label\": \"BCryptGenerateSymmetricKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_BCryptOpenAlgorithmProvider\",\n      \"label\": \"BCryptOpenAlgorithmProvider\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_BCryptDecrypt\",\n      \"label\": \"BCryptDecrypt\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_encrypt_data_using_dpapi\",\n      \"label\": \"encrypt data using DPAPI\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Encrypt Data [C0027]\"\n      ]\n    },\n    {\n      \"id\": \"api_CryptUnprotectData\",\n      \"label\": \"CryptUnprotectData\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap_generate_random_numbers_in__net\",\n      \"label\": \"generate random numbers in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_contains_pdb_path\",\n      \"label\": \"contains PDB path\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_extract_resource_via_kernel32_functions\",\n      \"label\": \"extract resource via kernel32 functions\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"api_LockResource\",\n      \"label\": \"LockResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindResource\",\n      \"label\": \"FindResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SizeofResource\",\n      \"label\": \"SizeofResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LoadResource\",\n      \"label\": \"LoadResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_check_clipboard_data__2_matches_\",\n      \"label\": \"check clipboard data (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      
]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"cap_monitor_clipboard_content\",\n      \"label\": \"monitor clipboard content\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"api_AddClipboardFormatListener\",\n      \"label\": \"AddClipboardFormatListener\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_read_clipboard_data__2_matches_\",\n      \"label\": \"read clipboard data (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"cap_manipulate_console_buffer__8_matches_\",\n      \"label\": \"manipulate console buffer (8 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Console [C0033]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author      william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      
\"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Console [C0033]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_environment_variable__3_matches_\",\n      \"label\": \"query environment variable (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_drives\",\n      \"label\": \"enumerate drives\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_get_common_file_path__7_matches_\",\n      \"label\": \"get common file path (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_copy_file__7_matches_\",\n      \"label\": \"copy file (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Copy File [C0045]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_directory__8_matches_\",\n      \"label\": \"create directory (8 matches)\",\n      \"type\": 
\"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_directory__2_matches_\",\n      \"label\": \"delete directory (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete Directory [C0048]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_file__12_matches_\",\n      \"label\": \"delete file (12 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_if_directory_exists__15_matches_\",\n      \"label\": \"check if directory exists (15 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [T1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_if_file_exists__22_matches_\",\n      \"label\": \"check if file exists (22 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_files_in__net__6_matches_\",\n      \"label\": \"enumerate files in .NET (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        
\"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_attributes\",\n      \"label\": \"get file attributes\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_size__5_matches_\",\n      \"label\": \"get file size (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_file_attributes__2_matches_\",\n      \"label\": \"set file attributes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Set File Attributes [C0050]\"\n      ]\n    },\n    {\n      \"id\": \"cap_move_file__2_matches_\",\n      \"label\": \"move file (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Move File [C0063]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_file_on_windows__7_matches_\",\n      \"label\": \"read file on Windows (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"api_ReadFile\",\n      \"label\": \"ReadFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n  
  },\n    {\n      \"id\": \"cap_write_file_on_windows__11_matches_\",\n      \"label\": \"write file on Windows (11 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_gui_resources__2_matches_\",\n      \"label\": \"enumerate gui resources (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     johnk3r, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_application_hook__2_matches_\",\n      \"label\": \"set application hook (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"api_UnhookWindowsHookEx\",\n      \"label\": \"UnhookWindowsHookEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_change_the_wallpaper\",\n      \"label\": \"change the wallpaper\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Wallpaper [C0035]\"\n      ]\n    },\n    {\n  
    \"id\": \"api_SystemParametersInfo\",\n      \"label\": \"SystemParametersInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______re_fox\",\n      \"label\": \"author     @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Wallpaper [C0035]\"\n      ]\n    },\n    {\n      \"id\": \"cap_find_taskbar__3_matches_\",\n      \"label\": \"find taskbar (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Taskbar Discovery [B0043]\"\n      ]\n    },\n    {\n      \"id\": \"api_FindWindow\",\n      \"label\": \"FindWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_hide_the_windows_taskbar\",\n      \"label\": \"hide the Windows taskbar\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Hide Artifacts [T1564]\"\n      ]\n    },\n    {\n      \"id\": \"api_ShowWindow\",\n      \"label\": \"ShowWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_find_graphical_window__3_matches_\",\n      \"label\": \"find graphical window (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_hide_graphical_window\",\n      \"label\": \"hide graphical window\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_disk_information\",\n      \"label\": \"get disk information\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_disk_size\",\n      \"label\": \"get disk size\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_allocate_unmanaged_memory_in__net__3_matches_\",\n      \"label\": \"allocate unmanaged memory in .NET (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_manipulate_unmanaged_memory_in__net__14_matches_\",\n      \"label\": \"manipulate unmanaged memory in .NET (14 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_create_or_open_mutex_on_windows\",\n      \"label\": \"create or open mutex on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Mutex [C0042]\"\n      ]\n    },\n    {\n      \"id\": \"cap_mehunhoff_google_com\",\n      \"label\": \"mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Mutex [C0042]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_networking_interfaces\",\n      \"label\": \"get networking interfaces\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Network Configuration Discovery [T1016]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_hostname__2_matches_\",\n      \"label\": \"get hostname (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      
\"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetComputerName\",\n      \"label\": \"GetComputerName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_os_version_in__net\",\n      \"label\": \"get OS version in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_process_image_filename__5_matches_\",\n      \"label\": \"get process image filename (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_create_a_process_with_modified_i_o_handles_and_window__14_matches_\",\n      \"label\": \"create a process with modified I/O handles and window (14 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______matthew_williams_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      matthew.williams@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_process_on_windows__22_matches_\",\n      \"label\": \"create process on Windows (22 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_processes__2_matches_\",\n      \"label\": \"enumerate processes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      
\"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\",\n        \"Discovery::Software Discovery\",\n        \"[T1518]\"\n      ]\n    },\n    {\n      \"id\": \"cap_find_process_by_pid__2_matches_\",\n      \"label\": \"find process by PID (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\"\n      ]\n    },\n    {\n      \"id\": \"cap_find_process_by_name\",\n      \"label\": \"find process by name\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\"\n      ]\n    },\n    {\n      \"id\": \"cap_acquire_debug_privileges\",\n      \"label\": \"acquire debug privileges\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": \"api_AdjustTokenPrivileges\",\n      \"label\": \"AdjustTokenPrivileges\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_modify_access_privileges\",\n      \"label\": \"modify access privileges\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": \"cap_terminate_process__14_matches_\",\n      \"label\": \"terminate process (14 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Process [C0018]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_key__7_matches_\",\n      \"label\": \"query or enumerate registry key (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": 
\"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Key [C0036.005]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_value__2_matches_\",\n      \"label\": \"query or enumerate registry value (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Value [C0036.006]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_registry_value__5_matches_\",\n      \"label\": \"set registry value (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Set Registry Key [C0036.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_registry_key\",\n      \"label\": \"delete registry key\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_registry_value__2_matches_\",\n      \"label\": \"delete registry value (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Value [C0036.007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_session_integrity_level__3_matches_\",\n      \"label\": \"get session integrity level (3 matches)\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_session_user_name__5_matches_\",\n      \"label\": \"get session user name (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\",\n        \"Discovery::Account\",\n        \"Discovery [T1087]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_thread__3_matches_\",\n      \"label\": \"create thread (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"joakim@intezer.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_suspend_thread__9_matches_\",\n      \"label\": \"suspend thread (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Suspend Thread [C0055]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____0x534a_mailbox_org__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     0x534a@mailbox.org, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Suspend Thread [C0055]\"\n      ]\n    },\n    {\n      \"id\": \"cap_access_wmi_data_in__net\",\n      \"label\": \"access WMI data in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": 
[\n        \"Execution::Windows Management Instrumentation [T1047]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_cryptocurrency_strings\",\n      \"label\": \"reference cryptocurrency strings\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::Resource Hijacking [T1496]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::Resource Hijacking [T1496]\"\n      ]\n    },\n    {\n      \"id\": \"cap_disable_system_features_via_registry_on_windows\",\n      \"label\": \"disable system features via registry on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Disable or Evade Security Tools [F0004]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____mehunhoff_google_com\",\n      \"label\": \"author     mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Disable or Evade Security Tools [F0004]\"\n      ]\n    },\n    {\n      \"id\": \"cap__internal___net_file_limitation\",\n      \"label\": \"(internal) .NET file limitation\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author________v1bh475u\",\n      \"label\": \"author       @v1bh475u\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_compile__net_assembly\",\n      \"label\": \"compile .NET assembly\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense 
Evasion::Obfuscated Files or Information::Compile After\",\n        \"Delivery [T1027.004]\"\n      ]\n    },\n    {\n      \"id\": \"cap_invoke__net_assembly_method__2_matches_\",\n      \"label\": \"invoke .NET assembly method (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_load__net_assembly\",\n      \"label\": \"load .NET assembly\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_compile_csharp_in__net\",\n      \"label\": \"compile CSharp in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Obfuscated Files or Information::Compile After\",\n        \"Delivery [T1027.004]\"\n      ]\n    },\n    {\n      \"id\": \"cap_persist_via_default_file_association_registry_key__2_matches_\",\n      \"label\": \"persist via default file association registry key (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Event Triggered Execution::Change Default File\",\n        \"Association [T1546.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______j_j_vannielen_utwente_nl\",\n      \"label\": \"author      j.j.vannielen@utwente.nl\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Event Triggered Execution::Change Default File\",\n        \"Association [T1546.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_persist_via_run_registry_key\",\n      \"label\": \"persist via Run registry key\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Registry Run Keys / Startup Folder [F0012]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Registry Run Keys / Startup Folder [F0012]\"\n      ]\n    },\n    {\n      \"id\": \"cap_schedule_task_via_schtasks__2_matches_\",\n      \"label\": \"schedule task via schtasks (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______0x534a_mailbox_org__j_j_vannielen_utwente_nl\",\n      \"label\": \"author      0x534a@mailbox.org, j.j.vannielen@utwente.nl\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]\"\n      ]\n    },\n    {\n      \"id\": \"cap_unmanaged_call__42_matches_\",\n      \"label\": \"unmanaged call (42 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"label\": \"author       michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": 
\"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_compiled_to_the__net_platform\",\n      \"label\": \"compiled to the .NET platform\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_self_delete__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com___mr_tz\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_geographical_location\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_save_image_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_gather_firefox_profile_information\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox__still_teamt5_org\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_sql_statements__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      
\"target\": \"cap_reference_wmi_statements\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes_via_application_hook\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes_via_polling__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_mac_address_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_echernofsky_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_capture_screenshot\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com____re_fox__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_manipulate_network_credentials_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_and_execute_a_file__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_maec_malware_category__launcher\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_http_header\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_http_user_agent_string\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______mr_tz\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_http_request\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_data_from_internet\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_http_response\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_http_request\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_tcp_socket__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_act_as_tcp_client\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_zip_archive_in__net__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_decode_data_using_base64_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_decode_data_using_base64_via_winapi\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_base64_string\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_encrypt_or_decrypt_data_via_bcrypt__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_encrypt_data_using_dpapi\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_generate_random_numbers_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contains_pdb_path\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_extract_resource_via_kernel32_functions\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n 
     \"source\": \"malware_file\",\n      \"target\": \"cap_check_clipboard_data__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_monitor_clipboard_content\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_clipboard_data__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_manipulate_console_buffer__8_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_environment_variable__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_drives\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_copy_file__7_matches_\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_directory__8_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_directory__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_file__12_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_directory_exists__15_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists__22_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_files_in__net__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_attributes\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_size__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_file_attributes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_move_file__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_file_on_windows__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_file_on_windows__11_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_gui_resources__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_application_hook__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_change_the_wallpaper\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_taskbar__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hide_the_windows_taskbar\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_graphical_window__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hide_graphical_window\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_information\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_size\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n     
 \"source\": \"malware_file\",\n      \"target\": \"cap_allocate_unmanaged_memory_in__net__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_manipulate_unmanaged_memory_in__net__14_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_or_open_mutex_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_networking_interfaces\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_hostname__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_os_version_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_process_image_filename__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_a_process_with_modified_i_o_handles_and_window__14_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______matthew_williams_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_on_windows__22_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_processes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_process_by_pid__2_matches_\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_process_by_name\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_acquire_debug_privileges\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_modify_access_privileges\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_process__14_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_key__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_value__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_registry_value__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_key\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_value__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_session_integrity_level__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_session_user_name__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_thread__3_matches_\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_suspend_thread__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____0x534a_mailbox_org__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_access_wmi_data_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_cryptocurrency_strings\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_disable_system_features_via_registry_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap__internal___net_file_limitation\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author________v1bh475u\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compile__net_assembly\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_invoke__net_assembly_method__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_author_____anushka_virgaonkar_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_load__net_assembly\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compile_csharp_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_persist_via_default_file_association_registry_key__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______j_j_vannielen_utwente_nl\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_persist_via_run_registry_key\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_schedule_task_via_schtasks__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______0x534a_mailbox_org__j_j_vannielen_utwente_nl\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_unmanaged_call__42_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compiled_to_the__net_platform\",\n      \"relationship\": \"exhibits\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-04-23 00:40:18.704360\",\n    
\"total_functions\": \"574\",\n    \"total_features\": \"18525\",\n    \"pdb_path\": \"C:\\\\\\\\Users\\\\\\\\sulum\\\\\\\\OneDrive\\\\\\\\Desktop\\\\\\\\datacenter\\\\\\\\stubCsharp\\\\\\\\obj\\\\\\\\Release\\\\\\\\Clie\\nnt.pdb\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            
.data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n       
     d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) {\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            
svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? \"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-04-23 00:40:20"}
{"_id":{"$oid":"69e9ba7159a6632dae07de1f"},"sha256":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f","analysis_data":{"success":true,"results":{"normal":{"success":true,"path":"/tmp/sdm_capa_91b8xti6/now_you_see_me_again.exe_normal.txt"},"verbose":{"success":true,"path":"/tmp/sdm_capa_91b8xti6/now_you_see_me_again.exe_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_91b8xti6/now_you_see_me_again.exe_very_verbose.txt"}},"outputs":{"normal":"┌──────────┬───────────────────────────────────────────────────────────────────┐\n│ md5      │ 9a5ff998dbf0f6923d0b454d89800fb4                                  │\n│ sha1     │ 4f4fa23e9c503b941a5e91584d6ecc3813962ba1                          │\n│ sha256   │ 360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f  │\n│ analysis │ static                                                            │\n│ os       │ any                                                               │\n│ format   │ dotnet                                                            │\n│ arch     │ any                                                               │\n│ path     │ /home/apogean/projects/malware/windows/all_runs/now_you_see_me_a… │\n└──────────┴───────────────────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ ATT&CK Tactic        ┃ ATT&CK Technique                                      ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ COLLECTION           │ Clipboard Data [T1115]                                │\n│                      │ Data from Information Repositories [T1213]            │\n│                      │ Input Capture::Keylogging [T1056.001]                 │\n│                      │ Screen Capture [T1113]                                │\n│ CREDENTIAL ACCESS    │ Credentials from Password Stores::Credentials from    │\n│                      │ Web Browsers 
[T1555.003]                              │\n│ DEFENSE EVASION      │ Deobfuscate/Decode Files or Information [T1140]       │\n│                      │ File and Directory Permissions Modification [T1222]   │\n│                      │ Hide Artifacts [T1564]                                │\n│                      │ Hide Artifacts::Hidden Window [T1564.003]             │\n│                      │ Impair Defenses::Disable or Modify Tools [T1562.001]  │\n│                      │ Indicator Removal::File Deletion [T1070.004]          │\n│                      │ Modify Registry [T1112]                               │\n│                      │ Obfuscated Files or Information [T1027]               │\n│                      │ Obfuscated Files or Information::Compile After        │\n│                      │ Delivery [T1027.004]                                  │\n│                      │ Reflective Code Loading [T1620]                       │\n│ DISCOVERY            │ Account Discovery [T1087]                             │\n│                      │ Application Window Discovery [T1010]                  │\n│                      │ File and Directory Discovery [T1083]                  │\n│                      │ Process Discovery [T1057]                             │\n│                      │ Query Registry [T1012]                                │\n│                      │ Software Discovery [T1518]                            │\n│                      │ System Information Discovery [T1082]                  │\n│                      │ System Location Discovery [T1614]                     │\n│                      │ System Network Configuration Discovery [T1016]        │\n│                      │ System Owner/User Discovery [T1033]                   │\n│ EXECUTION            │ Windows Management Instrumentation [T1047]            │\n│ IMPACT               │ Resource Hijacking [T1496]                            │\n│ PERSISTENCE          │ Boot or Logon Autostart Execution::Registry 
Run Keys  │\n│                      │ / Startup Folder [T1547.001]                          │\n│                      │ Event Triggered Execution::Change Default File        │\n│                      │ Association [T1546.001]                               │\n│                      │ Scheduled Task/Job::Scheduled Task [T1053.005]        │\n│ PRIVILEGE ESCALATION │ Access Token Manipulation [T1134]                     │\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MAEC Category                                    ┃ MAEC Value                ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ malware-category                                 │ launcher                  │\n└──────────────────────────────────────────────────┴───────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MBC Objective        ┃ MBC Behavior                                          ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ COLLECTION           │ Keylogging::Application Hook [F0002.001]              │\n│                      │ Keylogging::Polling [F0002.002]                       │\n│                      │ Screen Capture::WinAPI [E1113.m01]                    │\n│ COMMAND AND CONTROL  │ C2 Communication::Receive Data [B0030.002]            │\n│                      │ C2 Communication::Send Data [B0030.001]               │\n│ COMMUNICATION        │ HTTP Communication [C0002]                            │\n│                      │ HTTP Communication::Create Request [C0002.012]        │\n│                      │ HTTP Communication::Get Response [C0002.017]          │\n│                      │ HTTP Communication::Read Header [C0002.014]           │\n│                      │ HTTP Communication::Send Request [C0002.003]          │\n│                  
    │ Socket Communication::Create TCP Socket [C0001.011]   │\n│                      │ Socket Communication::TCP Client [C0001.008]          │\n│ CRYPTOGRAPHY         │ Decrypt Data [C0031]                                  │\n│                      │ Encrypt Data [C0027]                                  │\n│                      │ Generate Pseudo-random Sequence::Use API [C0021.003]  │\n│ DATA                 │ Check String [C0019]                                  │\n│                      │ Decode Data::Base64 [C0053.001]                       │\n│                      │ Encode Data::Base64 [C0026.001]                       │\n│ DEFENSE EVASION      │ Disable or Evade Security Tools [F0004]               │\n│                      │ Self Deletion::COMSPEC Environment Variable           │\n│                      │ [F0007.001]                                           │\n│ DISCOVERY            │ File and Directory Discovery [E1083]                  │\n│                      │ System Information Discovery [E1082]                  │\n│                      │ Taskbar Discovery [B0043]                             │\n│ FILE SYSTEM          │ Copy File [C0045]                                     │\n│                      │ Create Directory [C0046]                              │\n│                      │ Delete Directory [C0048]                              │\n│                      │ Delete File [C0047]                                   │\n│                      │ Get File Attributes [C0049]                           │\n│                      │ Move File [C0063]                                     │\n│                      │ Read File [C0051]                                     │\n│                      │ Set File Attributes [C0050]                           │\n│                      │ Writes File [C0052]                                   │\n│ OPERATING SYSTEM     │ Console [C0033]                                       │\n│                      │ Registry::Delete Registry 
Key [C0036.002]             │\n│                      │ Registry::Delete Registry Value [C0036.007]           │\n│                      │ Registry::Query Registry Key [C0036.005]              │\n│                      │ Registry::Query Registry Value [C0036.006]            │\n│                      │ Registry::Set Registry Key [C0036.001]                │\n│                      │ Wallpaper [C0035]                                     │\n│ PERSISTENCE          │ Registry Run Keys / Startup Folder [F0012]            │\n│ PROCESS              │ Create Mutex [C0042]                                  │\n│                      │ Create Process [C0017]                                │\n│                      │ Create Thread [C0038]                                 │\n│                      │ Suspend Thread [C0055]                                │\n│                      │ Terminate Process [C0018]                             │\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Capability                            ┃ Namespace                            ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ self delete (3 matches)               │ anti-analysis/anti-forensic/self-de… │\n│ get geographical location             │ collection                           │\n│ save image in .NET                    │ collection                           │\n│ gather firefox profile information    │ collection/browser                   │\n│ reference SQL statements (2 matches)  │ collection/database/sql              │\n│ reference WMI statements              │ collection/database/wmi              │\n│ log keystrokes (2 matches)            │ collection/keylog                    │\n│ log keystrokes via application hook   │ collection/keylog                    │\n│ log keystrokes via polling (2         │ collection/keylog                    
│\n│ matches)                              │                                      │\n│ get MAC address in .NET               │ collection/network                   │\n│ capture screenshot                    │ collection/screenshot                │\n│ receive data                          │ communication                        │\n│ send data                             │ communication                        │\n│ manipulate network credentials in     │ communication/authentication         │\n│ .NET                                  │                                      │\n│ read HTTP header                      │ communication/http                   │\n│ reference HTTP User-Agent string      │ communication/http                   │\n│ create HTTP request                   │ communication/http/client            │\n│ receive HTTP response                 │ communication/http/client            │\n│ create TCP socket (3 matches)         │ communication/socket/tcp             │\n│ act as TCP client                     │ communication/tcp/client             │\n│ create zip archive in .NET (3         │ data-manipulation/compression        │\n│ matches)                              │                                      │\n│ decode data using Base64 in .NET      │ data-manipulation/encoding/base64    │\n│ decode data using Base64 via WinAPI   │ data-manipulation/encoding/base64    │\n│ reference Base64 string               │ data-manipulation/encoding/base64    │\n│ encrypt or decrypt data via BCrypt (2 │ data-manipulation/encryption         │\n│ matches)                              │                                      │\n│ encrypt data using DPAPI              │ data-manipulation/encryption/dpapi   │\n│ generate random numbers in .NET       │ data-manipulation/prng               │\n│ contains PDB path                     │ executable/pe/pdb                    │\n│ extract resource via kernel32         │ executable/resource                  │\n│ functions                  
           │                                      │\n│ check clipboard data (2 matches)      │ host-interaction/clipboard           │\n│ monitor clipboard content             │ host-interaction/clipboard           │\n│ read clipboard data (2 matches)       │ host-interaction/clipboard           │\n│ manipulate console buffer (8 matches) │ host-interaction/console             │\n│ query environment variable (3         │ host-interaction/environment-variab… │\n│ matches)                              │                                      │\n│ enumerate drives                      │ host-interaction/file-system         │\n│ get common file path (7 matches)      │ host-interaction/file-system         │\n│ copy file (7 matches)                 │ host-interaction/file-system/copy    │\n│ create directory (8 matches)          │ host-interaction/file-system/create  │\n│ delete directory (2 matches)          │ host-interaction/file-system/delete  │\n│ delete file (12 matches)              │ host-interaction/file-system/delete  │\n│ check if directory exists (15         │ host-interaction/file-system/exists  │\n│ matches)                              │                                      │\n│ check if file exists (22 matches)     │ host-interaction/file-system/exists  │\n│ enumerate files in .NET (6 matches)   │ host-interaction/file-system/files/… │\n│ get file attributes                   │ host-interaction/file-system/meta    │\n│ get file size (5 matches)             │ host-interaction/file-system/meta    │\n│ set file attributes (2 matches)       │ host-interaction/file-system/meta    │\n│ move file (2 matches)                 │ host-interaction/file-system/move    │\n│ read file on Windows (7 matches)      │ host-interaction/file-system/read    │\n│ write file on Windows (11 matches)    │ host-interaction/file-system/write   │\n│ enumerate gui resources (2 matches)   │ host-interaction/gui                 │\n│ change the wallpaper                  │ 
host-interaction/gui/session         │\n│ hide the Windows taskbar              │ host-interaction/gui/taskbar/hide    │\n│ get disk information                  │ host-interaction/hardware/storage    │\n│ get disk size                         │ host-interaction/hardware/storage    │\n│ allocate unmanaged memory in .NET (3  │ host-interaction/memory              │\n│ matches)                              │                                      │\n│ manipulate unmanaged memory in .NET   │ host-interaction/memory              │\n│ (14 matches)                          │                                      │\n│ create or open mutex on Windows       │ host-interaction/mutex               │\n│ get networking interfaces             │ host-interaction/network/interface   │\n│ get hostname (2 matches)              │ host-interaction/os/hostname         │\n│ get OS version in .NET                │ host-interaction/os/version          │\n│ get process image filename (5         │ host-interaction/process             │\n│ matches)                              │                                      │\n│ create a process with modified I/O    │ host-interaction/process/create      │\n│ handles and window (14 matches)       │                                      │\n│ create process on Windows (22         │ host-interaction/process/create      │\n│ matches)                              │                                      │\n│ enumerate processes (2 matches)       │ host-interaction/process/list        │\n│ find process by PID (2 matches)       │ host-interaction/process/list        │\n│ find process by name                  │ host-interaction/process/list        │\n│ acquire debug privileges              │ host-interaction/process/modify      │\n│ terminate process (14 matches)        │ host-interaction/process/terminate   │\n│ query or enumerate registry key (7    │ host-interaction/registry            │\n│ matches)                              │                                 
     │\n│ query or enumerate registry value (2  │ host-interaction/registry            │\n│ matches)                              │                                      │\n│ delete registry key                   │ host-interaction/registry/delete     │\n│ delete registry value (2 matches)     │ host-interaction/registry/delete     │\n│ get session integrity level (3        │ host-interaction/session             │\n│ matches)                              │                                      │\n│ get session user name (5 matches)     │ host-interaction/session             │\n│ create thread (3 matches)             │ host-interaction/thread/create       │\n│ suspend thread (9 matches)            │ host-interaction/thread/suspend      │\n│ access WMI data in .NET               │ host-interaction/wmi                 │\n│ reference cryptocurrency strings      │ impact/cryptocurrency                │\n│ disable system features via registry  │ impact/features                      │\n│ on Windows                            │                                      │\n│ invoke .NET assembly method (2        │ load-code/dotnet                     │\n│ matches)                              │                                      │\n│ load .NET assembly                    │ load-code/dotnet                     │\n│ compile CSharp in .NET                │ load-code/dotnet/csharp              │\n│ persist via default file association  │ persistence/registry                 │\n│ registry key (2 matches)              │                                      │\n│ persist via Run registry key          │ persistence/registry/run             │\n│ schedule task via schtasks (2         │ persistence/scheduled-tasks          │\n│ matches)                              │                                      │\n│ unmanaged call (42 matches)           │ runtime                              │\n│ compiled to the .NET platform         │ runtime/dotnet                       
│\n└───────────────────────────────────────┴──────────────────────────────────────┘\n\n","verbose":"md5                     9a5ff998dbf0f6923d0b454d89800fb4                        \nsha1                    4f4fa23e9c503b941a5e91584d6ecc3813962ba1                \nsha256                  360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f15…\npath                    /home/apogean/projects/malware/windows/all_runs/now_you…\ntimestamp               2026-04-29 20:28:51.566739                              \ncapa version            9.2.1                                                   \nos                      any                                                     \nformat                  dotnet                                                  \narch                    any                                                     \nanalysis                static                                                  \nextractor               DnfileFeatureExtractor                                  \nbase address            global                                                  \nrules                   /tmp/_MEIT45nxl/rules                                   \nfunction count          574                                                     \nlibrary function count  0                                                       \ntotal feature count     18525                                                   \n\nself delete (3 matches)\nnamespace  anti-analysis/anti-forensic/self-deletion\nscope      function                                 \nmatches    token(0x6000039)                         \n           token(0x600003E)                         \n           token(0x600003E)                         \n\nget geographical location\nnamespace  collection      \nscope      function        \nmatches    token(0x600004C)\n\nsave image in .NET\nnamespace  collection      \nscope      function        \nmatches    token(0x6000054)\n\ngather firefox profile information\nnamespace  
collection/browser\nscope      function          \nmatches    token(0x60001CC)  \n\nreference SQL statements (2 matches)\nnamespace  collection/database/sql\nscope      function               \nmatches    token(0x6000147)       \n           token(0x600015B)       \n\nreference WMI statements\nnamespace  collection/database/wmi\nscope      function               \nmatches    token(0x600004B)       \n\nlog keystrokes (2 matches)\nnamespace  collection/keylog\nscope      function         \nmatches    token(0x600017A) \n           token(0x600017B) \n\nlog keystrokes via application hook\nnamespace  collection/keylog\nscope      basic block      \nmatches    token(0x60000A7) \n\nlog keystrokes via polling (2 matches)\nnamespace  collection/keylog\nscope      function         \nmatches    token(0x60000AA) \n           token(0x600017C) \n\nget MAC address in .NET\nnamespace  collection/network\nscope      function          \nmatches    token(0x600011C)  \n\ncapture screenshot\nnamespace  collection/screenshot\nscope      function             \nmatches    token(0x6000054)     \n\nreceive data\nnamespace    communication                                                     \ndescription  all known techniques for receiving data from a potential C2 server\nscope        function                                                          \nmatches      token(0x600004C)                                                  \n\nsend data\nnamespace    communication                                                 \ndescription  all known techniques for sending data to a potential C2 server\nscope        function                                                      \nmatches      token(0x60001BF)                                              \n\nmanipulate network credentials in .NET\nnamespace  communication/authentication\nscope      function                    \nmatches    token(0x60001BF)            \n\nread HTTP header\nnamespace  communication/http\nscope      function          
\nmatches    token(0x600004C)  \n\nreference HTTP User-Agent string\nnamespace  communication/http\nscope      function          \nmatches    token(0x600004C)  \n\ncreate HTTP request\nnamespace  communication/http/client\nscope      function                 \nmatches    token(0x60001BF)         \n\nread data from Internet\nnamespace  communication/http/client\nscope      function                 \nmatches    token(0x600004C)         \n\nreceive HTTP response\nnamespace  communication/http/client\nscope      function                 \nmatches    token(0x60001BF)         \n\nsend HTTP request\nnamespace  communication/http/client\nscope      function                 \nmatches    token(0x60001BF)         \n\ncreate TCP socket (3 matches)\nnamespace  communication/socket/tcp\nscope      basic block             \nmatches    token(0x600000C)        \n           token(0x600000E)        \n           token(0x6000014)        \n\nact as TCP client\nnamespace  communication/tcp/client\nscope      function                \nmatches    token(0x600000E)        \n\ncreate zip archive in .NET (3 matches)\nnamespace  data-manipulation/compression\nscope      basic block                  \nmatches    token(0x60000B8)             \n           token(0x60000BB)             \n           token(0x60001BC)             \n\ndecode data using Base64 in .NET\nnamespace  data-manipulation/encoding/base64\nscope      function                         \nmatches    token(0x60001B5)                 \n\ndecode data using Base64 via WinAPI\nnamespace  data-manipulation/encoding/base64\nscope      basic block                      \nmatches    token(0x60001B5)                 \n\nreference Base64 string\nnamespace  data-manipulation/encoding/base64\nscope      file                             \n\nencrypt or decrypt data via BCrypt (2 matches)\nnamespace  data-manipulation/encryption\nscope      function                    \nmatches    token(0x60001AD)            \n           token(0x60001B0)            
\n\nencrypt data using DPAPI\nnamespace  data-manipulation/encryption/dpapi\nscope      function                          \nmatches    token(0x60001AF)                  \n\ngenerate random numbers in .NET\nnamespace  data-manipulation/prng\nscope      function              \nmatches    token(0x600003E)      \n\ncontains PDB path\nnamespace  executable/pe/pdb\nscope      file             \n\nextract resource via kernel32 functions\nnamespace  executable/resource\nscope      function           \nmatches    token(0x60000E5)   \n\ncheck clipboard data (2 matches)\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    token(0x60000EE)          \n           token(0x600024C)          \n\nmonitor clipboard content\nnamespace  host-interaction/clipboard\nscope      basic block               \nmatches    token(0x60000F4)          \n\nread clipboard data (2 matches)\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    token(0x60000EE)          \n           token(0x600024C)          \n\nmanipulate console buffer (8 matches)\nnamespace  host-interaction/console\nscope      function                \nmatches    token(0x6000019)        \n           token(0x6000029)        \n           token(0x6000033)        \n           token(0x6000044)        \n           token(0x600014A)        \n           token(0x600015E)        \n           token(0x6000181)        \n           token(0x6000182)        \n\nquery environment variable (3 matches)\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    token(0x6000095)                     \n           token(0x60001A1)                     \n           token(0x60001AB)                     \n\nenumerate drives\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    token(0x6000093)            \n\nget common file path (7 matches)\nnamespace  host-interaction/file-system\nscope      
function                    \nmatches    token(0x600004E)            \n           token(0x60000B7)            \n           token(0x60000F8)            \n           token(0x60000FA)            \n           token(0x6000146)            \n           token(0x6000149)            \n           token(0x600015D)            \n\ncopy file (7 matches)\nnamespace  host-interaction/file-system/copy\nscope      function                         \nmatches    token(0x60000BC)                 \n           token(0x6000144)                 \n           token(0x6000159)                 \n           token(0x60001A5)                 \n           token(0x60001A6)                 \n           token(0x60001AB)                 \n           token(0x60001BF)                 \n\ncreate directory (8 matches)\nnamespace  host-interaction/file-system/create\nscope      function                           \nmatches    token(0x6000097)                   \n           token(0x6000098)                   \n           token(0x60000B8)                   \n           token(0x60000BB)                   \n           token(0x60000BC)                   \n           token(0x6000144)                   \n           token(0x6000159)                   \n           token(0x60001A0)                   \n\ndelete directory (2 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    token(0x60000B8)                   \n           token(0x60000BB)                   \n\ndelete file (12 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    token(0x60000B8)                   \n           token(0x60000BB)                   \n           token(0x6000144)                   \n           token(0x6000147)                   \n           token(0x6000159)                   \n           token(0x600015B)                   \n           token(0x60001A8)                   \n           token(0x60001A9)                   
\n           token(0x60001AA)                   \n           token(0x60001AB)                   \n           token(0x60001BC)                   \n           token(0x60001BF)                   \n\ncheck if directory exists (15 matches)\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    token(0x600004E)                   \n           token(0x6000095)                   \n           token(0x6000097)                   \n           token(0x6000098)                   \n           token(0x60000B7)                   \n           token(0x60000B8)                   \n           token(0x60000BC)                   \n           token(0x6000144)                   \n           token(0x6000149)                   \n           token(0x6000159)                   \n           token(0x600015D)                   \n           token(0x60001A7)                   \n           token(0x60001A9)                   \n           token(0x60001AB)                   \n           token(0x600021B)                   \n\ncheck if file exists (22 matches)\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    token(0x6000095)                   \n           token(0x6000096)                   \n           token(0x60000D6)                   \n           token(0x60000D7)                   \n           token(0x60000F8)                   \n           token(0x60000FA)                   \n           token(0x6000144)                   \n           token(0x6000146)                   \n           token(0x6000149)                   \n           token(0x6000159)                   \n           token(0x600015D)                   \n           token(0x60001A6)                   \n           token(0x60001A7)                   \n           token(0x60001A8)                   \n           token(0x60001A9)                   \n           token(0x60001AA)                   \n           token(0x60001AB)                   
\n           token(0x60001BC)                   \n           token(0x60001BD)                   \n           token(0x60001BF)                   \n           token(0x600026B)                   \n           token(0x600026F)                   \n\nenumerate files in .NET (6 matches)\nnamespace  host-interaction/file-system/files/list\nscope      function                               \nmatches    token(0x60000BC)                       \n           token(0x6000149)                       \n           token(0x600015D)                       \n           token(0x60001A7)                       \n           token(0x60001A9)                       \n           token(0x60001AB)                       \n\nget file attributes\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    token(0x6000095)                 \n\nget file size (5 matches)\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    token(0x6000095)                 \n           token(0x60001A5)                 \n           token(0x60001A8)                 \n           token(0x60001AA)                 \n           token(0x600026B)                 \n\nset file attributes (2 matches)\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    token(0x600003C)                 \n           token(0x60001BF)                 \n\nmove file (2 matches)\nnamespace  host-interaction/file-system/move\nscope      function                         \nmatches    token(0x6000144)                 \n           token(0x6000159)                 \n\nread file on Windows (7 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    token(0x6000096)                 \n           token(0x60000B8)                 \n           token(0x60000BB)                 \n           token(0x60001A5)                 \n           token(0x60001AC)                 \n     
      token(0x60001AD)                 \n           token(0x60001BD)                 \n\nwrite file on Windows (11 matches)\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    token(0x6000019)                  \n           token(0x6000044)                  \n           token(0x6000097)                  \n           token(0x60000BB)                  \n           token(0x60000DD)                  \n           token(0x6000147)                  \n           token(0x600014A)                  \n           token(0x600015B)                  \n           token(0x600015E)                  \n           token(0x60001A5)                  \n           token(0x60001E8)                  \n\nenumerate gui resources (2 matches)\nnamespace  host-interaction/gui\nscope      function            \nmatches    token(0x600004D)    \n           token(0x6000054)    \n\nset application hook (2 matches)\nnamespace  host-interaction/gui \nscope      instruction          \nmatches    token(0x60000A7)+0x1C\n           token(0x60000AF)+0x66\n\nchange the wallpaper\nnamespace  host-interaction/gui/session\nscope      basic block                 \nmatches    token(0x60000D7)            \n\nfind taskbar (3 matches)\nnamespace  host-interaction/gui/taskbar/find\nscope      basic block                      \nmatches    token(0x60000C2)                 \n           token(0x60000C3)                 \n           token(0x60000C9)                 \n\nhide the Windows taskbar\nnamespace  host-interaction/gui/taskbar/hide\nscope      function                         \nmatches    token(0x60000C2)                 \n\nfind graphical window (3 matches)\nnamespace  host-interaction/gui/window/find\nscope      instruction                     \nmatches    token(0x60000C2)+0xA            \n           token(0x60000C3)+0xA            \n           token(0x60000C9)+0xA            \n\nhide graphical window\nnamespace  host-interaction/gui/window/hide\nscope      basic 
block                     \nmatches    token(0x60000C2)                \n\nget disk information\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    token(0x6000093)                 \n\nget disk size\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    token(0x6000093)                 \n\nallocate unmanaged memory in .NET (3 matches)\nnamespace  host-interaction/memory\nscope      function               \nmatches    token(0x60001AD)       \n           token(0x60001AF)       \n           token(0x60001B0)       \n\nmanipulate unmanaged memory in .NET (14 matches)\nnamespace  host-interaction/memory\nscope      function               \nmatches    token(0x6000055)       \n           token(0x60000A8)       \n           token(0x60000C7)       \n           token(0x60000C8)       \n           token(0x60000D7)       \n           token(0x60000E5)       \n           token(0x60001A5)       \n           token(0x60001AD)       \n           token(0x60001AF)       \n           token(0x60001B0)       \n           token(0x60001BB)       \n           token(0x60001CA)       \n           token(0x60001CB)       \n           token(0x60001CC)       \n\ncreate or open mutex on Windows\nnamespace  host-interaction/mutex\nscope      instruction           \nmatches    token(0x6000033)+0x211\n\nget networking interfaces\nnamespace  host-interaction/network/interface\nscope      function                          \nmatches    token(0x600011C)                  \n\nget hostname (2 matches)\nnamespace  host-interaction/os/hostname\nscope      function                    \nmatches    token(0x6000049)            \n           token(0x60001A0)            \n\nget OS version in .NET\nnamespace  host-interaction/os/version\nscope      basic block                \nmatches    token(0x600004B)           \n\nget process image filename (5 matches)\nnamespace  host-interaction/process\nscope      basic block    
         \nmatches    token(0x6000033)        \n           token(0x600003A)        \n           token(0x600003C)        \n           token(0x600003E)        \n           token(0x60001E8)        \n\ncreate a process with modified I/O handles and window (14 matches)\nnamespace  host-interaction/process/create\nscope      function                       \nmatches    token(0x6000033)               \n           token(0x600003A)               \n           token(0x600003B)               \n           token(0x600003E)               \n           token(0x60000F7)               \n           token(0x600011D)               \n           token(0x600011E)               \n           token(0x6000144)               \n           token(0x6000147)               \n           token(0x6000148)               \n           token(0x6000159)               \n           token(0x600015B)               \n           token(0x600015C)               \n           token(0x60001E8)               \n\ncreate process on Windows (22 matches)\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    token(0x6000033)               \n           token(0x6000039)               \n           token(0x600003A)               \n           token(0x600003B)               \n           token(0x600003E)               \n           token(0x6000099)               \n           token(0x60000D5)               \n           token(0x60000D8)               \n           token(0x60000DB)               \n           token(0x60000DC)               \n           token(0x60000DD)               \n           token(0x60000F7)               \n           token(0x600011D)               \n           token(0x600011E)               \n           token(0x6000144)               \n           token(0x6000147)               \n           token(0x6000148)               \n           token(0x6000159)               \n           token(0x600015B)               \n           token(0x600015C)               \n           
token(0x60001E8)               \n           token(0x6000207)               \n\nenumerate processes (2 matches)\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    token(0x6000060)             \n           token(0x60000D9)             \n\nfind process by PID (2 matches)\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    token(0x6000061)             \n           token(0x6000062)             \n\nfind process by name\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    token(0x60001BB)             \n\nacquire debug privileges\nnamespace  host-interaction/process/modify\nscope      basic block                    \nmatches    token(0x60001BA)               \n\nmodify access privileges\nnamespace  host-interaction/process/modify\nscope      instruction                    \nmatches    token(0x60001BA)+0x59          \n\nterminate process (14 matches)\nnamespace  host-interaction/process/terminate\nscope      function                          \nmatches    token(0x600003A)                  \n           token(0x600003B)                  \n           token(0x6000061)                  \n           token(0x60000F7)                  \n           token(0x600011D)                  \n           token(0x600011E)                  \n           token(0x6000144)                  \n           token(0x6000147)                  \n           token(0x6000148)                  \n           token(0x6000159)                  \n           token(0x600015B)                  \n           token(0x600015C)                  \n           token(0x60001E7)                  \n           token(0x60001E8)                  \n\nquery or enumerate registry key (7 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    token(0x6000039)         \n           token(0x600006F)         \n           token(0x6000071)         \n           
token(0x60000F9)         \n           token(0x6000255)         \n           token(0x6000257)         \n           token(0x6000259)         \n\nquery or enumerate registry value (2 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    token(0x600006F)         \n           token(0x6000255)         \n\nset registry value (5 matches)\nnamespace  host-interaction/registry/create\nscope      function                        \nmatches    token(0x6000039)                \n           token(0x600003E)                \n           token(0x600003E)                \n           token(0x6000070)                \n           token(0x6000257)                \n\ndelete registry key\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    token(0x600003E)                \n\ndelete registry value (2 matches)\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    token(0x6000071)                \n           token(0x6000259)                \n\nget session integrity level (3 matches)\nnamespace  host-interaction/session\nscope      function                \nmatches    token(0x600003D)        \n           token(0x600007A)        \n           token(0x60001B9)        \n\nget session user name (5 matches)\nnamespace  host-interaction/session\nscope      function                \nmatches    token(0x600003D)        \n           token(0x600004A)        \n           token(0x600007A)        \n           token(0x6000149)        \n           token(0x60001B9)        \n\ncreate thread (3 matches)\nnamespace  host-interaction/thread/create\nscope      basic block                   \nmatches    token(0x60000A4)              \n           token(0x60000C4)              \n           token(0x60000EC)              \n\nsuspend thread (9 matches)\nnamespace  host-interaction/thread/suspend\nscope      basic block                    \nmatches    token(0x6000010)               \n    
       token(0x6000011)               \n           token(0x6000033)               \n           token(0x6000035)               \n           token(0x6000037)               \n           token(0x600003E)               \n           token(0x60000DA)               \n           token(0x60001E7)               \n           token(0x6000207)               \n\naccess WMI data in .NET\nnamespace  host-interaction/wmi\nscope      function            \nmatches    token(0x600004B)    \n\nreference cryptocurrency strings\nnamespace  impact/cryptocurrency\nscope      file                 \n\ndisable system features via registry on Windows\nnamespace  impact/features \nscope      function        \nmatches    token(0x6000039)\n\ncompile .NET assembly\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x600027A)\n\ninvoke .NET assembly method (2 matches)\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x6000146)\n           token(0x600027A)\n\nload .NET assembly\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x6000146)\n\ncompile CSharp in .NET\nnamespace  load-code/dotnet/csharp\nscope      function               \nmatches    token(0x600027A)       \n\npersist via default file association registry key (2 matches)\nnamespace  persistence/registry\nscope      function            \nmatches    token(0x600003E)    \n           token(0x600003E)    \n\npersist via Run registry key\nnamespace  persistence/registry/run\nscope      function                \nmatches    token(0x6000070)        \n\nschedule task via schtasks (2 matches)\nnamespace  persistence/scheduled-tasks\nscope      function                   \nmatches    token(0x600003A)           \n           token(0x600003A)           \n\nunmanaged call (42 matches)\nnamespace    runtime                                                       \ndescription  managed code calls unmanaged (native) code, often seen in .NET\nscope        function                      
                                \nmatches      token(0x6000055)                                              \n             token(0x6000063)                                              \n             token(0x60000A5)                                              \n             token(0x60000A7)                                              \n             token(0x60000A8)                                              \n             token(0x60000AA)                                              \n             token(0x60000AF)                                              \n             token(0x60000C2)                                              \n             token(0x60000C3)                                              \n             token(0x60000C7)                                              \n             token(0x60000C8)                                              \n             token(0x60000C9)                                              \n             token(0x60000CA)                                              \n             token(0x60000CB)                                              \n             token(0x60000D2)                                              \n             token(0x60000D3)                                              \n             token(0x60000D4)                                              \n             token(0x60000D6)                                              \n             token(0x60000D7)                                              \n             token(0x60000DA)                                              \n             token(0x60000E5)                                              \n             token(0x60000ED)                                              \n             token(0x60000F4)                                              \n             token(0x6000176)                                              \n             token(0x6000177)                                              \n             token(0x6000178)            
                                  \n             token(0x6000179)                                              \n             token(0x600017A)                                              \n             token(0x600017B)                                              \n             token(0x600017C)                                              \n             token(0x60001A0)                                              \n             token(0x60001A5)                                              \n             token(0x60001AD)                                              \n             token(0x60001AF)                                              \n             token(0x60001B0)                                              \n             token(0x60001B5)                                              \n             token(0x60001B7)                                              \n             token(0x60001BA)                                              \n             token(0x60001BB)                                              \n             token(0x60001CA)                                              \n             token(0x60001CB)                                              \n             token(0x60001CC)                                              \n\ncompiled to the .NET platform\nnamespace  runtime/dotnet\nscope      file          \n\n\n\n","very_verbose":"md5                     9a5ff998dbf0f6923d0b454d89800fb4                        \nsha1                    4f4fa23e9c503b941a5e91584d6ecc3813962ba1                \nsha256                  360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f15…\npath                    /home/apogean/projects/malware/windows/all_runs/now_you…\ntimestamp               2026-04-29 20:28:57.517569                              \ncapa version            9.2.1                                                   \nos                      any                                                     \nformat                  dotnet                 
                                 \narch                    any                                                     \nanalysis                static                                                  \nextractor               DnfileFeatureExtractor                                  \nbase address            global                                                  \nrules                   /tmp/_MEIyVCyhQ/rules                                   \nfunction count          574                                                     \nlibrary function count  0                                                       \ntotal feature count     18525                                                   \n\ncontain loop (library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ token(0x60000BC)\n  or:\n    characteristic: recursive call @ token(0x60000BC)\n\ncreate or open file (library rule)\nauthor  michael.hunhoff@mandiant.com, joakim@intezer.com\nscope   instruction                                     \nmbc     File System::Create File [C0016]                \ninstruction @ token(0x60001A5)+0x48\n  or:\n    api: CreateFile @ token(0x60001A5)+0x48\n\ncreate or open registry key (9 matches, only showing first match of library \nrule)\nauthor  michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope   basic block                                                             \nmbc     Operating System::Registry::Create Registry Key [C0036.004], Operating  \n        System::Registry::Open Registry Key [C0036.003]                         \nbasic block @ token(0x6000039) in function token(0x6000039)\n  or:\n    api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000039)+0x1FE8\n\nopen process (library rule)\nauthor  0x534a@mailbox.org           \nscope   basic block                  \nmbc     Process::Open Process [C0065]\nbasic block @ token(0x60001BB) in function token(0x60001BB)\n  or:\n    api: OpenProcess @ 
token(0x60001BB)+0x59, token(0x60001BB)+0x90\n\nopen thread (library rule)\nauthor  0x534a@mailbox.org          \nscope   basic block                 \nmbc     Process::Open Thread [C0066]\nbasic block @ token(0x6000063) in function token(0x6000063)\n  or:\n    api: OpenThread @ token(0x6000063)+0x22\n\nself delete (3 matches)\nnamespace  anti-analysis/anti-forensic/self-deletion                            \nauthor     michael.hunhoff@mandiant.com, @mr-tz                                 \nscope      function                                                             \natt&ck     Defense Evasion::Indicator Removal::File Deletion [T1070.004]        \nmbc        Defense Evasion::Self Deletion::COMSPEC Environment Variable         \n           [F0007.001]                                                          \nfunction @ token(0x6000039)\n  and:\n    or:\n      match: host-interaction/process/create @ token(0x6000039)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x6000039)+0x1DE1, token(0x6000039)+0x1FD1\n    or:\n      regex: /(^|[\\&;\\|]\\s*)del(\\s.*)?/i\n        - \"delta\" @ token(0x6000039)+0xC4B\nfunction @ token(0x600003E)\n  and:\n    or:\n      match: host-interaction/process/create @ token(0x600003E)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003E)+0x68\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003E)+0x6F\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003E)+0x61\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003E)+0x76\n    or:\n      regex: /(^|[\\&;\\|]\\s*)del(\\s.*)?/i\n        - \"DelegateExecute\" @ 
token(0x600003E)+0x3A\nfunction @ token(0x600003E)\n  and:\n    or:\n      match: host-interaction/process/create @ token(0x600003E)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003E)+0x68\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003E)+0x6F\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003E)+0x61\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003E)+0x76\n    or:\n      regex: /(^|[\\&;\\|]\\s*)del(\\s.*)?/i\n        - \"DelegateExecute\" @ token(0x600003E)+0x3A\n\nget geographical location\nnamespace  collection                                  \nauthor     moritz.raabe, michael.hunhoff@mandiant.com  \nscope      function                                    \natt&ck     Discovery::System Location Discovery [T1614]\nfunction @ token(0x600004C)\n  or:\n    regex: /countrycode/i\n      - \"\\\"countryCode\\\":\\\"\" @ token(0x600004C)+0x28\n      - \"http://ip-api.com/json/?fields=countryCode\" @ token(0x600004C)+0x1C\n\nsave image in .NET\nnamespace  collection                  \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x6000054)\n  and:\n    api: System.Drawing.Image::Save @ token(0x6000054)+0x1D6\n\ngather firefox profile information\nnamespace  collection/browser                                                   \nauthor     @_re_fox, still@teamt5.org                                           \nscope      function                                                             \natt&ck     Credential Access::Credentials from Password Stores::Credentials from\n           Web Browsers [T1555.003]                    
                         \nfunction @ token(0x60001CC)\n  and:\n    2 or more:\n      regex: /SELECT\\s+{5,}FROM moz_(logins|cookies)/i\n        - \"SELECT host, name, value, path, isSecure, expiry FROM moz_cookies\" @ token(0x60001CC)+0x38\n      regex: /FROM moz_(logins|cookies)/i\n        - \"SELECT host, name, value, path, isSecure, expiry FROM moz_cookies\" @ token(0x60001CC)+0x38\n\nreference SQL statements (2 matches)\nnamespace  collection/database/sql                               \nauthor     william.ballenthin@mandiant.com                       \nscope      function                                              \natt&ck     Collection::Data from Information Repositories [T1213]\nfunction @ token(0x6000147)\n  and:\n    regex: /SELECT.*FROM.*WHERE/\n      - \"'\\r\\n    if not os.path.exists(db_path):\\r\\n        print('ERROR:Database file \nnot found: ' + db_path)\\r\\n        sys.exit(1)\\r\\n    \\r\\n    # Check file \nsize\\r\\n    file_size = os.path.getsize(db_path)\\r\\n    if file_size == 0:\\r\\n  \nprint('ERROR:Database file is empty')\\r\\n        sys.exit(1)\\r\\n    \\r\\n    conn\n= sqlite3.connect(db_path)\\r\\n    conn.row_factory = sqlite3.Row\\r\\n    cursor =\nconn.cursor()\\r\\n    \\r\\n    # First, check if urls table exists\\r\\n    \ncursor.execute(\\\"SELECT name FROM sqlite_master WHERE type='table' AND \nname='urls'\\\")\\r\\n    table_exists = cursor.fetchone()\\r\\n    \\r\\n    if not \ntable_exists:\\r\\n        print('ERROR:urls table does not exist in \ndatabase')\\r\\n        # List available tables for debugging\\r\\n        \ncursor.execute(\\\"SELECT name FROM sqlite_master WHERE type='table'\\\")\\r\\n       \ntables = cursor.fetchall()\\r\\n        if tables:\\r\\n            table_names = ',\n'.join([t[0] for t in tables])\\r\\n            print('ERROR:Available tables: ' +\ntable_names)\\r\\n        conn.close()\\r\\n        sys.exit(1)\\r\\n    \\r\\n    # Try\nto query the urls table\\r\\n    try:\\r\\n        # 
Check if columns exist\\r\\n     \ncursor.execute(\\\"PRAGMA table_info(urls)\\\")\\r\\n        columns = [row[1] for row\nin cursor.fetchall()]\\r\\n        required_columns = ['url', 'title', \n'visit_count', 'last_visit_time']\\r\\n        missing_columns = \\r\\n        \\r\\n \nif missing_columns:\\r\\n            print('ERROR:Missing columns: ' + ', \n'.join(missing_columns))\\r\\n            print('ERROR:Available columns: ' + ', \n'.join(columns))\\r\\n            conn.close()\\r\\n            sys.exit(1)\\r\\n     \n\\r\\n        cursor.execute('SELECT url, title, visit_count, last_visit_time FROM\nurls ORDER BY last_visit_time DESC LIMIT 1000')\\r\\n        rows = \ncursor.fetchall()\\r\\n        \\r\\n        if len(rows) == 0:\\r\\n            \nprint('ERROR:No rows found in urls table')\\r\\n            conn.close()\\r\\n      \nsys.exit(1)\\r\\n        \\r\\n        for row in rows:\\r\\n            url = \nrow['url'] if row['url'] else ''\\r\\n            title = row['title'] if \nrow['title'] else ''\\r\\n            visit_count = int(row['visit_count']) if \nrow['visit_count'] is not None else 0\\r\\n            last_visit = \nint(row['last_visit_time']) if row['last_visit_time'] is not None else 0\\r\\n    \n# Escape pipe characters in URL/title\\r\\n            url = url.replace('|', \n'{PIPE}')\\r\\n            title = title.replace('|', '{PIPE}')\\r\\n            \nprint(f'{url}|{title}|{visit_count}|{last_visit}')\\r\\n    except \nsqlite3.OperationalError as e:\\r\\n        print(f'ERROR:SQL error: \n{str(e)}')\\r\\n        conn.close()\\r\\n        sys.exit(1)\\r\\n    except \nException as e:\\r\\n        print(f'ERROR:Query error: {str(e)}')\\r\\n        \nconn.close()\\r\\n        sys.exit(1)\\r\\n    \\r\\n    conn.close()\\r\\nexcept \nException as e:\\r\\n    print(f'ERROR:{str(e)}')\\r\\n    import traceback\\r\\n    \nprint('ERROR:Traceback: ' + traceback.format_exc())\\r\\n    sys.exit(1)\\r\\n\" @ token(0x6000147)+0x26\nfunction @ 
token(0x600015B)\n  and:\n    regex: /SELECT.*FROM.*WHERE/\n      - \"'\\r\\n    if not os.path.exists(db_path):\\r\\n        print('ERROR:Database file \nnot found')\\r\\n        sys.exit(1)\\r\\n    \\r\\n    conn = \nsqlite3.connect(db_path)\\r\\n    conn.row_factory = sqlite3.Row\\r\\n    cursor = \nconn.cursor()\\r\\n    \\r\\n    # Check if autofill table exists\\r\\n    \ncursor.execute(\\\"SELECT name FROM sqlite_master WHERE type='table' AND \nname='autofill'\\\")\\r\\n    if not cursor.fetchone():\\r\\n        \nprint('ERROR:autofill table does not exist')\\r\\n        conn.close()\\r\\n        \nsys.exit(1)\\r\\n    \\r\\n    # Query autofill data\\r\\n    cursor.execute('SELECT \nname, value, date_created, date_last_used, count FROM autofill ORDER BY \ndate_last_used DESC LIMIT 500')\\r\\n    rows = cursor.fetchall()\\r\\n    \\r\\n    \nfor row in rows:\\r\\n        name = row['name'] if row['name'] else ''\\r\\n       \nvalue = row['value'] if row['value'] else ''\\r\\n        date_created = \nrow['date_created'] if row['date_created'] else 0\\r\\n        date_last_used = \nrow['date_last_used'] if row['date_last_used'] else 0\\r\\n        count = \nrow['count'] if row['count'] else 0\\r\\n        name = name.replace('|', \n'{PIPE}')\\r\\n        value = value.replace('|', '{PIPE}')\\r\\n        \nprint(f'{name}|{value}|{date_created}|{date_last_used}|{count}')\\r\\n    \\r\\n    \nconn.close()\\r\\nexcept Exception as e:\\r\\n    print(f'ERROR:{str(e)}')\\r\\n    \nimport traceback\\r\\n    print('ERROR:Traceback: ' + traceback.format_exc())\\r\\n \nsys.exit(1)\\r\\n\" @ token(0x600015B)+0x1B\n\nreference WMI statements\nnamespace  collection/database/wmi                               \nauthor     michael.hunhoff@mandiant.com                          \nscope      function                                              \natt&ck     Collection::Data from Information Repositories [T1213]\nfunction @ token(0x600004B)\n  or:\n    regex: 
/SELECT\\s+\\*\\s+FROM\\s+Win32_./\n      - \"SELECT * FROM Win32_OperatingSystem\" @ token(0x600004B)+0x0\n\nlog keystrokes (2 matches)\nnamespace  collection/keylog                                \nauthor     moritz.raabe@mandiant.com                        \nscope      function                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]\nfunction @ token(0x600017A)\n  or:\n    api: MapVirtualKey @ token(0x600017A)+0x39\nfunction @ token(0x600017B)\n  or:\n    api: MapVirtualKey @ token(0x600017B)+0xF\n\nlog keystrokes via application hook\nnamespace  collection/keylog                                   \nauthor     michael.hunhoff@mandiant.com                        \nscope      basic block                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]   \nmbc        Collection::Keylogging::Application Hook [F0002.001]\nbasic block @ token(0x60000A7) in function token(0x60000A7)\n  and:\n    match: set application hook @ token(0x60000A7)+0x1C\n      or:\n        api: SetWindowsHookEx @ token(0x60000A7)+0x1C\n    or:\n      number: 0xD = WH_KEYBOARD_LL @ token(0x60000A7)+0xD\n\nlog keystrokes via polling (2 matches)\nnamespace  collection/keylog                                \nauthor     michael.hunhoff@mandiant.com                     \nscope      function                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]\nmbc        Collection::Keylogging::Polling [F0002.002]      \nfunction @ token(0x60000AA)\n  or:\n    api: GetKeyState @ token(0x60000AA)+0xE9, token(0x60000AA)+0xFA\nfunction @ token(0x600017C)\n  or:\n    api: VkKeyScan @ token(0x600017C)+0x3CB, token(0x600017C)+0x3F6\n\nget MAC address in .NET\nnamespace  collection/network                                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           echernofsky@google.com                                     
          \nscope      function                                                             \natt&ck     Discovery::System Information Discovery [T1082]                      \nfunction @ token(0x600011C)\n  or:\n    api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress @ token(0x600011C)+0x150\n\ncapture screenshot\nnamespace  collection/screenshot                                            \nauthor     moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com\nscope      function                                                         \natt&ck     Collection::Screen Capture [T1113]                               \nmbc        Collection::Screen Capture::WinAPI [E1113.m01]                   \nfunction @ token(0x6000054)\n  or:\n    api: System.Drawing.Graphics::CopyFromScreen @ token(0x6000054)+0xC7, token(0x6000054)+0x133\n\nreceive data\nnamespace    communication                                                     \nauthor       william.ballenthin@mandiant.com                                   \nscope        function                                                          \nmbc          Command and Control::C2 Communication::Receive Data [B0030.002]   \ndescription  all known techniques for receiving data from a potential C2 server\nfunction @ token(0x600004C)\n  or:\n    match: read data from Internet @ token(0x600004C)\n      and:\n        or:\n          api: System.Net.WebClient::DownloadString @ token(0x600004C)+0x21\n\nsend data\nnamespace    communication                                                 \nauthor       william.ballenthin@mandiant.com, joakim@intezer.com           \nscope        function                                                      \nmbc          Command and Control::C2 Communication::Send Data [B0030.001]  \ndescription  all known techniques for sending data to a potential C2 server\nfunction @ token(0x60001BF)\n  or:\n    and:\n      os: windows\n      or:\n        match: send HTTP request @ 
token(0x60001BF)\n          or:\n            api: System.Net.WebRequest::GetResponse @ token(0x60001BF)+0x97\n\nmanipulate network credentials in .NET\nnamespace  communication/authentication\nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x60001BF)\n  and:\n    api: System.Net.NetworkCredential::ctor @ token(0x60001BF)+0x7F\n\nwrite and execute a file (4 matches)\nnamespace              communication/c2/file-transfer               \nmaec/malware-category  launcher                                     \nauthor                 moritz.raabe@mandiant.com                    \nscope                  function                                     \nmbc                    Execution::Install Additional Program [B0023]\nfunction @ token(0x60000DD)\n  and:\n    match: host-interaction/file-system/write @ token(0x60000DD)\n      or:\n        api: System.IO.File::WriteAllText @ token(0x60000DD)+0x2A\n    match: host-interaction/process/create @ token(0x60000DD)\n      or:\n        api: System.Diagnostics.Process::Start @ token(0x60000DD)+0x35\nfunction @ token(0x6000147)\n  and:\n    match: host-interaction/file-system/write @ token(0x6000147)\n      or:\n        api: System.IO.File::WriteAllText @ token(0x6000147)+0x72\n    match: host-interaction/process/create @ token(0x6000147)\n      or:\n        api: System.Diagnostics.Process::Start @ token(0x6000147)+0x100\n      or:\n        and:\n          api: System.Diagnostics.Process::Start @ token(0x6000147)+0x100\n          or:\n            property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000147)+0xD6\n            property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000147)+0xF2\n            property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000147)+0xB9\n            property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000147)+0xCF\n            property/write: 
System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000147)+0xEB\n            property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000147)+0xDD\n            property/read: System.Diagnostics.Process::StandardOutput @ token(0x6000147)+0x108\nfunction @ token(0x600015B)\n  and:\n    match: host-interaction/file-system/write @ token(0x600015B)\n      or:\n        api: System.IO.File::WriteAllText @ token(0x600015B)+0x47\n    match: host-interaction/process/create @ token(0x600015B)\n      or:\n        api: System.Diagnostics.Process::Start @ token(0x600015B)+0xCB\n      or:\n        and:\n          api: System.Diagnostics.Process::Start @ token(0x600015B)+0xCB\n          or:\n            property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600015B)+0xA4\n            property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600015B)+0xC0\n            property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600015B)+0x87\n            property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600015B)+0x9D\n            property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600015B)+0xB9\n            property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600015B)+0xAB\n            property/read: System.Diagnostics.Process::StandardOutput @ token(0x600015B)+0xD2\nfunction @ token(0x60001E8)\n  and:\n    match: host-interaction/file-system/write @ token(0x60001E8)\n      or:\n        api: System.IO.File::WriteAllText @ token(0x60001E8)+0x6D\n    match: host-interaction/process/create @ token(0x60001E8)\n      or:\n        api: System.Diagnostics.Process::Start @ token(0x60001E8)+0x8C\n      or:\n        and:\n          api: System.Diagnostics.Process::Start @ token(0x60001E8)+0x8C\n          or:\n            property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x60001E8)+0x80\n          
  property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x60001E8)+0x79\n            property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x60001E8)+0x87\n\nread HTTP header\nnamespace  communication/http                                           \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Read Header [C0002.014]   \nfunction @ token(0x600004C)\n  or:\n    property/read: System.Net.WebClient::Headers @ token(0x600004C)+0x7\n\nreference HTTP User-Agent string\nnamespace   communication/http                                                  \nauthor      @mr-tz                                                              \nscope       function                                                            \nmbc         Communication::HTTP Communication [C0002]                           \nreferences  https://www.useragents.me/,                                         \n            https://www.whatismybrowser.com/guides/the-latest-user-agent/       \nfunction @ token(0x600004C)\n  or:\n    substring: Mozilla/5.0\n      - \"Mozilla/5.0\" @ token(0x600004C)+0x11\n\ncreate HTTP request\nnamespace  communication/http/client                                    \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Create Request [C0002.012]\nfunction @ token(0x60001BF)\n  and:\n    or:\n      api: System.Net.WebRequest::Create @ token(0x60001BF)+0x5F\n\nread data from Internet\nnamespace  communication/http/client                                    \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Get Response 
[C0002.017]  \nfunction @ token(0x600004C)\n  and:\n    or:\n      api: System.Net.WebClient::DownloadString @ token(0x600004C)+0x21\n\nreceive HTTP response\nnamespace  communication/http/client                                  \nauthor     michael.hunhoff@mandiant.com                               \nscope      function                                                   \nmbc        Communication::HTTP Communication::Get Response [C0002.017]\nfunction @ token(0x60001BF)\n  or:\n    api: System.Net.WebRequest::GetResponse @ token(0x60001BF)+0x97\n\nsend HTTP request\nnamespace  communication/http/client                                  \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com    \nscope      function                                                   \nmbc        Communication::HTTP Communication::Send Request [C0002.003]\nfunction @ token(0x60001BF)\n  or:\n    api: System.Net.WebRequest::GetResponse @ token(0x60001BF)+0x97\n\ncreate TCP socket (3 matches)\nnamespace   communication/socket/tcp                                            \nauthor      william.ballenthin@mandiant.com, joakim@intezer.com,                \n            anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com       \nscope       basic block                                                         \nmbc         Communication::Socket Communication::Create TCP Socket [C0001.011]  \nreferences  https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-win…\n            https://man7.org/linux/man-pages/man2/socket.2.html                 \nbasic block @ token(0x600000C) in function token(0x600000C)\n  or:\n    property/read: System.Net.Sockets.TcpClient::Client @ token(0x600000C)+0x34, token(0x600000C)+0x41, token(0x600000C)+0x53\nbasic block @ token(0x600000E) in function token(0x600000E)\n  or:\n    property/read: System.Net.Sockets.TcpClient::Client @ token(0x600000E)+0x63, token(0x600000E)+0x70, token(0x600000E)+0xBE, \ntoken(0x600000E)+0xD7\nbasic block 
@ token(0x6000014) in function token(0x6000014)\n  or:\n    property/read: System.Net.Sockets.TcpClient::Client @ token(0x6000014)+0x34, token(0x6000014)+0x41\n\nact as TCP client\nnamespace  communication/tcp/client                                     \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                                     \nmbc        Communication::Socket Communication::TCP Client [C0001.008]  \nfunction @ token(0x600000E)\n  or:\n    api: System.Net.Sockets.TcpClient::ctor @ token(0x600000E)+0x7\n\ncreate zip archive in .NET (3 matches)\nnamespace  data-manipulation/compression\nauthor     michael.hunhoff@mandiant.com \nscope      basic block                  \nbasic block @ token(0x60000B8) in function token(0x60000B8)\n  and:\n    or:\n      api: System.IO.Compression.ZipFile::CreateFromDirectory @ token(0x60000B8)+0x14A\nbasic block @ token(0x60000BB) in function token(0x60000BB)\n  and:\n    or:\n      api: System.IO.Compression.ZipFile::CreateFromDirectory @ token(0x60000BB)+0x79\nbasic block @ token(0x60001BC) in function token(0x60001BC)\n  and:\n    or:\n      api: System.IO.Compression.ZipFile::CreateFromDirectory @ token(0x60001BC)+0x3F\n\ndecode data using Base64 in .NET\nnamespace  data-manipulation/encoding/base64                               \nauthor     michael.hunhoff@mandiant.com                                    \nscope      function                                                        \natt&ck     Defense Evasion::Deobfuscate/Decode Files or Information [T1140]\nmbc        Data::Decode Data::Base64 [C0053.001]                           \nfunction @ token(0x60001B5)\n  or:\n    api: System.Convert::FromBase64String @ token(0x60001B5)+0x1\n\ndecode data using Base64 via WinAPI\nnamespace  data-manipulation/encoding/base64                               \nauthor     michael.hunhoff@mandiant.com                                    \nscope      basic block                 
                                    \natt&ck     Defense Evasion::Deobfuscate/Decode Files or Information [T1140]\nbasic block @ token(0x60001B5) in function token(0x60001B5)\n  and:\n    api: CryptStringToBinary @ token(0x60001B5)+0x21, token(0x60001B5)+0x43\n    or:\n      number: 0x1 = dwFlags=CRYPT_STRING_BASE64 @ token(0x60001B5)+0x13, token(0x60001B5)+0x35\n\nreference Base64 string\nnamespace  data-manipulation/encoding/base64                                \nauthor     moritz.raabe@mandiant.com                                        \nscope      file                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]         \nmbc        Data::Encode Data::Base64 [C0026.001], Data::Check String [C0019]\nregex: /ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\n  - \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\" @ file+0x254AC\n\nencrypt or decrypt data via BCrypt (2 matches)\nnamespace  data-manipulation/encryption                                         \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        Cryptography::Decrypt Data [C0031], Cryptography::Encrypt Data       \n           [C0027]                                                              \nfunction @ token(0x60001AD)\n  and:\n    or:\n      api: BCryptDecrypt @ token(0x60001AD)+0x441\n    optional:\n      api: BCryptOpenAlgorithmProvider @ token(0x60001AD)+0x37D\n      api: BCryptCloseAlgorithmProvider @ token(0x60001AD)+0x4B1\n      api: BCryptGenerateSymmetricKey @ token(0x60001AD)+0x39E\n      api: BCryptDestroyKey @ token(0x60001AD)+0x49A\nfunction @ token(0x60001B0)\n  and:\n    or:\n      api: BCryptDecrypt @ token(0x60001B0)+0x1D1\n    optional:\n      api: BCryptOpenAlgorithmProvider 
@ token(0x60001B0)+0x70\n      api: BCryptCloseAlgorithmProvider @ token(0x60001B0)+0x280\n      api: BCryptGenerateSymmetricKey @ token(0x60001B0)+0xFC\n      api: BCryptDestroyKey @ token(0x60001B0)+0x26B\n\nencrypt data using DPAPI\nnamespace  data-manipulation/encryption/dpapi                           \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                                     \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]     \nmbc        Cryptography::Encrypt Data [C0027]                           \nfunction @ token(0x60001AF)\n  or:\n    api: CryptUnprotectData @ token(0x60001AF)+0x52\n\ngenerate random numbers in .NET\nnamespace  data-manipulation/prng                                            \nauthor     anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com     \nscope      function                                                          \nmbc        Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\nfunction @ token(0x600003E)\n  or:\n    api: System.Random::Next @ token(0x600003E)+0x90\n\ncontains PDB path\nnamespace  executable/pe/pdb        \nauthor     moritz.raabe@mandiant.com\nscope      file                     \nregex: /:\\\\.*\\.pdb/\n  - \"C:\\\\Users\\\\sulum\\\\OneDrive\\\\Desktop\\\\datacenter\\\\stubCsharp\\\\obj\\\\Release\\\\Clie\nnt.pdb\" @ file+0x370BC\n\nextract resource via kernel32 functions\nnamespace  executable/resource            \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ token(0x60000E5)\n  or:\n    and:\n      or:\n        api: LoadResource @ token(0x60000E5)+0x3D\n        api: LockResource @ token(0x60000E5)+0x5D\n      optional:\n        or:\n          api: FindResource @ token(0x60000E5)+0x12\n        api: SizeofResource @ token(0x60000E5)+0x82\n\ncheck clipboard data (2 matches)\nnamespace  host-interaction/clipboard        \nauthor     
anushka.virgaonkar@mandiant.com   \nscope      function                          \natt&ck     Collection::Clipboard Data [T1115]\nfunction @ token(0x60000EE)\n  or:\n    api: System.Windows.Forms.Clipboard::ContainsText @ token(0x60000EE)+0x10\nfunction @ token(0x600024C)\n  or:\n    api: System.Windows.Forms.Clipboard::ContainsText @ token(0x600024C)+0xA5, token(0x600024C)+0xB4\n\nmonitor clipboard content\nnamespace  host-interaction/clipboard        \nauthor     michael.hunhoff@mandiant.com      \nscope      basic block                       \natt&ck     Collection::Clipboard Data [T1115]\nbasic block @ token(0x60000F4) in function token(0x60000F4)\n  and:\n    api: AddClipboardFormatListener @ token(0x60000F4)+0x17\n\nread clipboard data (2 matches)\nnamespace   host-interaction/clipboard                                          \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Collection::Clipboard Data [T1115]                                  \nreferences  https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-…\nfunction @ token(0x60000EE)\n  and:\n    or:\n      api: System.Windows.Forms.Clipboard::GetText @ token(0x60000EE)+0x17\nfunction @ token(0x600024C)\n  and:\n    or:\n      api: System.Windows.Forms.Clipboard::GetText @ token(0x600024C)+0xAC, token(0x600024C)+0xBB\n\nmanipulate console buffer (8 matches)\nnamespace   host-interaction/console                                     \nauthor      william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\nscope       function                                                     \nmbc         Operating System::Console [C0033]                            \nreferences  https://stackoverflow.com/a/15770935/87207                   \nfunction @ token(0x6000019)\n  or:\n    api: System.Console::WriteLine @ token(0x6000019)+0x21, token(0x6000019)+0x58\nfunction @ 
token(0x6000029)\n  or:\n    api: System.Console::WriteLine @ token(0x6000029)+0x1F\nfunction @ token(0x6000033)\n  or:\n    api: System.Console::WriteLine @ token(0x6000033)+0x19, token(0x6000033)+0x7B, token(0x6000033)+0x9B, \ntoken(0x6000033)+0xBF, and 6 more...\nfunction @ token(0x6000044)\n  or:\n    api: System.Console::WriteLine @ token(0x6000044)+0x21, token(0x6000044)+0x58\nfunction @ token(0x600014A)\n  or:\n    api: System.Console::WriteLine @ token(0x600014A)+0x21\nfunction @ token(0x600015E)\n  or:\n    api: System.Console::WriteLine @ token(0x600015E)+0x21\nfunction @ token(0x6000181)\n  or:\n    api: System.Console::WriteLine @ token(0x6000181)+0x79\nfunction @ token(0x6000182)\n  or:\n    api: System.Console::WriteLine @ token(0x6000182)+0x8, token(0x6000182)+0x2B\n\nquery environment variable (3 matches)\nnamespace  host-interaction/environment-variable          \nauthor     michael.hunhoff@mandiant.com, @_re_fox         \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ token(0x6000095)\n  or:\n    api: System.Environment::ExpandEnvironmentVariables @ token(0x6000095)+0x17\nfunction @ token(0x60001A1)\n  or:\n    api: System.Environment::GetEnvironmentVariable @ token(0x60001A1)+0x28, token(0x60001A1)+0x33, token(0x60001A1)+0x3E\nfunction @ token(0x60001AB)\n  or:\n    api: System.Environment::GetEnvironmentVariable @ token(0x60001AB)+0xF\n\nenumerate drives\nnamespace  host-interaction/file-system\nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x6000093)\n  or:\n    api: System.IO.DriveInfo::GetDrives @ token(0x6000093)+0x6\n\nget common file path (7 matches)\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           
anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ token(0x600004E)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x600004E)+0xA, token(0x600004E)+0x1E, token(0x600004E)+0x32, \ntoken(0x600004E)+0x46\nfunction @ token(0x60000B7)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x60000B7)+0x8, token(0x60000B7)+0x10\nfunction @ token(0x60000F8)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x60000F8)+0x10, token(0x60000F8)+0x90\nfunction @ token(0x60000FA)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x60000FA)+0x8\nfunction @ token(0x6000146)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x6000146)+0x10, token(0x6000146)+0x29, token(0x6000146)+0x42\nfunction @ token(0x6000149)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x6000149)+0x8, token(0x6000149)+0x10\nfunction @ token(0x600015D)\n  or:\n    api: System.Environment::GetFolderPath @ token(0x600015D)+0x8, token(0x600015D)+0x10\n\ncopy file (7 matches)\nnamespace  host-interaction/file-system/copy                      \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Copy File [C0045]                         \nfunction @ token(0x60000BC)\n  or:\n    api: System.IO.File::Copy @ token(0x60000BC)+0x2C\nfunction @ token(0x6000144)\n  or:\n    api: System.IO.File::Copy @ token(0x6000144)+0xC7\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.File::Copy @ token(0x6000159)+0xA3\nfunction @ token(0x60001A5)\n  or:\n    api: System.IO.File::Copy @ token(0x60001A5)+0x92\nfunction @ token(0x60001A6)\n  or:\n    api: System.IO.File::Copy @ 
token(0x60001A6)+0x2D, token(0x60001A6)+0x5F\nfunction @ token(0x60001AB)\n  or:\n    api: System.IO.File::Copy @ token(0x60001AB)+0x81\nfunction @ token(0x60001BF)\n  or:\n    api: System.IO.File::Copy @ token(0x60001BF)+0x43, token(0x60001BF)+0xE7, token(0x60001BF)+0xF6\n\ncreate directory (8 matches)\nnamespace  host-interaction/file-system/create                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Create Directory [C0046]                  \nfunction @ token(0x6000097)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x6000097)+0x18\nfunction @ token(0x6000098)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x6000098)+0x18\nfunction @ token(0x60000B8)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x60000B8)+0x5F\nfunction @ token(0x60000BB)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x60000BB)+0x2C\nfunction @ token(0x60000BC)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x60000BC)+0x9\nfunction @ token(0x6000144)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x6000144)+0x120\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x6000159)+0xFB\nfunction @ token(0x60001A0)\n  or:\n    api: System.IO.Directory::CreateDirectory @ token(0x60001A0)+0x8C, token(0x60001A0)+0x98\n\ndelete directory (2 matches)\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete Directory [C0048]                  \nfunction @ token(0x60000B8)\n  or:\n    api: System.IO.Directory::Delete @ token(0x60000B8)+0x176\nfunction @ token(0x60000BB)\n  or:\n    api: System.IO.Directory::Delete @ token(0x60000BB)+0x87\n\ndelete file (12 matches)\nnamespace  
host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete File [C0047]                       \nfunction @ token(0x60000B8)\n  or:\n    api: System.IO.File::Delete @ token(0x60000B8)+0x182\nfunction @ token(0x60000BB)\n  or:\n    api: System.IO.File::Delete @ token(0x60000BB)+0x93\nfunction @ token(0x6000144)\n  or:\n    api: System.IO.File::Delete @ token(0x6000144)+0x233, token(0x6000144)+0x329\nfunction @ token(0x6000147)\n  or:\n    api: System.IO.File::Delete @ token(0x6000147)+0x3DE\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.File::Delete @ token(0x6000159)+0x1D1, token(0x6000159)+0x256\nfunction @ token(0x600015B)\n  or:\n    api: System.IO.File::Delete @ token(0x600015B)+0x22F, token(0x600015B)+0x255\nfunction @ token(0x60001A8)\n  or:\n    api: System.IO.File::Delete @ token(0x60001A8)+0x280\nfunction @ token(0x60001A9)\n  or:\n    api: System.IO.File::Delete @ token(0x60001A9)+0x30D, token(0x60001A9)+0x337, token(0x60001A9)+0x361\nfunction @ token(0x60001AA)\n  or:\n    api: System.IO.File::Delete @ token(0x60001AA)+0x27E, token(0x60001AA)+0x2A6, token(0x60001AA)+0x2CE\nfunction @ token(0x60001AB)\n  or:\n    api: System.IO.File::Delete @ token(0x60001AB)+0x12D\nfunction @ token(0x60001BC)\n  or:\n    api: System.IO.File::Delete @ token(0x60001BC)+0x33\nfunction @ token(0x60001BF)\n  or:\n    api: System.IO.File::Delete @ token(0x60001BF)+0x109\n\ncheck if directory exists (15 matches)\nnamespace  host-interaction/file-system/exists            \nauthor     michael.hunhoff@mandiant.com                   \nscope      function                                       \natt&ck     Discovery::File and Directory Discovery [T1083]\nfunction @ token(0x600004E)\n  or:\n    api: System.IO.Directory::Exists @ token(0x600004E)+0x5E\nfunction @ token(0x6000095)\n  or:\n    api: 
System.IO.Directory::Exists @ token(0x6000095)+0x64\nfunction @ token(0x6000097)\n  or:\n    api: System.IO.Directory::Exists @ token(0x6000097)+0x10\nfunction @ token(0x6000098)\n  or:\n    api: System.IO.Directory::Exists @ token(0x6000098)+0x10\nfunction @ token(0x60000B7)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60000B7)+0x347\nfunction @ token(0x60000B8)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60000B8)+0xC0\nfunction @ token(0x60000BC)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60000BC)+0x1\nfunction @ token(0x6000144)\n  or:\n    api: System.IO.Directory::Exists @ token(0x6000144)+0x117\nfunction @ token(0x6000149)\n  or:\n    api: System.IO.Directory::Exists @ token(0x6000149)+0x11D, token(0x6000149)+0x237, token(0x6000149)+0x324, \ntoken(0x6000149)+0x469, and 2 more...\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.Directory::Exists @ token(0x6000159)+0xF2\nfunction @ token(0x600015D)\n  or:\n    api: System.IO.Directory::Exists @ token(0x600015D)+0x7B, token(0x600015D)+0x109, token(0x600015D)+0x198, \ntoken(0x600015D)+0x21D, and 1 more...\nfunction @ token(0x60001A7)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60001A7)+0x16\nfunction @ token(0x60001A9)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60001A9)+0xB\nfunction @ token(0x60001AB)\n  or:\n    api: System.IO.Directory::Exists @ token(0x60001AB)+0x2A\nfunction @ token(0x600021B)\n  or:\n    api: System.IO.Directory::Exists @ token(0x600021B)+0x24\n\ncheck if file exists (22 matches)\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ token(0x6000095)\n  or:\n    property/read: System.IO.FileSystemInfo::Exists @ 
token(0x6000095)+0x88\nfunction @ token(0x6000096)\n  or:\n    api: System.IO.File::Exists @ token(0x6000096)+0x1\nfunction @ token(0x60000D6)\n  or:\n    api: System.IO.File::Exists @ token(0x60000D6)+0x1\nfunction @ token(0x60000D7)\n  or:\n    api: System.IO.File::Exists @ token(0x60000D7)+0x1\nfunction @ token(0x60000F8)\n  or:\n    api: System.IO.File::Exists @ token(0x60000F8)+0x45, token(0x60000F8)+0xC5\nfunction @ token(0x60000FA)\n  or:\n    api: System.IO.File::Exists @ token(0x60000FA)+0x1E\nfunction @ token(0x6000144)\n  or:\n    api: System.IO.File::Exists @ token(0x6000144)+0x219, token(0x6000144)+0x22B, token(0x6000144)+0x321\nfunction @ token(0x6000146)\n  or:\n    api: System.IO.File::Exists @ token(0x6000146)+0x71\nfunction @ token(0x6000149)\n  or:\n    api: System.IO.File::Exists @ token(0x6000149)+0x170, token(0x6000149)+0x28B, token(0x6000149)+0x378, \ntoken(0x6000149)+0x4B1, and 2 more...\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.File::Exists @ token(0x6000159)+0x1B7, token(0x6000159)+0x1C9, token(0x6000159)+0x24E\nfunction @ token(0x600015D)\n  or:\n    api: System.IO.File::Exists @ token(0x600015D)+0xCE, token(0x600015D)+0x15D, token(0x600015D)+0x1EC, \ntoken(0x600015D)+0x265, and 1 more...\nfunction @ token(0x60001A6)\n  or:\n    api: System.IO.File::Exists @ token(0x60001A6)+0x19, token(0x60001A6)+0x4B\nfunction @ token(0x60001A7)\n  or:\n    api: System.IO.File::Exists @ token(0x60001A7)+0x2F, token(0x60001A7)+0x140, token(0x60001A7)+0x15E, \ntoken(0x60001A7)+0x174, and 1 more...\nfunction @ token(0x60001A8)\n  or:\n    api: System.IO.File::Exists @ token(0x60001A8)+0x25, token(0x60001A8)+0x278\nfunction @ token(0x60001A9)\n  or:\n    api: System.IO.File::Exists @ token(0x60001A9)+0x64, token(0x60001A9)+0x304, token(0x60001A9)+0x324, \ntoken(0x60001A9)+0x34E\nfunction @ token(0x60001AA)\n  or:\n    api: System.IO.File::Exists @ token(0x60001AA)+0x66, token(0x60001AA)+0x276, token(0x60001AA)+0x294, 
\ntoken(0x60001AA)+0x2BC\nfunction @ token(0x60001AB)\n  or:\n    api: System.IO.File::Exists @ token(0x60001AB)+0x61\nfunction @ token(0x60001BC)\n  or:\n    api: System.IO.File::Exists @ token(0x60001BC)+0x2B, token(0x60001BC)+0x45\nfunction @ token(0x60001BD)\n  or:\n    api: System.IO.File::Exists @ token(0x60001BD)+0x13\nfunction @ token(0x60001BF)\n  or:\n    api: System.IO.File::Exists @ token(0x60001BF)+0x31, token(0x60001BF)+0x39\nfunction @ token(0x600026B)\n  or:\n    api: System.IO.File::Exists @ token(0x600026B)+0x9B\nfunction @ token(0x600026F)\n  or:\n    api: System.IO.File::Exists @ token(0x600026F)+0x70\n\nenumerate files in .NET (6 matches)\nnamespace   host-interaction/file-system/files/list                             \nauthor      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com          \nscope       function                                                            \natt&ck      Discovery::File and Directory Discovery [T1083]                     \nmbc         Discovery::File and Directory Discovery [E1083]                     \nreferences  https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b16…\nfunction @ token(0x60000BC)\n  or:\n    api: System.IO.Directory::GetFiles @ token(0x60000BC)+0x10\n    api: System.IO.Directory::GetDirectories @ token(0x60000BC)+0x41\nfunction @ token(0x6000149)\n  or:\n    api: System.IO.Directory::GetDirectories @ token(0x6000149)+0x128, token(0x6000149)+0x243, token(0x6000149)+0x330, \ntoken(0x6000149)+0x475, and 2 more...\nfunction @ token(0x600015D)\n  or:\n    api: System.IO.Directory::GetDirectories @ token(0x600015D)+0x86, token(0x600015D)+0x115, token(0x600015D)+0x1A4, \ntoken(0x600015D)+0x229, and 1 more...\nfunction @ token(0x60001A7)\n  or:\n    api: System.IO.Directory::GetDirectories @ token(0x60001A7)+0xCB\nfunction @ token(0x60001A9)\n  or:\n    api: System.IO.Directory::GetDirectories @ token(0x60001A9)+0x20\nfunction @ token(0x60001AB)\n  or:\n    api: 
System.IO.Directory::GetDirectories @ token(0x60001AB)+0x3F\n\nget file attributes\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      basic block                                                  \nmbc        File System::Get File Attributes [C0049]                     \nbasic block @ token(0x6000095) in function token(0x6000095)\n  or:\n    property/read: System.IO.FileSystemInfo::Attributes @ token(0x6000095)+0xFD\n\nget file size (5 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        Discovery::File and Directory Discovery [E1083]              \nfunction @ token(0x6000095)\n  or:\n    property/read: System.IO.FileInfo::Length @ token(0x6000095)+0x15D\nfunction @ token(0x60001A5)\n  or:\n    property/read: System.IO.FileInfo::Length @ token(0x60001A5)+0xD4\nfunction @ token(0x60001A8)\n  or:\n    property/read: System.IO.FileInfo::Length @ token(0x60001A8)+0x79\nfunction @ token(0x60001AA)\n  or:\n    property/read: System.IO.FileInfo::Length @ token(0x60001AA)+0xB6\nfunction @ token(0x600026B)\n  or:\n    property/read: System.IO.FileInfo::Length @ token(0x600026B)+0xD3\n\nset file attributes (2 matches)\nnamespace  host-interaction/file-system/meta                                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      basic block                                                          \natt&ck     Defense Evasion::File and Directory Permissions Modification [T1222] \nmbc        File System::Set File Attributes [C0050]                             \nbasic 
block @ token(0x600003C) in function token(0x600003C)\n  or:\n    api: System.IO.File::SetAttributes @ token(0x600003C)+0x19\nbasic block @ token(0x60001BF) in function token(0x60001BF)\n  or:\n    api: System.IO.File::SetAttributes @ token(0x60001BF)+0x4A, token(0x60001BF)+0xEE, token(0x60001BF)+0xFD\n\nmove file (2 matches)\nnamespace  host-interaction/file-system/move                      \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Move File [C0063]                         \nfunction @ token(0x6000144)\n  or:\n    api: System.IO.File::Move @ token(0x6000144)+0x23B\nfunction @ token(0x6000159)\n  or:\n    api: System.IO.File::Move @ token(0x6000159)+0x1D9\n\nread file on Windows (7 matches)\nnamespace  host-interaction/file-system/read                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \nmbc        File System::Read File [C0051]                            \nfunction @ token(0x6000096)\n  or:\n    api: System.IO.File::ReadAllBytes @ token(0x6000096)+0x3F\nfunction @ token(0x60000B8)\n  or:\n    api: System.IO.File::ReadAllBytes @ token(0x60000B8)+0x150\nfunction @ token(0x60000BB)\n  or:\n    api: System.IO.File::ReadAllBytes @ token(0x60000BB)+0x7F\nfunction @ token(0x60001A5)\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ token(0x60001A5)+0xF5\nfunction @ token(0x60001AC)\n  or:\n    api: System.IO.File::ReadAllText @ token(0x60001AC)+0x1\nfunction @ token(0x60001AD)\n  or:\n    api: System.IO.File::ReadAllText @ token(0x60001AD)+0xB\nfunction @ token(0x60001BD)\n  or:\n    api: System.IO.File::ReadAllBytes @ token(0x60001BD)+0x70\n\nwrite file on Windows (11 matches)\nnamespace  host-interaction/file-system/write                              \nauthor     william.ballenthin@mandiant.com, 
anushka.virgaonkar@mandiant.com\nscope      function                                                        \nmbc        File System::Writes File [C0052]                                \nfunction @ token(0x6000019)\n  or:\n    api: System.IO.File::AppendAllText @ token(0x6000019)+0x40\nfunction @ token(0x6000044)\n  or:\n    api: System.IO.File::AppendAllText @ token(0x6000044)+0x40\nfunction @ token(0x6000097)\n  or:\n    api: System.IO.File::WriteAllBytes @ token(0x6000097)+0x20\nfunction @ token(0x60000BB)\n  or:\n    api: System.IO.File::WriteAllText @ token(0x60000BB)+0x42\nfunction @ token(0x60000DD)\n  or:\n    api: System.IO.File::WriteAllText @ token(0x60000DD)+0x2A\nfunction @ token(0x6000147)\n  or:\n    api: System.IO.File::WriteAllText @ token(0x6000147)+0x72\nfunction @ token(0x600014A)\n  or:\n    api: System.IO.File::AppendAllText @ token(0x600014A)+0x40\nfunction @ token(0x600015B)\n  or:\n    api: System.IO.File::WriteAllText @ token(0x600015B)+0x47\nfunction @ token(0x600015E)\n  or:\n    api: System.IO.File::AppendAllText @ token(0x600015E)+0x40\nfunction @ token(0x60001A5)\n  or:\n    api: System.IO.File::WriteAllBytes @ token(0x60001A5)+0x136\nfunction @ token(0x60001E8)\n  or:\n    api: System.IO.File::WriteAllText @ token(0x60001E8)+0x6D\n\nenumerate gui resources (2 matches)\nnamespace  host-interaction/gui                           \nauthor     johnk3r, anushka.virgaonkar@mandiant.com       \nscope      function                                       \natt&ck     Discovery::Application Window Discovery [T1010]\nfunction @ token(0x600004D)\n  or:\n    property/read: System.Windows.Forms.Screen::AllScreens @ token(0x600004D)+0x0\nfunction @ token(0x6000054)\n  or:\n    property/read: System.Windows.Forms.Screen::AllScreens @ token(0x6000054)+0x0\n\nset application hook (2 matches)\nnamespace  host-interaction/gui        \nauthor     michael.hunhoff@mandiant.com\nscope      instruction                 \ninstruction @ token(0x60000A7)+0x1C\n  
or:\n    api: SetWindowsHookEx @ token(0x60000A7)+0x1C\ninstruction @ token(0x60000AF)+0x66\n  or:\n    api: UnhookWindowsHookEx @ token(0x60000AF)+0x66\n\nchange the wallpaper\nnamespace  host-interaction/gui/session       \nauthor     @_re_fox                           \nscope      basic block                        \nmbc        Operating System::Wallpaper [C0035]\nbasic block @ token(0x60000D7) in function token(0x60000D7)\n  and:\n    api: SystemParametersInfo @ token(0x60000D7)+0x12\n    number: 0x14 = SPI_SETDESKWALLPAPER @ token(0x60000D7)+0x8\n    number: 0x3 = SPIF_SENDWININICHANGE | SPIF_UPDATEINIFILE @ token(0x60000D7)+0x11\n\nfind taskbar (3 matches)\nnamespace  host-interaction/gui/taskbar/find   \nauthor     moritz.raabe@mandiant.com           \nscope      basic block                         \nmbc        Discovery::Taskbar Discovery [B0043]\nbasic block @ token(0x60000C2) in function token(0x60000C2)\n  and:\n    string: \"Shell_TrayWnd\" @ token(0x60000C2)+0x0\n    match: find graphical window @ token(0x60000C2)+0xA\n      or:\n        api: FindWindow @ token(0x60000C2)+0xA\nbasic block @ token(0x60000C3) in function token(0x60000C3)\n  and:\n    string: \"Shell_TrayWnd\" @ token(0x60000C3)+0x0\n    match: find graphical window @ token(0x60000C3)+0xA\n      or:\n        api: FindWindow @ token(0x60000C3)+0xA\nbasic block @ token(0x60000C9) in function token(0x60000C9)\n  and:\n    string: \"Shell_TrayWnd\" @ token(0x60000C9)+0x0\n    match: find graphical window @ token(0x60000C9)+0xA\n      or:\n        api: FindWindow @ token(0x60000C9)+0xA\n\nhide the Windows taskbar\nnamespace  host-interaction/gui/taskbar/hide      \nauthor     michael.hunhoff@mandiant.com           \nscope      function                               \natt&ck     Defense Evasion::Hide Artifacts [T1564]\nfunction @ token(0x60000C2)\n  and:\n    match: find taskbar @ token(0x60000C2)\n      and:\n        string: \"Shell_TrayWnd\" @ token(0x60000C2)+0x0\n        match: find 
graphical window @ token(0x60000C2)+0xA\n          or:\n            api: FindWindow @ token(0x60000C2)+0xA\n    match: hide graphical window @ token(0x60000C2)\n      and:\n        number: 0x0 = SW_HIDE @ token(0x60000C2)+0xF\n        api: ShowWindow @ token(0x60000C2)+0x10\n\nfind graphical window (3 matches)\nnamespace  host-interaction/gui/window/find               \nauthor     moritz.raabe@mandiant.com                      \nscope      instruction                                    \natt&ck     Discovery::Application Window Discovery [T1010]\ninstruction @ token(0x60000C2)+0xA\n  or:\n    api: FindWindow @ token(0x60000C2)+0xA\ninstruction @ token(0x60000C3)+0xA\n  or:\n    api: FindWindow @ token(0x60000C3)+0xA\ninstruction @ token(0x60000C9)+0xA\n  or:\n    api: FindWindow @ token(0x60000C9)+0xA\n\nhide graphical window\nnamespace  host-interaction/gui/window/hide                          \nauthor     michael.hunhoff@mandiant.com                              \nscope      basic block                                               \natt&ck     Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\nbasic block @ token(0x60000C2) in function token(0x60000C2)\n  and:\n    number: 0x0 = SW_HIDE @ token(0x60000C2)+0xF\n    api: ShowWindow @ token(0x60000C2)+0x10\n\nget disk information\nnamespace  host-interaction/hardware/storage                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \natt&ck     Discovery::System Information Discovery [T1082]           \nmbc        Discovery::System Information Discovery [E1082]           \nfunction @ token(0x6000093)\n  or:\n    property/read: System.IO.DriveInfo::VolumeLabel @ token(0x6000093)+0x3E, token(0x6000093)+0x4B\n    property/read: System.IO.DriveInfo::DriveType @ token(0x6000093)+0x1E\n    property/read: System.IO.DriveInfo::Name @ token(0x6000093)+0x32\n\nget disk size\nnamespace   
host-interaction/hardware/storage                                   \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Discovery::System Information Discovery [T1082]                     \nmbc         Discovery::System Information Discovery [E1082]                     \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nfunction @ token(0x6000093)\n  or:\n    property/read: System.IO.DriveInfo::TotalSize @ token(0x6000093)+0x63\n    property/read: System.IO.DriveInfo::AvailableFreeSpace @ token(0x6000093)+0x6F\n\nallocate unmanaged memory in .NET (3 matches)\nnamespace  host-interaction/memory     \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x60001AD)\n  or:\n    api: System.Runtime.InteropServices.Marshal::AllocHGlobal @ token(0x60001AD)+0x3D2, token(0x60001AD)+0x3FA\nfunction @ token(0x60001AF)\n  or:\n    api: System.Runtime.InteropServices.Marshal::AllocHGlobal @ token(0x60001AF)+0x15\nfunction @ token(0x60001B0)\n  or:\n    api: System.Runtime.InteropServices.Marshal::AllocHGlobal @ token(0x60001B0)+0x158, token(0x60001B0)+0x163\n\nmanipulate unmanaged memory in .NET (14 matches)\nnamespace  host-interaction/memory     \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x6000055)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x6000055)+0x14\nfunction @ token(0x60000A8)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60000A8)+0x29\nfunction @ token(0x60000C7)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60000C7)+0x14\nfunction @ token(0x60000C8)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60000C8)+0x14\nfunction @ token(0x60000D7)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ 
token(0x60000D7)+0xC\nfunction @ token(0x60000E5)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60000E5)+0x25, token(0x60000E5)+0xA4\nfunction @ token(0x60001A5)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001A5)+0x5B, token(0x60001A5)+0xFC\nfunction @ token(0x60001AD)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001AD)+0x3BC, token(0x60001AD)+0x3D2, token(0x60001AD)+0x3E8, \ntoken(0x60001AD)+0x3FA, and 3 more...\nfunction @ token(0x60001AF)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001AF)+0x15, token(0x60001AF)+0x34, token(0x60001AF)+0x73, \ntoken(0x60001AF)+0xA2\nfunction @ token(0x60001B0)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001B0)+0x143, token(0x60001B0)+0x158, token(0x60001B0)+0x163, \ntoken(0x60001B0)+0x171, and 3 more...\nfunction @ token(0x60001BB)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001BB)+0x6C, token(0x60001BB)+0xA3, token(0x60001BB)+0xDE, \ntoken(0x60001BB)+0x11F, and 1 more...\nfunction @ token(0x60001CA)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001CA)+0x160, token(0x60001CA)+0x187, token(0x60001CA)+0x1C6\nfunction @ token(0x60001CB)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001CB)+0x15A, token(0x60001CB)+0x181, token(0x60001CB)+0x1C0, \ntoken(0x60001CB)+0x1E5\nfunction @ token(0x60001CC)\n  or:\n    class: System.Runtime.InteropServices.Marshal @ token(0x60001CC)+0x92, token(0x60001CC)+0xB9, token(0x60001CC)+0xE0, \ntoken(0x60001CC)+0x107\n\ncreate or open mutex on Windows\nnamespace  host-interaction/mutex                                               \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com,          \n           mehunhoff@google.com                                                 \nscope      instruction                                                          \nmbc        Process::Create Mutex 
[C0042]                                        \ninstruction @ token(0x6000033)+0x211\n  or:\n    and:\n      format: dotnet\n      or:\n        api: System.Threading.Mutex::ctor @ token(0x6000033)+0x211\n\nget networking interfaces\nnamespace  host-interaction/network/interface                                   \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::System Network Configuration Discovery [T1016]            \nfunction @ token(0x600011C)\n  or:\n    and:\n      or:\n        api: System.Net.NetworkInformation.NetworkInterface::GetIPProperties @ token(0x600011C)+0x18\n      optional:\n        api: System.Net.NetworkInformation.NetworkInterface::GetAllNetworkInterfaces @ token(0x600011C)+0x6\n\nget hostname (2 matches)\nnamespace  host-interaction/os/hostname                                         \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::System Information Discovery [T1082]                      \nmbc        Discovery::System Information Discovery [E1082]                      \nfunction @ token(0x6000049)\n  or:\n    property/read: System.Environment::MachineName @ token(0x6000049)+0x0\nfunction @ token(0x60001A0)\n  or:\n    api: GetComputerName @ token(0x60001A0)+0x18\n    property/read: System.Environment::MachineName @ token(0x60001A0)+0x35\n\nget OS version in .NET\nnamespace  host-interaction/os/version                    \nauthor     michael.hunhoff@mandiant.com                   \nscope      basic block                                    \natt&ck     Discovery::System Information Discovery [T1082]\nbasic block 
@ token(0x600004B) in function token(0x600004B)\n  or:\n    property/read: System.Environment::OSVersion @ token(0x600004B)+0x6D\n\nget process image filename (5 matches)\nnamespace  host-interaction/process    \nauthor     michael.hunhoff@mandiant.com\nscope      basic block                 \nbasic block @ token(0x6000033) in function token(0x6000033)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x6000033)+0xC4\n      property/read: System.Diagnostics.Process::MainModule @ token(0x6000033)+0xC9\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x6000033)+0xCE\nbasic block @ token(0x600003A) in function token(0x600003A)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x600003A)+0x0\n      property/read: System.Diagnostics.Process::MainModule @ token(0x600003A)+0x5\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x600003A)+0xA\nbasic block @ token(0x600003C) in function token(0x600003C)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x600003C)+0x9\n      property/read: System.Diagnostics.Process::MainModule @ token(0x600003C)+0xE\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x600003C)+0x13\nbasic block @ token(0x600003E) in function token(0x600003E)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x600003E)+0x0\n      property/read: System.Diagnostics.Process::MainModule @ token(0x600003E)+0x5\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x600003E)+0xA\nbasic block @ token(0x60001E8) in function token(0x60001E8)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x60001E8)+0x0, token(0x60001E8)+0x42\n      property/read: System.Diagnostics.Process::MainModule @ token(0x60001E8)+0x5\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x60001E8)+0xA\n\ncreate a process 
with modified I/O handles and window (14 matches)\nnamespace   host-interaction/process/create                                     \nauthor      matthew.williams@mandiant.com, anushka.virgaonkar@mandiant.com      \nscope       function                                                            \nmbc         Process::Create Process [C0017]                                     \nreferences  https://docs.microsoft.com/en-us/windows/win32/api/processthreadsap…\nfunction @ token(0x6000033)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000033)+0xF4\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000033)+0xE4\n        property/write: System.Diagnostics.ProcessStartInfo::Verb @ token(0x6000033)+0xEF\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000033)+0xDD\nfunction @ token(0x600003A)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003A)+0x4C, token(0x600003A)+0xCC\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003A)+0x3E, token(0x600003A)+0xBE\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003A)+0x21, token(0x600003A)+0x86\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600003A)+0x37, token(0x600003A)+0xB7\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003A)+0x45, token(0x600003A)+0xC5\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600003A)+0x53, token(0x600003A)+0xD3\nfunction @ token(0x600003B)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600003B)+0x4F\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003B)+0x3C\n      
  property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003B)+0x2E\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003B)+0x11\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600003B)+0x27\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003B)+0x35\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600003B)+0x43\nfunction @ token(0x600003E)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003E)+0x68\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003E)+0x6F\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003E)+0x61\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003E)+0x76\nfunction @ token(0x60000F7)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x60000F7)+0x42, token(0x60000F7)+0x11F\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x60000F7)+0x29, token(0x60000F7)+0x106\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x60000F7)+0x17, token(0x60000F7)+0xE8\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x60000F7)+0x22, token(0x60000F7)+0xFF\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x60000F7)+0x37, token(0x60000F7)+0x114\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x60000F7)+0x30, token(0x60000F7)+0x10D\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x60000F7)+0x49, token(0x60000F7)+0x126\nfunction @ token(0x600011D)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ 
token(0x600011D)+0x42, token(0x600011D)+0x11F\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600011D)+0x29, token(0x600011D)+0x106\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600011D)+0x17, token(0x600011D)+0xE8\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600011D)+0x22, token(0x600011D)+0xFF\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600011D)+0x37, token(0x600011D)+0x114\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600011D)+0x30, token(0x600011D)+0x10D\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x600011D)+0x49, token(0x600011D)+0x126\nfunction @ token(0x600011E)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600011E)+0x42\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600011E)+0x29\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600011E)+0x17\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600011E)+0x22\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600011E)+0x37\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600011E)+0x30\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x600011E)+0x49\nfunction @ token(0x6000144)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000144)+0x1B8\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000144)+0x186\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000144)+0x1A6\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000144)+0x13D\n        property/write: 
System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000144)+0x17E\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000144)+0x19E\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000144)+0x18E\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x6000144)+0x1C0\nfunction @ token(0x6000147)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000147)+0x100\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000147)+0xD6\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000147)+0xF2\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000147)+0xB9\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000147)+0xCF\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000147)+0xEB\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000147)+0xDD\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x6000147)+0x108\nfunction @ token(0x6000148)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000148)+0xD5\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000148)+0xAD\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000148)+0xC9\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000148)+0x81\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000148)+0xA6\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000148)+0xC2\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000148)+0xB4\n        property/read: System.Diagnostics.Process::StandardOutput @ 
token(0x6000148)+0xDC\nfunction @ token(0x6000159)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000159)+0x190\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000159)+0x161\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000159)+0x181\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000159)+0x118\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000159)+0x159\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000159)+0x179\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000159)+0x169\nfunction @ token(0x600015B)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600015B)+0xCB\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600015B)+0xA4\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600015B)+0xC0\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600015B)+0x87\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600015B)+0x9D\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600015B)+0xB9\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600015B)+0xAB\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x600015B)+0xD2\nfunction @ token(0x600015C)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x600015C)+0x99\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600015C)+0x72\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600015C)+0x8E\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600015C)+0x46\n 
       property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600015C)+0x6B\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600015C)+0x87\n        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600015C)+0x79\n        property/read: System.Diagnostics.Process::StandardOutput @ token(0x600015C)+0xA0\nfunction @ token(0x60001E8)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x60001E8)+0x8C\n      or:\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x60001E8)+0x80\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x60001E8)+0x79\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x60001E8)+0x87\n\ncreate process on Windows (22 matches)\nnamespace  host-interaction/process/create\nauthor     moritz.raabe@mandiant.com      \nscope      basic block                    \nmbc        Process::Create Process [C0017]\nbasic block @ token(0x6000033) in function token(0x6000033)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000033)+0xF4\nbasic block @ token(0x6000039) in function token(0x6000039)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000039)+0x1DE1, token(0x6000039)+0x1FD1\nbasic block @ token(0x600003A) in function token(0x600003A)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\nbasic block @ token(0x600003B) in function token(0x600003B)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600003B)+0x4F\nbasic block @ token(0x600003E) in function token(0x600003E)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600003E)+0x7B\nbasic block @ token(0x6000099) in function token(0x6000099)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000099)+0x1\nbasic block @ token(0x60000D5) in function token(0x60000D5)\n  or:\n    api: 
System.Diagnostics.Process::Start @ token(0x60000D5)+0x28\nbasic block @ token(0x60000D8) in function token(0x60000D8)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x60000D8)+0xA\nbasic block @ token(0x60000DB) in function token(0x60000DB)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x60000DB)+0x5\nbasic block @ token(0x60000DC) in function token(0x60000DC)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x60000DC)+0x5\nbasic block @ token(0x60000DD) in function token(0x60000DD)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x60000DD)+0x35\nbasic block @ token(0x60000F7) in function token(0x60000F7)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x60000F7)+0x42, token(0x60000F7)+0x11F\nbasic block @ token(0x600011D) in function token(0x600011D)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600011D)+0x42, token(0x600011D)+0x11F\nbasic block @ token(0x600011E) in function token(0x600011E)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600011E)+0x42\nbasic block @ token(0x6000144) in function token(0x6000144)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000144)+0x1B8\nbasic block @ token(0x6000147) in function token(0x6000147)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000147)+0x100\nbasic block @ token(0x6000148) in function token(0x6000148)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000148)+0xD5\nbasic block @ token(0x6000159) in function token(0x6000159)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000159)+0x190\nbasic block @ token(0x600015B) in function token(0x600015B)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600015B)+0xCB\nbasic block @ token(0x600015C) in function token(0x600015C)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x600015C)+0x99\nbasic block @ token(0x60001E8) in function token(0x60001E8)\n  or:\n    api: System.Diagnostics.Process::Start @ 
token(0x60001E8)+0x8C\nbasic block @ token(0x6000207) in function token(0x6000207)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000207)+0x10\n\nenumerate processes (2 matches)\nnamespace  host-interaction/process/list                                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com              \nscope      function                                                             \natt&ck     Discovery::Process Discovery [T1057], Discovery::Software Discovery  \n           [T1518]                                                              \nfunction @ token(0x6000060)\n  or:\n    api: System.Diagnostics.Process::GetProcesses @ token(0x6000060)+0x6\nfunction @ token(0x60000D9)\n  or:\n    api: System.Diagnostics.Process::GetProcesses @ token(0x60000D9)+0xD\n\nfind process by PID (2 matches)\nnamespace  host-interaction/process/list                                \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::Process Discovery [T1057]                         \nfunction @ token(0x6000061)\n  and:\n    or:\n      api: System.Diagnostics.Process::GetProcessById @ token(0x6000061)+0x1\nfunction @ token(0x6000062)\n  and:\n    or:\n      api: System.Diagnostics.Process::GetProcessById @ token(0x6000062)+0x1\n\nfind process by name\nnamespace  host-interaction/process/list       \nauthor     anushka.virgaonkar@mandiant.com     \nscope      function                            \natt&ck     Discovery::Process Discovery [T1057]\nfunction @ token(0x60001BB)\n  and:\n    api: System.Diagnostics.Process::GetProcessesByName @ token(0x60001BB)+0x7\n\nacquire debug privileges\nnamespace  host-interaction/process/modify                        \nauthor     william.ballenthin@mandiant.com                        \nscope      basic block                                            \natt&ck     Privilege 
Escalation::Access Token Manipulation [T1134]\nbasic block @ token(0x60001BA) in function token(0x60001BA)\n  and:\n    string: \"SeDebugPrivilege\" @ token(0x60001BA)+0x13\n    optional:\n      match: modify access privileges @ token(0x60001BA)+0x59\n        and:\n          api: AdjustTokenPrivileges @ token(0x60001BA)+0x59\n\nmodify access privileges\nnamespace  host-interaction/process/modify                        \nauthor     moritz.raabe@mandiant.com                              \nscope      instruction                                            \natt&ck     Privilege Escalation::Access Token Manipulation [T1134]\ninstruction @ token(0x60001BA)+0x59\n  and:\n    api: AdjustTokenPrivileges @ token(0x60001BA)+0x59\n\nterminate process (14 matches)\nnamespace  host-interaction/process/terminate                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Process::Terminate Process [C0018]                                   \nfunction @ token(0x600003A)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x600003A)+0x6F, token(0x600003A)+0xEF\nfunction @ token(0x600003B)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x600003B)+0x5E\nfunction @ token(0x6000061)\n  or:\n    api: System.Diagnostics.Process::Kill @ token(0x6000061)+0x25, token(0x6000061)+0x3C\n    api: System.Diagnostics.Process::WaitForExit @ token(0x6000061)+0x14, token(0x6000061)+0x30, token(0x6000061)+0x47\nfunction @ token(0x60000F7)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x60000F7)+0x54, token(0x60000F7)+0x132\nfunction @ token(0x600011D)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x600011D)+0x54, token(0x600011D)+0x132\nfunction @ token(0x600011E)\n  or:\n    api: 
System.Diagnostics.Process::WaitForExit @ token(0x600011E)+0x54\nfunction @ token(0x6000144)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x6000144)+0x1E0\nfunction @ token(0x6000147)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x6000147)+0x129\nfunction @ token(0x6000148)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x6000148)+0xFB\nfunction @ token(0x6000159)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x6000159)+0x19C\nfunction @ token(0x600015B)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x600015B)+0xF0\nfunction @ token(0x600015C)\n  or:\n    api: System.Diagnostics.Process::WaitForExit @ token(0x600015C)+0xB1\nfunction @ token(0x60001E7)\n  or:\n    api: System.Environment::Exit @ token(0x60001E7)+0x2F\nfunction @ token(0x60001E8)\n  or:\n    api: System.Environment::Exit @ token(0x60001E8)+0x99\n\nquery or enumerate registry key (7 matches)\nnamespace  host-interaction/registry                                 \nauthor     michael.hunhoff@mandiant.com                              \nscope      function                                                  \natt&ck     Discovery::Query Registry [T1012]                         \nmbc        Operating System::Registry::Query Registry Key [C0036.005]\nfunction @ token(0x6000039)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000039)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000039)+0x1FE8\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000039)+0x1FE8\nfunction @ token(0x600006F)\n  and:\n    optional:\n      match: create or open registry key @ token(0x600006F)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x600006F)+0x10, token(0x600006F)+0x8E\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x600006F)+0x10, token(0x600006F)+0x8E\nfunction @ token(0x6000071)\n  and:\n    
optional:\n      match: create or open registry key @ token(0x6000071)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000071)+0xB\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000071)+0xB\nfunction @ token(0x60000F9)\n  and:\n    optional:\n      match: create or open registry key @ token(0x60000F9)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x60000F9)+0x10\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x60000F9)+0x10\nfunction @ token(0x6000255)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000255)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000255)+0x67\n    or:\n      api: Microsoft.Win32.RegistryKey::GetSubKeyNames @ token(0x6000255)+0x7F\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000255)+0x67\nfunction @ token(0x6000257)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000257)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000257)+0x3C\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000257)+0x3C\nfunction @ token(0x6000259)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000259)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000259)+0x36\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000259)+0x36\n\nquery or enumerate registry value (2 matches)\nnamespace  host-interaction/registry                                            \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com,       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::Query Registry [T1012]                                    \nmbc        Operating System::Registry::Query 
Registry Value [C0036.006]         \nfunction @ token(0x600006F)\n  and:\n    optional:\n      match: create or open registry key @ token(0x600006F)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x600006F)+0x10, token(0x600006F)+0x8E\n    or:\n      api: Microsoft.Win32.RegistryKey::GetValue @ token(0x600006F)+0x2C, token(0x600006F)+0xAE\n      api: Microsoft.Win32.RegistryKey::GetValueNames @ token(0x600006F)+0x1A, token(0x600006F)+0x9B\nfunction @ token(0x6000255)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000255)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000255)+0x67\n    or:\n      api: Microsoft.Win32.RegistryKey::GetValue @ token(0x6000255)+0xFE\n      api: Microsoft.Win32.RegistryKey::GetValueKind @ token(0x6000255)+0x108\n      api: Microsoft.Win32.RegistryKey::GetValueNames @ token(0x6000255)+0xE5\n\nset registry value (5 matches)\nnamespace  host-interaction/registry/create                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com \nscope      function                                                \nmbc        Operating System::Registry::Set Registry Key [C0036.001]\nfunction @ token(0x6000039)\n  or:\n    and:\n      match: host-interaction/process/create @ token(0x6000039)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x6000039)+0x1DE1, token(0x6000039)+0x1FD1\n      regex: /add/i\n        - \"add_startup\" @ token(0x6000039)+0x6C2\n        - \"add_to_startup\" @ token(0x6000039)+0x79E\n      or:\n        regex: /reg(|.exe)/i\n          - \"Listing registry (normalized): \" @ token(0x6000039)+0x23A4\n          - \"Registry list packet data: \" @ token(0x6000039)+0x2153\n          - \"Setting registry value: \" @ token(0x6000039)+0x2434\n          - \"list_registry\" @ token(0x6000039)+0x453\n          - \"set_registry_value\" @ token(0x6000039)+0x8E8\n        regex: /hklm/i\n          - 
\"HKLM\" @ token(0x6000039)+0x21FC\n        regex: /HKEY_LOCAL_MACHINE/i\n          - \"HKEY_LOCAL_MACHINE\" @ token(0x6000039)+0x21CC\n        regex: /hkcu/i\n          - \"HKCU\" @ token(0x6000039)+0x21F4\n        regex: /HKEY_CURRENT_USER/i\n          - \"HKEY_CURRENT_USER\" @ token(0x6000039)+0x218F, token(0x6000039)+0x21C4\n    and:\n      optional:\n        match: create or open registry key @ token(0x6000039)\n          or:\n            api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000039)+0x1FE8\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000039)+0x2000\nfunction @ token(0x600003E)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x600003E)\n          or:\n            api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x600003E)+0x1C\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x600003E)+0x34, token(0x600003E)+0x45\nfunction @ token(0x600003E)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x600003E)\n          or:\n            api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x600003E)+0x1C\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x600003E)+0x34, token(0x600003E)+0x45\nfunction @ token(0x6000070)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x6000070)\n          or:\n            api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x6000070)+0xA\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000070)+0x13\nfunction @ token(0x6000257)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x6000257)\n          or:\n            api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000257)+0x3C\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000257)+0x14B\n\ndelete registry key\nnamespace  host-interaction/registry/delete                                
\nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\nscope      function                                                        \natt&ck     Defense Evasion::Modify Registry [T1112]                        \nmbc        Operating System::Registry::Delete Registry Key [C0036.002]     \nfunction @ token(0x600003E)\n  and:\n    optional:\n      match: create or open registry key @ token(0x600003E)\n        or:\n          api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x600003E)+0x1C\n    or:\n      api: Microsoft.Win32.RegistryKey::DeleteSubKeyTree @ token(0x600003E)+0xA6, token(0x600003E)+0xC0\n\ndelete registry value (2 matches)\nnamespace  host-interaction/registry/delete                             \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Defense Evasion::Modify Registry [T1112]                     \nmbc        Operating System::Registry::Delete Registry Value [C0036.007]\nfunction @ token(0x6000071)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000071)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000071)+0xB\n    or:\n      api: Microsoft.Win32.RegistryKey::DeleteValue @ token(0x6000071)+0x17\nfunction @ token(0x6000259)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000259)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000259)+0x36\n    or:\n      api: Microsoft.Win32.RegistryKey::DeleteValue @ token(0x6000259)+0x4A\n\nget session integrity level (3 matches)\nnamespace  host-interaction/session                                     \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::System Owner/User Discovery [T1033]               \nfunction @ token(0x600003D)\n  or:\n   
 and:\n      api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x600003D)+0x0\n      number: 0x220 = BUILTIN\\Administrators @ token(0x600003D)+0xA\n      api: System.Security.Principal.WindowsPrincipal::IsInRole @ token(0x600003D)+0xF\nfunction @ token(0x600007A)\n  or:\n    and:\n      api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x600007A)+0x0\n      number: 0x220 = BUILTIN\\Administrators @ token(0x600007A)+0xA\n      api: System.Security.Principal.WindowsPrincipal::IsInRole @ token(0x600007A)+0xF\nfunction @ token(0x60001B9)\n  or:\n    and:\n      api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x60001B9)+0x0\n      number: 0x220 = BUILTIN\\Administrators @ token(0x60001B9)+0xA\n      api: System.Security.Principal.WindowsPrincipal::IsInRole @ token(0x60001B9)+0xF\n\nget session user name (5 matches)\nnamespace  host-interaction/session                                             \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope      function                                                             \natt&ck     Discovery::System Owner/User Discovery [T1033], Discovery::Account   \n           Discovery [T1087]                                                    \nfunction @ token(0x600003D)\n  or:\n    api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x600003D)+0x0\nfunction @ token(0x600004A)\n  or:\n    property/read: System.Environment::UserName @ token(0x600004A)+0x0\nfunction @ token(0x600007A)\n  or:\n    api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x600007A)+0x0\nfunction @ token(0x6000149)\n  or:\n    property/read: System.Environment::UserName @ token(0x6000149)+0x16\nfunction @ token(0x60001B9)\n  or:\n    api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x60001B9)+0x0\n\ncreate thread (3 matches)\nnamespace  host-interaction/thread/create                                       \nauthor     
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           joakim@intezer.com, anushka.virgaonkar@mandiant.com                  \nscope      basic block                                                          \nmbc        Process::Create Thread [C0038]                                       \nbasic block @ token(0x60000A4) in function token(0x60000A4)\n  or:\n    and:\n      api: System.Threading.Thread::Start @ token(0x60000A4)+0x47\n      optional:\n        api: System.Threading.Thread::ctor @ token(0x60000A4)+0x24\nbasic block @ token(0x60000C4) in function token(0x60000C4)\n  or:\n    and:\n      api: System.Threading.Thread::Start @ token(0x60000C4)+0x38\n      optional:\n        api: System.Threading.Thread::ctor @ token(0x60000C4)+0x25\nbasic block @ token(0x60000EC) in function token(0x60000EC)\n  or:\n    and:\n      api: System.Threading.Thread::Start @ token(0x60000EC)+0x57\n      optional:\n        api: System.Threading.Thread::ctor @ token(0x60000EC)+0x2F\n\nsuspend thread (9 matches)\nnamespace  host-interaction/thread/suspend                    \nauthor     0x534a@mailbox.org, anushka.virgaonkar@mandiant.com\nscope      basic block                                        \nmbc        Process::Suspend Thread [C0055]                    \nbasic block @ token(0x6000010) in function token(0x6000010)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000010)+0x16D, token(0x6000010)+0x1B4, token(0x6000010)+0x1CB\nbasic block @ token(0x6000011) in function token(0x6000011)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000011)+0xEC, token(0x6000011)+0x134\nbasic block @ token(0x6000033) in function token(0x6000033)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000033)+0xA5\nbasic block @ token(0x6000035) in function token(0x6000035)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000035)+0xC1, token(0x6000035)+0xED\nbasic block @ token(0x6000037) in function token(0x6000037)\n  or:\n    api: 
System.Threading.Thread::Sleep @ token(0x6000037)+0x24A, token(0x6000037)+0x363, token(0x6000037)+0x370, \ntoken(0x6000037)+0x3A1, and 2 more...\nbasic block @ token(0x600003E) in function token(0x600003E)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x600003E)+0x96\nbasic block @ token(0x60000DA) in function token(0x60000DA)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x60000DA)+0x55\nbasic block @ token(0x60001E7) in function token(0x60001E7)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x60001E7)+0x14\nbasic block @ token(0x6000207) in function token(0x6000207)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000207)+0x18\n\naccess WMI data in .NET\nnamespace  host-interaction/wmi                                 \nauthor     michael.hunhoff@mandiant.com                         \nscope      function                                             \natt&ck     Execution::Windows Management Instrumentation [T1047]\nfunction @ token(0x600004B)\n  or:\n    and:\n      api: System.Management.ManagementObjectSearcher::Get @ token(0x600004B)+0xC\n      optional:\n        api: System.Management.ManagementObjectSearcher::ctor @ token(0x600004B)+0x5\n\nreference cryptocurrency strings\nnamespace   impact/cryptocurrency                                               \nauthor      moritz.raabe@mandiant.com                                           \nscope       file                                                                \natt&ck      Impact::Resource Hijacking [T1496]                                  \nreferences  https://github.com/ctxis/CAPE/blob/master/modules/signatures/crypto…\nor:\n  string: \"Bitcoin\" @ file+0x258F8\n  string: \"Ethereum\" @ file+0x2591A\n  string: \"Dash\" @ file+0x25A16\n  string: \"Monero\" @ file+0x25A46\n  string: \"Zcash\" @ file+0x25A2C\n\ndisable system features via registry on Windows\nnamespace  impact/features                                                      \nauthor     
mehunhoff@google.com                                                 \nscope      function                                                             \natt&ck     Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]\nmbc        Defense Evasion::Disable or Evade Security Tools [F0004]             \nfunction @ token(0x6000039)\n  and:\n    match: set registry value @ token(0x6000039)\n      or:\n        and:\n          match: host-interaction/process/create @ token(0x6000039)\n            or:\n              api: System.Diagnostics.Process::Start @ token(0x6000039)+0x1DE1, token(0x6000039)+0x1FD1\n          regex: /add/i\n            - \"add_startup\" @ token(0x6000039)+0x6C2\n            - \"add_to_startup\" @ token(0x6000039)+0x79E\n          or:\n            regex: /reg(|.exe)/i\n              - \"Listing registry (normalized): \" @ token(0x6000039)+0x23A4\n              - \"Registry list packet data: \" @ token(0x6000039)+0x2153\n              - \"Setting registry value: \" @ token(0x6000039)+0x2434\n              - \"list_registry\" @ token(0x6000039)+0x453\n              - \"set_registry_value\" @ token(0x6000039)+0x8E8\n            regex: /hklm/i\n              - \"HKLM\" @ token(0x6000039)+0x21FC\n            regex: /HKEY_LOCAL_MACHINE/i\n              - \"HKEY_LOCAL_MACHINE\" @ token(0x6000039)+0x21CC\n            regex: /hkcu/i\n              - \"HKCU\" @ token(0x6000039)+0x21F4\n            regex: /HKEY_CURRENT_USER/i\n              - \"HKEY_CURRENT_USER\" @ token(0x6000039)+0x218F, token(0x6000039)+0x21C4\n        and:\n          optional:\n            match: create or open registry key @ token(0x6000039)\n              or:\n                api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000039)+0x1FE8\n          or:\n            api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000039)+0x2000\n    or:\n      and:\n        regex: /SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System/i\n          - 
\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\" @ token(0x6000039)+0x1FE2\n        or:\n          regex: /EnableLUA/i\n            - \"EnableLUA\" @ token(0x6000039)+0x1FF5\n\n(internal) .NET file limitation\nnamespace    internal/limitation/dynamic                        \nauthor       @v1bh475u                                          \nscope        file                                               \ndescription  This dynamic analysis trace describes a .NET file. \n                                                                \n             capa rules are not yet tuned for the .NET runtime, \n             so its analysis may be incomplete or misleading.   \n                                                                \nor:\n  format: dotnet\n\ncompile .NET assembly\nnamespace  load-code/dotnet                                                     \nauthor     anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information::Compile After      \n           Delivery [T1027.004]                                                 \nfunction @ token(0x600027A)\n  or:\n    api: System.CodeDom.Compiler.CodeDomProvider::CompileAssemblyFromSource @ token(0x600027A)+0x138\n\ninvoke .NET assembly method (2 matches)\nnamespace  load-code/dotnet                                     \nauthor     anushka.virgaonkar@mandiant.com, mehunhoff@google.com\nscope      function                                             \natt&ck     Defense Evasion::Reflective Code Loading [T1620]     \nfunction @ token(0x6000146)\n  and:\n    format: dotnet\n    or:\n      api: System.Reflection.MethodBase::Invoke @ token(0x6000146)+0x187, token(0x6000146)+0x19B, token(0x6000146)+0x1CB, \ntoken(0x6000146)+0x207, and 6 more...\n    optional:\n      api: System.Type::GetMethod @ token(0x6000146)+0x17F, token(0x6000146)+0x193, 
token(0x6000146)+0x1C3, \ntoken(0x6000146)+0x1F1, and 6 more...\nfunction @ token(0x600027A)\n  and:\n    format: dotnet\n    or:\n      api: System.Reflection.MethodBase::Invoke @ token(0x600027A)+0x2A8\n    optional:\n      api: System.Type::GetMethod @ token(0x600027A)+0x257\n\nload .NET assembly\nnamespace  load-code/dotnet                                \nauthor     anushka.virgaonkar@mandiant.com                 \nscope      function                                        \natt&ck     Defense Evasion::Reflective Code Loading [T1620]\nfunction @ token(0x6000146)\n  or:\n    api: System.Reflection.Assembly::LoadFrom @ token(0x6000146)+0x7A\n\ncompile CSharp in .NET\nnamespace  load-code/dotnet/csharp                                              \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information::Compile After      \n           Delivery [T1027.004]                                                 \nfunction @ token(0x600027A)\n  and:\n    match: compile .NET assembly @ token(0x600027A)\n      or:\n        api: System.CodeDom.Compiler.CodeDomProvider::CompileAssemblyFromSource @ token(0x600027A)+0x138\n    api: Microsoft.CSharp.CSharpCodeProvider::ctor @ token(0x600027A)+0x12\n\npersist via default file association registry key (2 matches)\nnamespace   persistence/registry                                                \nauthor      j.j.vannielen@utwente.nl                                            \nscope       function                                                            \natt&ck      Persistence::Event Triggered Execution::Change Default File         \n            Association [T1546.001]                                             \nreferences  https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/…\n            
https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrator…\nfunction @ token(0x600003E)\n  and:\n    match: set registry value @ token(0x600003E)\n      or:\n        and:\n          optional:\n            match: create or open registry key @ token(0x600003E)\n              or:\n                api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x600003E)+0x1C\n          or:\n            api: Microsoft.Win32.RegistryKey::SetValue @ token(0x600003E)+0x34, token(0x600003E)+0x45\n    or:\n      regex: /\\\\shell\\\\open\\\\command/i\n        - \"Software\\\\Classes\\\\ms-settings\\\\Shell\\\\Open\\\\command\" @ token(0x600003E)+0x10\nfunction @ token(0x600003E)\n  and:\n    match: set registry value @ token(0x600003E)\n      or:\n        and:\n          optional:\n            match: create or open registry key @ token(0x600003E)\n              or:\n                api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x600003E)+0x1C\n          or:\n            api: Microsoft.Win32.RegistryKey::SetValue @ token(0x600003E)+0x34, token(0x600003E)+0x45\n    or:\n      regex: /\\\\shell\\\\open\\\\command/i\n        - \"Software\\\\Classes\\\\ms-settings\\\\Shell\\\\Open\\\\command\" @ token(0x600003E)+0x10\n\npersist via Run registry key\nnamespace  persistence/registry/run                                             \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com                      \nscope      function                                                             \natt&ck     Persistence::Boot or Logon Autostart Execution::Registry Run Keys /  \n           Startup Folder [T1547.001]                                           \nmbc        Persistence::Registry Run Keys / Startup Folder [F0012]              \nfunction @ token(0x6000070)\n  and:\n    or:\n      match: set registry value @ token(0x6000070)\n        or:\n          and:\n            optional:\n              match: create or open registry key @ token(0x6000070)\n                or:\n  
                api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x6000070)+0xA\n            or:\n              api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000070)+0x13\n    or:\n      regex: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run/i\n        - \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" @ token(0x6000070)+0x5\n\nschedule task via schtasks (2 matches)\nnamespace   persistence/scheduled-tasks                                         \nauthor      0x534a@mailbox.org, j.j.vannielen@utwente.nl                        \nscope       function                                                            \natt&ck      Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]         \nreferences  https://learn.microsoft.com/en-us/windows/win32/taskschd/task-sched…\n            https://stmxcsr.com/persistence/scheduled-tasks.html                \nfunction @ token(0x600003A)\n  or:\n    and:\n      match: host-interaction/process/create @ token(0x600003A)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003A)+0x4C, token(0x600003A)+0xCC\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003A)+0x3E, token(0x600003A)+0xBE\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003A)+0x21, token(0x600003A)+0x86\n              property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600003A)+0x37, token(0x600003A)+0xB7\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003A)+0x45, token(0x600003A)+0xC5\n              property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ 
token(0x600003A)+0x53, token(0x600003A)+0xD3\n      or:\n        and:\n          regex: /schtasks/i\n            - \"schtasks.exe\" @ token(0x600003A)+0x1C, token(0x600003A)+0x81\n          or:\n            regex: /\\/create/i\n              - \"/create /tn \\\"\" @ token(0x600003A)+0x94\nfunction @ token(0x600003A)\n  or:\n    and:\n      match: host-interaction/process/create @ token(0x600003A)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x600003A)+0x5F, token(0x600003A)+0xE0\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x600003A)+0x4C, token(0x600003A)+0xCC\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x600003A)+0x3E, token(0x600003A)+0xBE\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x600003A)+0x21, token(0x600003A)+0x86\n              property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x600003A)+0x37, token(0x600003A)+0xB7\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x600003A)+0x45, token(0x600003A)+0xC5\n              property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x600003A)+0x53, token(0x600003A)+0xD3\n      or:\n        and:\n          regex: /schtasks/i\n            - \"schtasks.exe\" @ token(0x600003A)+0x1C, token(0x600003A)+0x81\n          or:\n            regex: /\\/create/i\n              - \"/create /tn \\\"\" @ token(0x600003A)+0x94\n\nunmanaged call (42 matches)\nnamespace    runtime                                                       \nauthor       michael.hunhoff@mandiant.com                                  \nscope        function                                                      \ndescription  managed code calls unmanaged (native) code, often 
seen in .NET\nfunction @ token(0x6000055)\n  or:\n    characteristic: unmanaged call @ token(0x6000055)+0x20, token(0x6000055)+0x8E, token(0x6000055)+0xFF, \ntoken(0x6000055)+0x12A, and 1 more...\nfunction @ token(0x6000063)\n  or:\n    characteristic: unmanaged call @ token(0x6000063)+0x22, token(0x6000063)+0x36, token(0x6000063)+0x3D\nfunction @ token(0x60000A5)\n  or:\n    characteristic: unmanaged call @ token(0x60000A5)+0x3C\nfunction @ token(0x60000A7)\n  or:\n    characteristic: unmanaged call @ token(0x60000A7)+0x16, token(0x60000A7)+0x1C\nfunction @ token(0x60000A8)\n  or:\n    characteristic: unmanaged call @ token(0x60000A8)+0x79\nfunction @ token(0x60000AA)\n  or:\n    characteristic: unmanaged call @ token(0x60000AA)+0xE9, token(0x60000AA)+0xFA\nfunction @ token(0x60000AF)\n  or:\n    characteristic: unmanaged call @ token(0x60000AF)+0x3A, token(0x60000AF)+0x42, token(0x60000AF)+0x51, \ntoken(0x60000AF)+0x66\nfunction @ token(0x60000C2)\n  or:\n    characteristic: unmanaged call @ token(0x60000C2)+0xA, token(0x60000C2)+0x10\nfunction @ token(0x60000C3)\n  or:\n    characteristic: unmanaged call @ token(0x60000C3)+0xA, token(0x60000C3)+0x10\nfunction @ token(0x60000C7)\n  or:\n    characteristic: unmanaged call @ token(0x60000C7)+0x23, token(0x60000C7)+0x4A\nfunction @ token(0x60000C8)\n  or:\n    characteristic: unmanaged call @ token(0x60000C8)+0x23, token(0x60000C8)+0x41\nfunction @ token(0x60000C9)\n  or:\n    characteristic: unmanaged call @ token(0x60000C9)+0xA, token(0x60000C9)+0x1A\nfunction @ token(0x60000CA)\n  or:\n    characteristic: unmanaged call @ token(0x60000CA)+0x9\nfunction @ token(0x60000CB)\n  or:\n    characteristic: unmanaged call @ token(0x60000CB)+0x9\nfunction @ token(0x60000D2)\n  or:\n    characteristic: unmanaged call @ token(0x60000D2)+0xC\nfunction @ token(0x60000D3)\n  or:\n    characteristic: unmanaged call @ token(0x60000D3)+0xC\nfunction @ token(0x60000D4)\n  or:\n    characteristic: unmanaged call @ 
token(0x60000D4)+0x1\nfunction @ token(0x60000D6)\n  or:\n    characteristic: unmanaged call @ token(0x60000D6)+0x13, token(0x60000D6)+0x26\nfunction @ token(0x60000D7)\n  or:\n    characteristic: unmanaged call @ token(0x60000D7)+0x12\nfunction @ token(0x60000DA)\n  or:\n    characteristic: unmanaged call @ token(0x60000DA)+0x3, token(0x60000DA)+0x4D, token(0x60000DA)+0x70\nfunction @ token(0x60000E5)\n  or:\n    characteristic: unmanaged call @ token(0x60000E5)+0x12, token(0x60000E5)+0x3D, token(0x60000E5)+0x5D, \ntoken(0x60000E5)+0x82\nfunction @ token(0x60000ED)\n  or:\n    characteristic: unmanaged call @ token(0x60000ED)+0x31\nfunction @ token(0x60000F4)\n  or:\n    characteristic: unmanaged call @ token(0x60000F4)+0x17\nfunction @ token(0x6000176)\n  or:\n    characteristic: unmanaged call @ token(0x6000176)+0x2\nfunction @ token(0x6000177)\n  or:\n    characteristic: unmanaged call @ token(0x6000177)+0x2, token(0x6000177)+0x31\nfunction @ token(0x6000178)\n  or:\n    characteristic: unmanaged call @ token(0x6000178)+0x2, token(0x6000178)+0x32\nfunction @ token(0x6000179)\n  or:\n    characteristic: unmanaged call @ token(0x6000179)+0x2, token(0x6000179)+0x27\nfunction @ token(0x600017A)\n  or:\n    characteristic: unmanaged call @ token(0x600017A)+0x9, token(0x600017A)+0x17, token(0x600017A)+0x25, \ntoken(0x600017A)+0x39, and 1 more...\nfunction @ token(0x600017B)\n  or:\n    characteristic: unmanaged call @ token(0x600017B)+0xF, token(0x600017B)+0x1A, token(0x600017B)+0x28, \ntoken(0x600017B)+0x36, and 1 more...\nfunction @ token(0x600017C)\n  or:\n    characteristic: unmanaged call @ token(0x600017C)+0x3CB, token(0x600017C)+0x3F6\nfunction @ token(0x60001A0)\n  or:\n    characteristic: unmanaged call @ token(0x60001A0)+0x18\nfunction @ token(0x60001A5)\n  or:\n    characteristic: unmanaged call @ token(0x60001A5)+0x48, token(0x60001A5)+0xF5, token(0x60001A5)+0x158\nfunction @ token(0x60001AD)\n  or:\n    characteristic: unmanaged call @ 
token(0x60001AD)+0x105, token(0x60001AD)+0x37D, token(0x60001AD)+0x39E, \ntoken(0x60001AD)+0x441, and 3 more...\nfunction @ token(0x60001AF)\n  or:\n    characteristic: unmanaged call @ token(0x60001AF)+0x52, token(0x60001AF)+0x7E\nfunction @ token(0x60001B0)\n  or:\n    characteristic: unmanaged call @ token(0x60001B0)+0x70, token(0x60001B0)+0xBB, token(0x60001B0)+0xFC, \ntoken(0x60001B0)+0x1D1, and 2 more...\nfunction @ token(0x60001B5)\n  or:\n    characteristic: unmanaged call @ token(0x60001B5)+0x21, token(0x60001B5)+0x43\nfunction @ token(0x60001B7)\n  or:\n    characteristic: unmanaged call @ token(0x60001B7)+0x20, token(0x60001B7)+0x5A, token(0x60001B7)+0x79, \ntoken(0x60001B7)+0xAD, and 7 more...\nfunction @ token(0x60001BA)\n  or:\n    characteristic: unmanaged call @ token(0x60001BA)+0x0, token(0x60001BA)+0x9, token(0x60001BA)+0x1A, \ntoken(0x60001BA)+0x22, and 2 more...\nfunction @ token(0x60001BB)\n  or:\n    characteristic: unmanaged call @ token(0x60001BB)+0x59, token(0x60001BB)+0x90, token(0x60001BB)+0xD7, \ntoken(0x60001BB)+0xFC, and 7 more...\nfunction @ token(0x60001CA)\n  or:\n    characteristic: unmanaged call @ token(0x60001CA)+0x39, token(0x60001CA)+0xAE, token(0x60001CA)+0xF1, \ntoken(0x60001CA)+0x142, and 5 more...\nfunction @ token(0x60001CB)\n  or:\n    characteristic: unmanaged call @ token(0x60001CB)+0x39, token(0x60001CB)+0xA8, token(0x60001CB)+0xEB, \ntoken(0x60001CB)+0x13C, and 8 more...\nfunction @ token(0x60001CC)\n  or:\n    characteristic: unmanaged call @ token(0x60001CC)+0x29, token(0x60001CC)+0x60, token(0x60001CC)+0x74, \ntoken(0x60001CC)+0x9B, and 7 more...\n\ncompiled to the .NET platform\nnamespace  runtime/dotnet                 \nauthor     william.ballenthin@mandiant.com\nscope      file                           \nor:\n  format: 
dotnet\n\n\n\n"},"hashes":{"md5":"9a5ff998dbf0f6923d0b454d89800fb4","sha1":"4f4fa23e9c503b941a5e91584d6ecc3813962ba1","sha256":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 
1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s 
infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    
<span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 574</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 18525</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"now_you\\u2026\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"9a5ff998dbf0f6923d0b454d89800fb4\",\n        \"sha256\": \"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f15\",\n        \"arch\": \"any\",\n        \"os\": \"any\",\n        \"format\": \"dotnet\"\n      }\n    },\n    {\n      \"id\": \"cap_rule_\",\n      \"label\": \"rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Create Registry Key [C0036.004]\",\n        \"Operating\",\n        \"System::Registry::Open Registry Key [C0036.003]\"\n      ]\n    },\n    {\n      \"id\": \"api_Microsoft\",\n      \"label\": \"Microsoft\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_self_delete__3_matches_\",\n      \"label\": \"self delete (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      
\"mitre\": [\n        \"Defense Evasion::Self Deletion::COMSPEC Environment Variable\",\n        \"[F0007.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_System\",\n      \"label\": \"System\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com___mr_tz\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @mr-tz\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Self Deletion::COMSPEC Environment Variable\",\n        \"[F0007.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_geographical_location\",\n      \"label\": \"get geographical location\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery [T1614]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery [T1614]\"\n      ]\n    },\n    {\n      \"id\": \"cap_save_image_in__net\",\n      \"label\": \"save image in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_gather_firefox_profile_information\",\n      \"label\": \"gather firefox profile information\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Credential Access::Credentials from Password 
Stores::Credentials from\",\n        \"Web Browsers [T1555.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______re_fox__still_teamt5_org\",\n      \"label\": \"author     @_re_fox, still@teamt5.org\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Credential Access::Credentials from Password Stores::Credentials from\",\n        \"Web Browsers [T1555.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_sql_statements__2_matches_\",\n      \"label\": \"reference SQL statements (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Data from Information Repositories [T1213]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Data from Information Repositories [T1213]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_wmi_statements\",\n      \"label\": \"reference WMI statements\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Data from Information Repositories [T1213]\"\n      ]\n    },\n    {\n      \"id\": \"cap_log_keystrokes__2_matches_\",\n      \"label\": \"log keystrokes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Input Capture::Keylogging [T1056.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_MapVirtualKey\",\n      \"label\": \"MapVirtualKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com\",\n      
\"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Input Capture::Keylogging [T1056.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_log_keystrokes_via_application_hook\",\n      \"label\": \"log keystrokes via application hook\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Keylogging::Application Hook [F0002.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_SetWindowsHookEx\",\n      \"label\": \"SetWindowsHookEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_log_keystrokes_via_polling__2_matches_\",\n      \"label\": \"log keystrokes via polling (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Keylogging::Polling [F0002.002]\"\n      ]\n    },\n    {\n      \"id\": \"api_VkKeyScan\",\n      \"label\": \"VkKeyScan\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetKeyState\",\n      \"label\": \"GetKeyState\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_mac_address_in__net\",\n      \"label\": \"get MAC address in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_echernofsky_google_com\",\n      \"label\": \"echernofsky@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_capture_screenshot\",\n      \"label\": \"capture screenshot\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      
\"category\": \"\",\n      \"mitre\": [\n        \"Collection::Screen Capture::WinAPI [E1113.m01]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com____re_fox__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Screen Capture::WinAPI [E1113.m01]\"\n      ]\n    },\n    {\n      \"id\": \"cap_receive_data\",\n      \"label\": \"receive data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Receive Data [B0030.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"label\": \"author       william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Receive Data [B0030.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_data\",\n      \"label\": \"send data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Send Data [B0030.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author       william.ballenthin@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Send Data [B0030.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_manipulate_network_credentials_in__net\",\n      \"label\": \"manipulate network credentials in .NET\",\n      \"type\": \"capability\",\n      \"severity\": 
\"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_write_and_execute_a_file__4_matches_\",\n      \"label\": \"write and execute a file (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"launcher\",\n      \"mitre\": [\n        \"Execution::Install Additional Program [B0023]\"\n      ]\n    },\n    {\n      \"id\": \"cap_maec_malware_category__launcher\",\n      \"label\": \"maec/malware-category  launcher\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"launcher\",\n      \"mitre\": [\n        \"Execution::Install Additional Program [B0023]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_http_header\",\n      \"label\": \"read HTTP header\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Read Header [C0002.014]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Read Header [C0002.014]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_http_user_agent_string\",\n      \"label\": \"reference HTTP User-Agent string\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication [C0002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______mr_tz\",\n      \"label\": \"author      @mr-tz\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication [C0002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_http_request\",\n      
\"label\": \"create HTTP request\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Create Request [C0002.012]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_data_from_internet\",\n      \"label\": \"read data from Internet\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Get Response [C0002.017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_receive_http_response\",\n      \"label\": \"receive HTTP response\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Get Response [C0002.017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_http_request\",\n      \"label\": \"send HTTP request\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Send Request [C0002.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Send Request [C0002.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_tcp_socket__3_matches_\",\n      \"label\": \"create TCP socket (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create TCP Socket [C0001.011]\"\n      ]\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com, 
michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create TCP Socket [C0001.011]\"\n      ]\n    },\n    {\n      \"id\": \"cap_act_as_tcp_client\",\n      \"label\": \"act as TCP client\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::TCP Client [C0001.008]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::TCP Client [C0001.008]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_zip_archive_in__net__3_matches_\",\n      \"label\": \"create zip archive in .NET (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_decode_data_using_base64_in__net\",\n      \"label\": \"decode data using Base64 in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Decode Data::Base64 [C0053.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_decode_data_using_base64_via_winapi\",\n      \"label\": \"decode data using Base64 via WinAPI\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Deobfuscate/Decode Files or Information [T1140]\"\n      ]\n    },\n    {\n      \"id\": \"api_CryptStringToBinary\",\n      \"label\": \"CryptStringToBinary\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap_reference_base64_string\",\n      \"label\": \"reference Base64 string\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Encode Data::Base64 [C0026.001]\",\n        \"Data::Check String [C0019]\"\n      ]\n    },\n    {\n      \"id\": \"cap_encrypt_or_decrypt_data_via_bcrypt__2_matches_\",\n      \"label\": \"encrypt or decrypt data via BCrypt (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Decrypt Data [C0031]\",\n        \"Cryptography::Encrypt Data\",\n        \"[C0027]\"\n      ]\n    },\n    {\n      \"id\": \"api_BCryptGenerateSymmetricKey\",\n      \"label\": \"BCryptGenerateSymmetricKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_BCryptCloseAlgorithmProvider\",\n      \"label\": \"BCryptCloseAlgorithmProvider\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_BCryptDestroyKey\",\n      \"label\": \"BCryptDestroyKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_BCryptOpenAlgorithmProvider\",\n      \"label\": \"BCryptOpenAlgorithmProvider\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_BCryptDecrypt\",\n      \"label\": \"BCryptDecrypt\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_encrypt_data_using_dpapi\",\n      \"label\": \"encrypt data using DPAPI\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Encrypt Data [C0027]\"\n      ]\n    },\n    {\n      \"id\": \"api_CryptUnprotectData\",\n      \"label\": \"CryptUnprotectData\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap_generate_random_numbers_in__net\",\n      \"label\": \"generate random numbers in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_contains_pdb_path\",\n      \"label\": \"contains PDB path\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_extract_resource_via_kernel32_functions\",\n      \"label\": \"extract resource via kernel32 functions\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"api_LoadResource\",\n      \"label\": \"LoadResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindResource\",\n      \"label\": \"FindResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SizeofResource\",\n      \"label\": \"SizeofResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LockResource\",\n      \"label\": \"LockResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_check_clipboard_data__2_matches_\",\n      \"label\": \"check clipboard data (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      
]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"cap_monitor_clipboard_content\",\n      \"label\": \"monitor clipboard content\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"api_AddClipboardFormatListener\",\n      \"label\": \"AddClipboardFormatListener\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_read_clipboard_data__2_matches_\",\n      \"label\": \"read clipboard data (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"cap_manipulate_console_buffer__8_matches_\",\n      \"label\": \"manipulate console buffer (8 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Console [C0033]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author      william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      
\"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Console [C0033]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_environment_variable__3_matches_\",\n      \"label\": \"query environment variable (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_drives\",\n      \"label\": \"enumerate drives\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_get_common_file_path__7_matches_\",\n      \"label\": \"get common file path (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_copy_file__7_matches_\",\n      \"label\": \"copy file (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Copy File [C0045]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_directory__8_matches_\",\n      \"label\": \"create directory (8 matches)\",\n      \"type\": 
\"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_directory__2_matches_\",\n      \"label\": \"delete directory (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete Directory [C0048]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_file__12_matches_\",\n      \"label\": \"delete file (12 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_if_directory_exists__15_matches_\",\n      \"label\": \"check if directory exists (15 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [T1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_if_file_exists__22_matches_\",\n      \"label\": \"check if file exists (22 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_files_in__net__6_matches_\",\n      \"label\": \"enumerate files in .NET (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        
\"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_attributes\",\n      \"label\": \"get file attributes\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_size__5_matches_\",\n      \"label\": \"get file size (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_file_attributes__2_matches_\",\n      \"label\": \"set file attributes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Set File Attributes [C0050]\"\n      ]\n    },\n    {\n      \"id\": \"cap_move_file__2_matches_\",\n      \"label\": \"move file (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Move File [C0063]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_file_on_windows__7_matches_\",\n      \"label\": \"read file on Windows (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"api_ReadFile\",\n      \"label\": \"ReadFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n  
  },\n    {\n      \"id\": \"cap_write_file_on_windows__11_matches_\",\n      \"label\": \"write file on Windows (11 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_gui_resources__2_matches_\",\n      \"label\": \"enumerate gui resources (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     johnk3r, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_application_hook__2_matches_\",\n      \"label\": \"set application hook (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"api_UnhookWindowsHookEx\",\n      \"label\": \"UnhookWindowsHookEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_change_the_wallpaper\",\n      \"label\": \"change the wallpaper\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Wallpaper [C0035]\"\n      ]\n    },\n    {\n  
    \"id\": \"api_SystemParametersInfo\",\n      \"label\": \"SystemParametersInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______re_fox\",\n      \"label\": \"author     @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Wallpaper [C0035]\"\n      ]\n    },\n    {\n      \"id\": \"cap_find_taskbar__3_matches_\",\n      \"label\": \"find taskbar (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Taskbar Discovery [B0043]\"\n      ]\n    },\n    {\n      \"id\": \"api_FindWindow\",\n      \"label\": \"FindWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_hide_the_windows_taskbar\",\n      \"label\": \"hide the Windows taskbar\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Hide Artifacts [T1564]\"\n      ]\n    },\n    {\n      \"id\": \"api_ShowWindow\",\n      \"label\": \"ShowWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_find_graphical_window__3_matches_\",\n      \"label\": \"find graphical window (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_hide_graphical_window\",\n      \"label\": \"hide graphical window\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_disk_information\",\n      \"label\": \"get disk information\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_disk_size\",\n      \"label\": \"get disk size\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_allocate_unmanaged_memory_in__net__3_matches_\",\n      \"label\": \"allocate unmanaged memory in .NET (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_manipulate_unmanaged_memory_in__net__14_matches_\",\n      \"label\": \"manipulate unmanaged memory in .NET (14 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_create_or_open_mutex_on_windows\",\n      \"label\": \"create or open mutex on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Mutex [C0042]\"\n      ]\n    },\n    {\n      \"id\": \"cap_mehunhoff_google_com\",\n      \"label\": \"mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Mutex [C0042]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_networking_interfaces\",\n      \"label\": \"get networking interfaces\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Network Configuration Discovery [T1016]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_hostname__2_matches_\",\n      \"label\": \"get hostname (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      
\"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetComputerName\",\n      \"label\": \"GetComputerName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_os_version_in__net\",\n      \"label\": \"get OS version in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_process_image_filename__5_matches_\",\n      \"label\": \"get process image filename (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_create_a_process_with_modified_i_o_handles_and_window__14_matches_\",\n      \"label\": \"create a process with modified I/O handles and window (14 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______matthew_williams_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      matthew.williams@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_process_on_windows__22_matches_\",\n      \"label\": \"create process on Windows (22 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_processes__2_matches_\",\n      \"label\": \"enumerate processes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      
\"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\",\n        \"Discovery::Software Discovery\",\n        \"[T1518]\"\n      ]\n    },\n    {\n      \"id\": \"cap_find_process_by_pid__2_matches_\",\n      \"label\": \"find process by PID (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\"\n      ]\n    },\n    {\n      \"id\": \"cap_find_process_by_name\",\n      \"label\": \"find process by name\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\"\n      ]\n    },\n    {\n      \"id\": \"cap_acquire_debug_privileges\",\n      \"label\": \"acquire debug privileges\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": \"api_AdjustTokenPrivileges\",\n      \"label\": \"AdjustTokenPrivileges\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_modify_access_privileges\",\n      \"label\": \"modify access privileges\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": \"cap_terminate_process__14_matches_\",\n      \"label\": \"terminate process (14 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Process [C0018]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_key__7_matches_\",\n      \"label\": \"query or enumerate registry key (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": 
\"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Key [C0036.005]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_value__2_matches_\",\n      \"label\": \"query or enumerate registry value (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Value [C0036.006]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_registry_value__5_matches_\",\n      \"label\": \"set registry value (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Set Registry Key [C0036.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_registry_key\",\n      \"label\": \"delete registry key\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_registry_value__2_matches_\",\n      \"label\": \"delete registry value (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Value [C0036.007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_session_integrity_level__3_matches_\",\n      \"label\": \"get session integrity level (3 matches)\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_session_user_name__5_matches_\",\n      \"label\": \"get session user name (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\",\n        \"Discovery::Account\",\n        \"Discovery [T1087]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_thread__3_matches_\",\n      \"label\": \"create thread (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"joakim@intezer.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_suspend_thread__9_matches_\",\n      \"label\": \"suspend thread (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Suspend Thread [C0055]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____0x534a_mailbox_org__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     0x534a@mailbox.org, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Suspend Thread [C0055]\"\n      ]\n    },\n    {\n      \"id\": \"cap_access_wmi_data_in__net\",\n      \"label\": \"access WMI data in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": 
[\n        \"Execution::Windows Management Instrumentation [T1047]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_cryptocurrency_strings\",\n      \"label\": \"reference cryptocurrency strings\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::Resource Hijacking [T1496]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::Resource Hijacking [T1496]\"\n      ]\n    },\n    {\n      \"id\": \"cap_disable_system_features_via_registry_on_windows\",\n      \"label\": \"disable system features via registry on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Disable or Evade Security Tools [F0004]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____mehunhoff_google_com\",\n      \"label\": \"author     mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Disable or Evade Security Tools [F0004]\"\n      ]\n    },\n    {\n      \"id\": \"cap__internal___net_file_limitation\",\n      \"label\": \"(internal) .NET file limitation\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author________v1bh475u\",\n      \"label\": \"author       @v1bh475u\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_compile__net_assembly\",\n      \"label\": \"compile .NET assembly\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense 
Evasion::Obfuscated Files or Information::Compile After\",\n        \"Delivery [T1027.004]\"\n      ]\n    },\n    {\n      \"id\": \"cap_invoke__net_assembly_method__2_matches_\",\n      \"label\": \"invoke .NET assembly method (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_load__net_assembly\",\n      \"label\": \"load .NET assembly\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_compile_csharp_in__net\",\n      \"label\": \"compile CSharp in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Obfuscated Files or Information::Compile After\",\n        \"Delivery [T1027.004]\"\n      ]\n    },\n    {\n      \"id\": \"cap_persist_via_default_file_association_registry_key__2_matches_\",\n      \"label\": \"persist via default file association registry key (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Event Triggered Execution::Change Default File\",\n        \"Association [T1546.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______j_j_vannielen_utwente_nl\",\n      \"label\": \"author      j.j.vannielen@utwente.nl\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Event Triggered Execution::Change Default File\",\n        \"Association [T1546.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_persist_via_run_registry_key\",\n      \"label\": \"persist via Run registry key\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Registry Run Keys / Startup Folder [F0012]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Registry Run Keys / Startup Folder [F0012]\"\n      ]\n    },\n    {\n      \"id\": \"cap_schedule_task_via_schtasks__2_matches_\",\n      \"label\": \"schedule task via schtasks (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______0x534a_mailbox_org__j_j_vannielen_utwente_nl\",\n      \"label\": \"author      0x534a@mailbox.org, j.j.vannielen@utwente.nl\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]\"\n      ]\n    },\n    {\n      \"id\": \"cap_unmanaged_call__42_matches_\",\n      \"label\": \"unmanaged call (42 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"label\": \"author       michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": 
\"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_compiled_to_the__net_platform\",\n      \"label\": \"compiled to the .NET platform\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_self_delete__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com___mr_tz\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_geographical_location\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_save_image_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_gather_firefox_profile_information\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox__still_teamt5_org\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_sql_statements__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      
\"target\": \"cap_reference_wmi_statements\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes_via_application_hook\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes_via_polling__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_mac_address_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_echernofsky_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_capture_screenshot\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com____re_fox__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_manipulate_network_credentials_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_and_execute_a_file__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_maec_malware_category__launcher\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_http_header\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_http_user_agent_string\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______mr_tz\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_http_request\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_data_from_internet\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_http_response\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_http_request\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_tcp_socket__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_act_as_tcp_client\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_zip_archive_in__net__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_decode_data_using_base64_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_decode_data_using_base64_via_winapi\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_base64_string\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_encrypt_or_decrypt_data_via_bcrypt__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_encrypt_data_using_dpapi\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_generate_random_numbers_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contains_pdb_path\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_extract_resource_via_kernel32_functions\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n 
     \"source\": \"malware_file\",\n      \"target\": \"cap_check_clipboard_data__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_monitor_clipboard_content\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_clipboard_data__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_manipulate_console_buffer__8_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_environment_variable__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_drives\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_copy_file__7_matches_\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_directory__8_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_directory__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_file__12_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_directory_exists__15_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists__22_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_files_in__net__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_attributes\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_size__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_file_attributes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_move_file__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_file_on_windows__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_file_on_windows__11_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_gui_resources__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_application_hook__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_change_the_wallpaper\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_taskbar__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hide_the_windows_taskbar\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_graphical_window__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hide_graphical_window\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_information\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_size\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n     
 \"source\": \"malware_file\",\n      \"target\": \"cap_allocate_unmanaged_memory_in__net__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_manipulate_unmanaged_memory_in__net__14_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_or_open_mutex_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_networking_interfaces\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_hostname__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_os_version_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_process_image_filename__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_a_process_with_modified_i_o_handles_and_window__14_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______matthew_williams_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_on_windows__22_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_processes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_process_by_pid__2_matches_\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_process_by_name\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_acquire_debug_privileges\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_modify_access_privileges\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_process__14_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_key__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_value__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_registry_value__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_key\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_value__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_session_integrity_level__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_session_user_name__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_thread__3_matches_\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_suspend_thread__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____0x534a_mailbox_org__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_access_wmi_data_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_cryptocurrency_strings\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_disable_system_features_via_registry_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap__internal___net_file_limitation\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author________v1bh475u\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compile__net_assembly\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_invoke__net_assembly_method__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_author_____anushka_virgaonkar_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_load__net_assembly\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compile_csharp_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_persist_via_default_file_association_registry_key__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______j_j_vannielen_utwente_nl\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_persist_via_run_registry_key\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_schedule_task_via_schtasks__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______0x534a_mailbox_org__j_j_vannielen_utwente_nl\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_unmanaged_call__42_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compiled_to_the__net_platform\",\n      \"relationship\": \"exhibits\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-04-29 20:28:57.517569\",\n    
\"total_functions\": \"574\",\n    \"total_features\": \"18525\",\n    \"pdb_path\": \"C:\\\\\\\\Users\\\\\\\\sulum\\\\\\\\OneDrive\\\\\\\\Desktop\\\\\\\\datacenter\\\\\\\\stubCsharp\\\\\\\\obj\\\\\\\\Release\\\\\\\\Clie\\nnt.pdb\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            
.data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n       
     d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) {\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            
svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? \"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-04-29 20:28:59"}
{"_id":{"$oid":"69edc49459a6632dae07de34"},"sha256":"2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009c8d1062316a6130","analysis_data":{"success":true,"results":{"normal":{"success":false,"error":"WARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be       common.py:90\n         compiled with AutoIt.                                                  \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  AutoIt is a freeware BASIC-like common.py:90\n         scripting language designed for automating the Windows                 \n         GUI.                                                                   \nWARNING  capa.capabilities.common:  capa cannot handle AutoIt       common.py:90\n         scripts. This means that the results will be misleading or             \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You may have to analyze the     common.py:90\n         file manually, using a tool like the AutoIt decompiler                 \n         MyAut2Exe.                                                             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         autoit file limitation                                                 \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       
\nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n"},"verbose":{"success":true,"path":"/tmp/sdm_capa_h1fyxxok/001_upx_unpacked.exe_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_h1fyxxok/001_upx_unpacked.exe_very_verbose.txt"}},"outputs":{"normal":"ERROR:\nWARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be       common.py:90\n         compiled with AutoIt.                                                  \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  AutoIt is a freeware BASIC-like common.py:90\n         scripting language designed for automating the Windows                 \n         GUI.                                                                   \nWARNING  capa.capabilities.common:  capa cannot handle AutoIt       common.py:90\n         scripts. This means that the results will be misleading or             \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You may have to analyze the     common.py:90\n         file manually, using a tool like the AutoIt decompiler                 \n         MyAut2Exe.                                                             
\nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         autoit file limitation                                                 \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       \nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n\n\nSTDOUT:\n\n\nSTDERR:\nWARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be       common.py:90\n         compiled with AutoIt.                                                  \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  AutoIt is a freeware BASIC-like common.py:90\n         scripting language designed for automating the Windows                 \n         GUI.                                                                   \nWARNING  capa.capabilities.common:  capa cannot handle AutoIt       common.py:90\n         scripts. This means that the results will be misleading or             \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You may have to analyze the     common.py:90\n         file manually, using a tool like the AutoIt decompiler                 \n         MyAut2Exe.                                                             
\nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         autoit file limitation                                                 \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       \nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n","verbose":"md5                     1a7bbf68c09e364ac325434493133305                        \nsha1                    b6e8fae23eca1afff3e815286136cfbfa7b11eb9                \nsha256                  952afbda734257d5e14c9f4b09bc8bb48a60e37e7c17a9f3f27b0a9…\npath                    /tmp/sdm_unpack_6wnswgjn/2aa5ce3561dc657a157460383c7c9b…\ntimestamp               2026-05-15 14:31:58.018739                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEI0wzIwT/rules                                   \nfunction count          2043                                                    \nlibrary function count  714                                                     \ntotal feature 
count     120247                                                  \n\ncheck for time delay via QueryPerformanceCounter (4 matches)\nnamespace  anti-analysis/anti-debugging/debugger-detection\nscope      function                                       \nmatches    0x469B67                                       \n           0x469B7E                                       \n           0x46AFC6                                       \n           0x46E899                                       \n\ncheck for unmoving mouse cursor (2 matches)\nnamespace  anti-analysis/anti-vm/vm-detection\nscope      function                          \nmatches    0x498EBB                          \n           0x499468                          \n\nlog keystrokes (9 matches)\nnamespace  collection/keylog\nscope      function         \nmatches    0x4034CE         \n           0x41EFAD         \n           0x4624E6         \n           0x462CEB         \n           0x463985         \n           0x46A90B         \n           0x46B04D         \n           0x46B198         \n           0x46B1FD         \n\nlog keystrokes via polling (11 matches)\nnamespace  collection/keylog\nscope      function         \nmatches    0x4028C0         \n           0x41EA9A         \n           0x469B97         \n           0x469EAF         \n           0x46A90B         \n           0x46A975         \n           0x46AABA         \n           0x46ABF8         \n           0x46ADD8         \n           0x46B198         \n           0x499468         \n\ncapture screenshot\nnamespace  collection/screenshot\nscope      function             \nmatches    0x482483             \n\nquery remote server for available data\nnamespace  communication\nscope      basic block  \nmatches    0x47CE38     \n\nreceive data (4 matches)\nnamespace    communication                                                     \ndescription  all known techniques for receiving data from a potential C2 server\nscope        function                         
                                 \nmatches      0x47CD62                                                          \n             0x47CE38                                                          \n             0x48135A                                                          \n             0x481B87                                                          \n\nsend data (3 matches)\nnamespace    communication                                                 \ndescription  all known techniques for sending data to a potential C2 server\nscope        function                                                      \nmatches      0x47C394                                                      \n             0x4814F1                                                      \n             0x481F24                                                      \n\nreceive and write data from server to client\nnamespace  communication/c2/file-transfer\nscope      function                      \nmatches    0x47CD62                      \n\nresolve DNS (3 matches)\nnamespace  communication/dns\nscope      function         \nmatches    0x46DD45         \n           0x480482         \n           0x481288         \n\nconnect network resource\nnamespace    communication/http               \ndescription  connect to disk or print resource\nscope        function                         \nmatches      0x4605C7                         \n\nparse URL\nnamespace  communication/http\nscope      basic block       \nmatches    0x47D012          \n\nconnect to HTTP server (2 matches)\nnamespace  communication/http/client\nscope      function                 \nmatches    0x47C061                 \n           0x47C394                 \n\nconnect to URL\nnamespace  communication/http/client\nscope      instruction              \nmatches    0x47C190                 \n\ncreate HTTP request\nnamespace  communication/http/client\nscope      function                 \nmatches    0x47CC3C                 \n\nread data 
from Internet (2 matches)\nnamespace  communication/http/client\nscope      function                 \nmatches    0x47CD62                 \n           0x47CE38                 \n\nsend HTTP request\nnamespace  communication/http/client\nscope      function                 \nmatches    0x47C394                 \n\nsend ICMP echo request\nnamespace  communication/icmp\nscope      function          \nmatches    0x480482          \n\ncreate pipe (2 matches)\nnamespace  communication/named-pipe/create\nscope      function                       \nmatches    0x4703F0                       \n           0x4704C5                       \n\nconnect socket\nnamespace    communication/socket                                               \ndescription  Detects socket connection attempts using common APIs or ConnectEx  \n             setup.                                                             \nscope        basic block                                                        \nmatches      0x4810AF                                                           \n\nget socket status\nnamespace  communication/socket\nscope      function            \nmatches    0x483070            \n\ninitialize Winsock library (3 matches)\nnamespace  communication/socket\nscope      function            \nmatches    0x46DD45            \n           0x480482            \n           0x4815DA            \n\nset socket configuration (3 matches)\nnamespace  communication/socket\nscope      function            \nmatches    0x480482            \n           0x4819FD            \n           0x482F75            \n\nreceive data on socket (2 matches)\nnamespace  communication/socket/receive\nscope      function                    \nmatches    0x48135A                    \n           0x481B87                    \n\nsend data on socket (2 matches)\nnamespace  communication/socket/send\nscope      function                 \nmatches    0x4814F1                 \n           0x481F24                 \n\nconnect TCP 
socket\nnamespace  communication/socket/tcp\nscope      function                \nmatches    0x480FDF                \n\ncreate TCP socket (2 matches)\nnamespace  communication/socket/tcp\nscope      basic block             \nmatches    0x481033                \n           0x481197                \n\ncreate UDP socket (2 matches)\nnamespace  communication/socket/udp/send\nscope      basic block                  \nmatches    0x48177E                     \n           0x4819FD                     \n\nact as TCP client\nnamespace  communication/tcp/client\nscope      function                \nmatches    0x480FDF                \n\ncompiled with AutoIt\nnamespace  compiler/autoit\nscope      file           \n\nhash data with CRC32\nnamespace  data-manipulation/checksum/crc32\nscope      function                        \nmatches    0x4823E8                        \n\nencode data using Base64\nnamespace  data-manipulation/encoding/base64\nscope      function                         \nmatches    0x41BEAD                         \n\nencode data using XOR (7 matches)\nnamespace  data-manipulation/encoding/xor\nscope      basic block                   \nmatches    0x4695EE                      \n           0x471F30                      \n           0x471F9C                      \n           0x471FD6                      \n           0x47284B                      \n           0x472ABF                      \n           0x47D73F                      \n\nhash data using djb2\nnamespace  data-manipulation/hashing/djb2\nscope      function                      \nmatches    0x408273                      \n\nauthenticate HMAC\nnamespace  data-manipulation/hmac\nscope      function              \nmatches    0x41BEAD              \n\ngenerate random numbers using a Mersenne Twister (4 matches)\nnamespace  data-manipulation/prng/mersenne\nscope      function                       \nmatches    0x471E7A                       \n           0x471EC0                       \n           
0x471F24                       \n           0x471F64                       \n\nextract resource via kernel32 functions\nnamespace  executable/resource\nscope      function           \nmatches    0x406122           \n\nlist drag and drop files\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x47EA26                  \n\nopen clipboard (2 matches)\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x47EA26                  \n           0x47EC91                  \n\nread clipboard data\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x47EA26                  \n\nwrite clipboard data\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x47EC91                  \n\ninteract with driver via IOCTL (4 matches)\nnamespace  host-interaction/driver\nscope      instruction            \nmatches    0x46D563               \n           0x46D5DD               \n           0x46D690               \n           0x473D73               \n\nget COMSPEC environment variable\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x41D70E                             \n\nquery environment variable (3 matches)\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x41D70E                             \n           0x47EE14                             \n           0x487559                             \n\nset environment variable (2 matches)\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x43D170                             \n           0x47EE84                             \n\nget common file path (9 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x40445D                    \n           0x41D70E              
      \n           0x41F962                    \n           0x46DE45                    \n           0x472F35                    \n           0x4779B4                    \n           0x477D0E                    \n           0x4780B3                    \n           0x48AF20                    \n\nset current directory (7 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x40445D                    \n           0x40AD7C                    \n           0x4753D4                    \n           0x477D0E                    \n           0x4780B3                    \n           0x479560                    \n           0x4796BB                    \n\ncopy file (3 matches)\nnamespace  host-interaction/file-system/copy\nscope      function                         \nmatches    0x46CE1E                         \n           0x46D1BA                         \n           0x472865                         \n\ncreate directory (2 matches)\nnamespace  host-interaction/file-system/create\nscope      function                           \nmatches    0x46D1DF                           \n           0x473C3C                           \n\ndelete directory (2 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    0x46E77B                           \n           0x473C3C                           \n\ndelete file (6 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    0x46CF94                           \n           0x46D2C7                           \n           0x46E77B                           \n           0x472865                           \n           0x4755F7                           \n           0x4778BA                           \n\ncheck if file exists (3 matches)\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    0x46D1DF                           \n     
      0x46DADC                           \n           0x46E0B7                           \n\nenumerate files on Windows (6 matches)\nnamespace  host-interaction/file-system/files/list\nscope      function                               \nmatches    0x46CF94                               \n           0x46D2C7                               \n           0x475BB5                               \n           0x479560                               \n           0x4796BB                               \n           0x479A49                               \n\nenumerate files recursively (3 matches)\nnamespace  host-interaction/file-system/files/list\nscope      function                               \nmatches    0x479560                               \n           0x4796BB                               \n           0x479A49                               \n\nget file attributes (5 matches)\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    0x46D1DF                         \n           0x46DAFA                         \n           0x46E0B7                         \n           0x477F04                         \n           0x4795B8                         \n\nget file size (2 matches)\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    0x482A05                         \n           0x498461                         \n\nget file version info\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    0x46DB2C                         \n\nset file attributes (2 matches)\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    0x477F04                         \n           0x4795B8                         \n\nmove file (3 matches)\nnamespace  host-interaction/file-system/move\nscope      function                         \nmatches    0x46CE1E                         \n           0x46CF94              
           \n           0x46E319                         \n\nread .ini file (4 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x4783FD                         \n           0x4784BF                         \n           0x4787FC                         \n           0x478A19                         \n\nread file on Windows (9 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x406A95                         \n           0x40B230                         \n           0x40B3B0                         \n           0x43921B                         \n           0x47070D                         \n           0x472475                         \n           0x4725B1                         \n           0x482A05                         \n           0x498461                         \n\nclear file content\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    0x477FD5                          \n\nwrite file on Windows (7 matches)\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    0x41F5B3                          \n           0x46CC1D                          \n           0x470633                          \n           0x4725F5                          \n           0x472642                          \n           0x472865                          \n           0x47CD62                          \n\nenumerate gui resources\nnamespace  host-interaction/gui\nscope      function            \nmatches    0x464144            \n\nfind taskbar (3 matches)\nnamespace  host-interaction/gui/taskbar/find\nscope      basic block                      \nmatches    0x41EFCE                         \n           0x492255                         \n           0x492289                         \n\nfind graphical window (4 matches)\nnamespace  
host-interaction/gui/window/find\nscope      instruction                     \nmatches    0x41EFD4                        \n           0x46E645                        \n           0x49225F                        \n           0x49229F                        \n\nget graphical window text (11 matches)\nnamespace  host-interaction/gui/window/get-text\nscope      function                            \nmatches    0x461A70                            \n           0x46359E                            \n           0x463B0C                            \n           0x46489C                            \n           0x464BD3                            \n           0x465B9A                            \n           0x47E8F7                            \n           0x491E0D                            \n           0x4947A8                            \n           0x496FA4                            \n           0x4972B7                            \n\nhide graphical window (8 matches)\nnamespace  host-interaction/gui/window/hide\nscope      basic block                     \nmatches    0x45F0F9                        \n           0x4827C2                        \n           0x49015D                        \n           0x4950F2                        \n           0x496B61                        \n           0x49813A                        \n           0x4981BF                        \n           0x49A198                        \n\nget keyboard layout\nnamespace  host-interaction/hardware/keyboard\nscope      function                          \nmatches    0x41D70E                          \n\nget memory capacity\nnamespace  host-interaction/hardware/memory\nscope      function                        \nmatches    0x41F370                        \n\nget disk information (6 matches)\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x473D97                         \n           0x4743DE                         \n           0x474776              
           \n           0x474844                         \n           0x474912                         \n           0x4749FD                         \n\nget disk size (3 matches)\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x4750EB                         \n           0x4751CE                         \n           0x4752B1                         \n\nget storage device properties (2 matches)\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x46D509                         \n           0x46D588                         \n\nprint debug messages\nnamespace  host-interaction/log/debug/write-event\nscope      function                              \nmatches    0x41F5B3                              \n\nshutdown system\nnamespace  host-interaction/os\nscope      function           \nmatches    0x46E814           \n\nget hostname (2 matches)\nnamespace  host-interaction/os/hostname\nscope      function                    \nmatches    0x41D70E                    \n           0x46DD45                    \n\nget system information on Windows\nnamespace  host-interaction/os/info\nscope      function                \nmatches    0x40615E                \n\ncreate process on Windows (6 matches)\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    0x4437E0                       \n           0x46134A                       \n           0x461472                       \n           0x48AD7A                       \n           0x48B2C1                       \n           0x498064                       \n\nallocate or change RWX memory\nnamespace  host-interaction/process/inject\nscope      basic block                    \nmatches    0x489881                       \n\nenumerate processes (2 matches)\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    0x46D3FA                     \n          
 0x48A5A3                     \n\nacquire debug privileges\nnamespace  host-interaction/process/modify\nscope      basic block                    \nmatches    0x48A0B6                       \n\nmodify access privileges (2 matches)\nnamespace  host-interaction/process/modify\nscope      instruction                    \nmatches    0x461018                       \n           0x46167E                       \n\nterminate process (3 matches)\nnamespace  host-interaction/process/terminate\nscope      function                          \nmatches    0x46EA3E                          \n           0x487E80                          \n           0x48A009                          \n\nempty the recycle bin\nnamespace  host-interaction/recycle-bin\nscope      function                    \nmatches    0x477953                    \n\nquery or enumerate registry key (2 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    0x48B8F0                 \n           0x48CB5B                 \n\nquery or enumerate registry value (5 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    0x40533E                 \n           0x4059A7                 \n           0x4605C7                 \n           0x48BB02                 \n           0x48BD6B                 \n\nset registry value\nnamespace  host-interaction/registry/create\nscope      function                        \nmatches    0x48C2DE                        \n\ndelete registry key (2 matches)\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    0x48B535                        \n           0x48CB5B                        \n\ndelete registry value\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    0x48B535                        \n\nget session user name\nnamespace  host-interaction/session\nscope      function                \nmatches    0x41D70E            
    \n\nget token membership\nnamespace  host-interaction/session\nscope      function                \nmatches    0x4615A7                \n\nget token privileges\nnamespace  host-interaction/session\nscope      function                \nmatches    0x460F58                \n\ncreate thread (5 matches)\nnamespace  host-interaction/thread/create\nscope      basic block                   \nmatches    0x461747                      \n           0x46E114                      \n           0x470870                      \n           0x470870                      \n           0x47D13B                      \n\nterminate thread\nnamespace  host-interaction/thread/terminate\nscope      basic block                      \nmatches    0x4708A6                         \n\nimpersonate user\nnamespace  host-interaction/user\nscope      function             \nmatches    0x461145             \n\nlink function at runtime on Windows (13 matches)\nnamespace  linking/runtime-linking\nscope      instruction            \nmatches    0x4062E6               \n           0x406816               \n           0x406850               \n           0x45DB5B               \n           0x432FC7               \n           0x432FC7               \n           0x4671A3               \n           0x483FF4               \n           0x488EF7               \n           0x488F13               \n           0x488F59               \n           0x48B82B               \n           0x48CBF6               \n\nparse PE header\nnamespace  load-code/pe\nscope      function    \nmatches    0x40B7E0    \n\nresolve function by parsing PE exports (15 matches)\nnamespace  load-code/pe\nscope      function    \nmatches    0x401641    \n           0x408BAA    \n           0x4095C0    \n           0x40A180    \n           0x40AD7C    \n           0x40D840    \n           0x410540    \n           0x41BEAD    \n           0x466502    \n           0x4681EE    \n           0x4763AC    \n           0x476E0F    \n           0x47902A    
\n           0x487E80    \n           0x490F26    \n\nexecute shellcode via indirect call\nnamespace  load-code/shellcode\nscope      function           \nmatches    0x4895BB           \n\ncreate shortcut via IShellLink (2 matches)\nnamespace  persistence\nscope      function   \nmatches    0x47573C   \n           0x4763AC   \n\n\n\n","very_verbose":"md5                     1a7bbf68c09e364ac325434493133305                        \nsha1                    b6e8fae23eca1afff3e815286136cfbfa7b11eb9                \nsha256                  952afbda734257d5e14c9f4b09bc8bb48a60e37e7c17a9f3f27b0a9…\npath                    /tmp/sdm_unpack_6wnswgjn/2aa5ce3561dc657a157460383c7c9b…\ntimestamp               2026-05-15 14:32:59.377830                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEIysW1Ae/rules                                   \nfunction count          2043                                                    \nlibrary function count  714                                                     \ntotal feature count     120247                                                  \n\nallocate memory (2 matches, only showing first match of library rule)\nauthor  0x534a@mailbox.org, @mr-tz     \nscope   basic block                    \nmbc     Memory::Allocate Memory [C0007]\nbasic block @ 0x46B26C in function 0x46B248\n  or:\n    api: VirtualAllocEx @ 0x46B299\n\nallocate or change RW memory (library 
rule)\nauthor  0x534a@mailbox.org, @mr-tz     \nscope   basic block                    \nmbc     Memory::Allocate Memory [C0007]\nbasic block @ 0x46B26C in function 0x46B248\n  and:\n    or:\n      match: allocate memory @ 0x46B26C\n        or:\n          api: VirtualAllocEx @ 0x46B299\n    or:\n      number: 0x4 = PAGE_READWRITE @ 0x46B289\n\ncalculate modulo 256 via x86 assembly (9 matches, only showing first match of \nlibrary rule)\nauthor  moritz.raabe@mandiant.com\nscope   instruction              \nmbc     Data::Modulo [C0058]     \ninstruction @ 0x436DAA\n  and:\n    or:\n      arch: i386\n    mnemonic: and @ 0x436DAA\n    or:\n      number: 0xFF @ 0x436DAA\n\ncontain loop (489 matches, only showing first match of library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ 0x401202\n  or:\n    characteristic: loop @ 0x401202\n\ncreate or open file (13 matches, only showing first match of library rule)\nauthor  michael.hunhoff@mandiant.com, joakim@intezer.com\nscope   instruction                                     \nmbc     File System::Create File [C0016]                \ninstruction @ 0x407113\n  or:\n    api: CreateFile @ 0x407113\n\ncreate or open registry key (9 matches, only showing first match of library \nrule)\nauthor  michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope   basic block                                                             \nmbc     Operating System::Registry::Create Registry Key [C0036.004], Operating  \n        System::Registry::Open Registry Key [C0036.003]                         \nbasic block @ 0x40533E in function 0x40533E\n  or:\n    api: RegOpenKeyEx @ 0x40545B\n\ndelay execution (37 matches, only showing first match of library rule)\nauthor      michael.hunhoff@mandiant.com, @ramen0x3f                            \nscope       basic block                                                         \nmbc         Anti-Behavioral Analysis::Dynamic Analysis 
Evasion::Delayed         \n            Execution [B0003.003]                                               \nreferences  https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions, \n            https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/T…\nbasic block @ 0x40F4AF in function 0x40F060\n  or:\n    and:\n      os: windows\n      or:\n        api: Sleep @ 0x40F4B1\n\nget OS version (library rule)\nauthor  @mr-tz  \nscope   function\nfunction @ 0x40615E\n  or:\n    api: GetVersionEx @ 0x40618D\n\nopen process (7 matches, only showing first match of library rule)\nauthor  0x534a@mailbox.org           \nscope   basic block                  \nmbc     Process::Open Process [C0065]\nbasic block @ 0x46B26C in function 0x46B248\n  or:\n    api: OpenProcess @ 0x46B283\n\nwrite process memory (library rule)\nauthor  moritz.raabe@mandiant.com                 \nscope   instruction                               \natt&ck  Defense Evasion::Process Injection [T1055]\ninstruction @ 0x46B34B\n  or:\n    api: WriteProcessMemory @ 0x46B34B\n\ncheck for time delay via QueryPerformanceCounter (4 matches)\nnamespace  anti-analysis/anti-debugging/debugger-detection                      \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \nmbc        Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check     \n           QueryPerformanceCounter [B0001.033]                                  \nfunction @ 0x469B67\n  and:\n    count(api(QueryPerformanceCounter)): 2 or more @ 0x46AFE2, 0x46B011\nfunction @ 0x469B7E\n  and:\n    count(api(QueryPerformanceCounter)): 2 or more @ 0x46AFE2, 0x46B011\nfunction @ 0x46AFC6\n  and:\n    count(api(QueryPerformanceCounter)): 2 or more @ 0x46AFE2, 0x46B011\nfunction @ 0x46E899\n  and:\n    count(api(QueryPerformanceCounter)): 2 or more @ 0x46E8B5, 0x46E8D5\n\ncheck for unmoving mouse cursor (2 
matches)\nnamespace   anti-analysis/anti-vm/vm-detection                                  \nauthor      BitsOfBinary                                                        \nscope       function                                                            \natt&ck      Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based\n            Checks [T1497.002]                                                  \nmbc         Anti-Behavioral Analysis::Virtual Machine Detection::Human User     \n            Check [B0009.012]                                                   \nreferences  https://www.joesecurity.org/blog/5852460122427342172                \nfunction @ 0x498EBB\n  and:\n    count(api(GetCursorPos)): 2 or more @ 0x498EF3, 0x498F50\nfunction @ 0x499468\n  and:\n    count(api(GetCursorPos)): 2 or more @ 0x49990B, 0x499A5A\n\nlog keystrokes (9 matches)\nnamespace  collection/keylog                                \nauthor     moritz.raabe@mandiant.com                        \nscope      function                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]\nfunction @ 0x4034CE\n  or:\n    api: MapVirtualKey @ 0x4034FF, 0x403507, 0x403512, 0x40351D, and 2 more...\nfunction @ 0x41EFAD\n  or:\n    api: AttachThreadInput @ 0x41F029, 0x41F031, 0x41F039, 0x41F0AD, and 2 more...\n    api: MapVirtualKey @ 0x41F055, 0x41F06A, 0x41F078, 0x41F087\nfunction @ 0x4624E6\n  or:\n    api: MapVirtualKey @ 0x462501, 0x46252D, 0x462553\nfunction @ 0x462CEB\n  or:\n    api: AttachThreadInput @ 0x462D28\nfunction @ 0x463985\n  or:\n    api: AttachThreadInput @ 0x4639AD\nfunction @ 0x46A90B\n  or:\n    api: MapVirtualKey @ 0x46A93A, 0x46A956\nfunction @ 0x46B04D\n  or:\n    api: AttachThreadInput @ 0x46B099, 0x46B0C4, 0x46B0D6, 0x46B11B, and 2 more...\nfunction @ 0x46B198\n  or:\n    api: MapVirtualKey @ 0x46B1CD\nfunction @ 0x46B1FD\n  or:\n    api: MapVirtualKey @ 0x46B21B\n\nlog keystrokes via polling (11 matches)\nnamespace  
collection/keylog                                \nauthor     michael.hunhoff@mandiant.com                     \nscope      function                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]\nmbc        Collection::Keylogging::Polling [F0002.002]      \nfunction @ 0x4028C0\n  or:\n    api: VkKeyScan @ 0x442F79, 0x442F89, 0x442FD2\nfunction @ 0x41EA9A\n  or:\n    api: GetAsyncKeyState @ 0x41EB02, 0x41EB1C\nfunction @ 0x469B97\n  or:\n    api: GetAsyncKeyState @ 0x469C40, 0x469C75, 0x469CA2, 0x469CCC, and 1 more...\n    api: GetKeyState @ 0x469C5B, 0x469C8A, 0x469CB4, 0x469CDE, and 1 more...\n    api: GetKeyboardState @ 0x469BBF\nfunction @ 0x469EAF\n  or:\n    api: GetAsyncKeyState @ 0x469FBB, 0x46A001, 0x46A03E, 0x46A075, and 1 more...\n    api: GetKeyState @ 0x469FD2, 0x46A012, 0x46A04C, 0x46A083, and 1 more...\n    api: GetKeyboardState @ 0x469F30\nfunction @ 0x46A90B\n  or:\n    api: GetKeyState @ 0x46A91B\nfunction @ 0x46A975\n  or:\n    api: GetKeyboardState @ 0x46A9CA\nfunction @ 0x46AABA\n  or:\n    api: GetKeyboardState @ 0x46AB0F\nfunction @ 0x46ABF8\n  or:\n    api: GetKeyboardState @ 0x46AC4C\nfunction @ 0x46ADD8\n  or:\n    api: GetKeyboardState @ 0x46AE2C\nfunction @ 0x46B198\n  or:\n    api: VkKeyScan @ 0x46B1B0\nfunction @ 0x499468\n  or:\n    api: GetKeyState @ 0x49967D, 0x49968A, 0x4996AA\n\ncapture screenshot\nnamespace  collection/screenshot                                            \nauthor     moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com\nscope      function                                                         \natt&ck     Collection::Screen Capture [T1113]                               \nmbc        Collection::Screen Capture::WinAPI [E1113.m01]                   \nfunction @ 0x482483\n  or:\n    and:\n      or:\n        api: GetDC @ 0x4824FF\n      or:\n        api: GetDIBits @ 0x4825D3, 0x4825F7\n      api: CreateCompatibleDC @ 0x48251B\n      api: CreateCompatibleBitmap @ 
0x48250F\n\nquery remote server for available data\nnamespace  communication               \nauthor     michael.hunhoff@mandiant.com\nscope      basic block                 \nbasic block @ 0x47CE38 in function 0x47CE38\n  or:\n    api: InternetQueryDataAvailable @ 0x47CE56\n\nreceive data (4 matches)\nnamespace    communication                                                     \nauthor       william.ballenthin@mandiant.com                                   \nscope        function                                                          \nmbc          Command and Control::C2 Communication::Receive Data [B0030.002]   \ndescription  all known techniques for receiving data from a potential C2 server\nfunction @ 0x47CD62\n  or:\n    match: read data from Internet @ 0x47CD62\n      and:\n        or:\n          api: InternetReadFile @ 0x47CDA7\nfunction @ 0x47CE38\n  or:\n    match: read data from Internet @ 0x47CE38\n      and:\n        or:\n          api: InternetReadFile @ 0x47CE8D\nfunction @ 0x48135A\n  or:\n    match: receive data on socket @ 0x48135A\n      or:\n        api: recv @ 0x481403\nfunction @ 0x481B87\n  or:\n    match: receive data on socket @ 0x481B87\n      or:\n        api: recvfrom @ 0x481D08\n\nsend data (3 matches)\nnamespace    communication                                                 \nauthor       william.ballenthin@mandiant.com, joakim@intezer.com           \nscope        function                                                      \nmbc          Command and Control::C2 Communication::Send Data [B0030.001]  \ndescription  all known techniques for sending data to a potential C2 server\nfunction @ 0x47C394\n  or:\n    and:\n      os: windows\n      or:\n        match: send HTTP request @ 0x47C394\n          or:\n            and:\n              or:\n                api: HttpOpenRequest @ 0x47C40E\n                api: InternetConnect @ 0x47C3CE\n              or:\n                api: HttpSendRequest @ 0x47C472\nfunction @ 0x4814F1\n  or:\n 
   and:\n      os: windows\n      or:\n        match: send data on socket @ 0x4814F1\n          or:\n            api: send @ 0x481525\nfunction @ 0x481F24\n  or:\n    and:\n      os: windows\n      or:\n        match: send data on socket @ 0x481F24\n          or:\n            api: sendto @ 0x482063\n\ndownload and write a file\nnamespace              communication/c2/file-transfer                           \nmaec/malware-category  downloader                                               \nauthor                 moritz.raabe@mandiant.com                                \nscope                  function                                                 \natt&ck                 Command and Control::Ingress Tool Transfer [T1105]       \nmbc                    Command and Control::C2 Communication::Server to Client  \n                       File Transfer [B0030.003]                                \nfunction @ 0x47CD62\n  and:\n    match: receive data @ 0x47CD62\n      or:\n        match: read data from Internet @ 0x47CD62\n          and:\n            or:\n              api: InternetReadFile @ 0x47CDA7\n    match: host-interaction/file-system/write @ 0x47CD62\n      or:\n        and:\n          os: windows\n          or:\n            api: _fwrite @ 0x47CDC3\n            api: fwrite @ 0x47CDC3\n\nreceive and write data from server to client\nnamespace  communication/c2/file-transfer \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ 0x47CD62\n  and:\n    match: receive data @ 0x47CD62\n      or:\n        match: read data from Internet @ 0x47CD62\n          and:\n            or:\n              api: InternetReadFile @ 0x47CDA7\n    match: host-interaction/file-system/write @ 0x47CD62\n      or:\n        and:\n          os: windows\n          or:\n            api: _fwrite @ 0x47CDC3\n            api: fwrite @ 0x47CDC3\n\nresolve DNS (3 matches)\nnamespace  communication/dns                                                    
\nauthor     william.ballenthin@mandiant.com, johnk3r, joakim@intezer.com,        \n           michael.hunhoff@mandiant.com                                         \nscope      function                                                             \nmbc        Communication::DNS Communication::Resolve [C0011.001]                \nfunction @ 0x46DD45\n  or:\n    api: gethostbyname @ 0x46DD87\nfunction @ 0x480482\n  or:\n    api: gethostbyname @ 0x48054F\nfunction @ 0x481288\n  or:\n    api: gethostbyname @ 0x4812B7\n\nconnect network resource\nnamespace    communication/http               \nauthor       michael.hunhoff@mandiant.com     \nscope        function                         \ndescription  connect to disk or print resource\nfunction @ 0x4605C7\n  and:\n    or:\n      api: WNetAddConnection2 @ 0x46068B\n\nparse URL\nnamespace  communication/http          \nauthor     michael.hunhoff@mandiant.com\nscope      basic block                 \nbasic block @ 0x47D012 in function 0x47D012\n  or:\n    api: InternetCrackUrl @ 0x47D058\n\nconnect to HTTP server (2 matches)\nnamespace  communication/http/client                                       \nauthor     michael.hunhoff@mandiant.com                                    \nscope      function                                                        \nmbc        Communication::HTTP Communication::Connect to Server [C0002.009]\nfunction @ 0x47C061\n  and:\n    api: InternetConnect @ 0x47C0A0\nfunction @ 0x47C394\n  and:\n    api: InternetConnect @ 0x47C3CE\n\nconnect to URL\nnamespace  communication/http/client                              \nauthor     michael.hunhoff@mandiant.com                           \nscope      instruction                                            \nmbc        Communication::HTTP Communication::Open URL [C0002.004]\ninstruction @ 0x47C190\n  and:\n    api: InternetOpenUrl @ 0x47C190\n\ncreate HTTP request\nnamespace  communication/http/client                                    \nauthor     
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Create Request [C0002.012]\nfunction @ 0x47CC3C\n  and:\n    or:\n      api: InternetOpen @ 0x47CC9B\n\nread data from Internet (2 matches)\nnamespace  communication/http/client                                    \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Get Response [C0002.017]  \nfunction @ 0x47CD62\n  and:\n    or:\n      api: InternetReadFile @ 0x47CDA7\nfunction @ 0x47CE38\n  and:\n    or:\n      api: InternetReadFile @ 0x47CE8D\n\nsend HTTP request\nnamespace  communication/http/client                                  \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com    \nscope      function                                                   \nmbc        Communication::HTTP Communication::Send Request [C0002.003]\nfunction @ 0x47C394\n  or:\n    and:\n      or:\n        api: HttpOpenRequest @ 0x47C40E\n        api: InternetConnect @ 0x47C3CE\n      or:\n        api: HttpSendRequest @ 0x47C472\n\nsend ICMP echo request\nnamespace   communication/icmp                                         \nauthor      michael.hunhoff@mandiant.com                               \nscope       function                                                   \nmbc         Communication::ICMP Communication::Echo Request [C0014.002]\nreferences  https://docs.microsoft.com/en-us/windows/win32/api/icmpapi/\nfunction @ 0x480482\n  and:\n    or:\n      api: IcmpSendEcho @ 0x4805ED, 0x48060C\n    optional:\n      or:\n        api: IcmpCreateFile @ 0x48055D\n      api: IcmpCloseHandle @ 0x4806E0\n\ncreate pipe (2 matches)\nnamespace  communication/named-pipe/create                                   \nauthor     moritz.raabe@mandiant.com, 
michael.hunhoff@mandiant.com           \nscope      function                                                          \nmbc        Communication::Interprocess Communication::Create Pipe [C0003.001]\nfunction @ 0x4703F0\n  or:\n    api: CreatePipe @ 0x47044C\nfunction @ 0x4704C5\n  or:\n    api: CreatePipe @ 0x47051F\n\nconnect socket\nnamespace    communication/socket                                               \nauthor       moritz.raabe@mandiant.com, joakim@intezer.com,                     \n             mrhafizfarhad@gmail.com                                            \nscope        basic block                                                        \ndescription  Detects socket connection attempts using common APIs or ConnectEx  \n             setup.                                                             \nbasic block @ 0x4810AF in function 0x480FDF\n  or:\n    api: connect @ 0x4810B6\n\nget socket status\nnamespace  communication/socket                                              \nauthor     michael.hunhoff@mandiant.com                                      \nscope      function                                                          \natt&ck     Discovery::System Network Configuration Discovery [T1016]         \nmbc        Communication::Socket Communication::Get Socket Status [C0001.012]\nfunction @ 0x483070\n  or:\n    api: select @ 0x4830BC\n\ninitialize Winsock library (3 matches)\nnamespace  communication/socket                                                 \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \nmbc        Communication::Socket Communication::Initialize Winsock Library      \n           [C0001.009]                                                          \nfunction @ 0x46DD45\n  or:\n    api: WSAStartup @ 0x46DD60\nfunction @ 0x480482\n  or:\n    api: WSAStartup @ 0x4804E3\nfunction @ 0x4815DA\n  or:\n    api: 
WSAStartup @ 0x4815F5\n\nset socket configuration (3 matches)\nnamespace  communication/socket                                              \nauthor     michael.hunhoff@mandiant.com                                      \nscope      function                                                          \nmbc        Communication::Socket Communication::Set Socket Config [C0001.001]\nfunction @ 0x480482\n  or:\n    api: ioctlsocket @ 0x480543\nfunction @ 0x4819FD\n  or:\n    api: setsockopt @ 0x481AB1\nfunction @ 0x482F75\n  or:\n    api: ioctlsocket @ 0x482FA1\n\nreceive data on socket (2 matches)\nnamespace  communication/socket/receive                                         \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           michael.hunhoff@mandiant.com                                         \nscope      function                                                             \nmbc        Communication::Socket Communication::Receive Data [C0001.006]        \nfunction @ 0x48135A\n  or:\n    api: recv @ 0x481403\nfunction @ 0x481B87\n  or:\n    api: recvfrom @ 0x481D08\n\nsend data on socket (2 matches)\nnamespace  communication/socket/send                                            \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Communication::Socket Communication::Send Data [C0001.007]           \nfunction @ 0x4814F1\n  or:\n    api: send @ 0x481525\nfunction @ 0x481F24\n  or:\n    api: sendto @ 0x482063\n\nconnect TCP socket\nnamespace  communication/socket/tcp                                             \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           mrhafizfarhad@gmail.com                                              \nscope      function                                     
                        \nmbc        Communication::Socket Communication::Connect Socket [C0001.004]      \nfunction @ 0x480FDF\n  and:\n    match: create TCP socket @ 0x481033\n      or:\n        and:\n          or:\n            number: 0x6 = IPPROTO_TCP @ 0x481033\n          number: 0x1 = SOCK_STREAM @ 0x481035\n          number: 0x2 = AF_INET @ 0x481037\n          or:\n            api: socket @ 0x481039\n    match: connect socket @ 0x4810AF\n      or:\n        api: connect @ 0x4810B6\n\ncreate TCP socket (2 matches)\nnamespace   communication/socket/tcp                                            \nauthor      william.ballenthin@mandiant.com, joakim@intezer.com,                \n            anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com       \nscope       basic block                                                         \nmbc         Communication::Socket Communication::Create TCP Socket [C0001.011]  \nreferences  https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-win…\n            https://man7.org/linux/man-pages/man2/socket.2.html                 \nbasic block @ 0x481033 in function 0x480FDF\n  or:\n    and:\n      or:\n        number: 0x6 = IPPROTO_TCP @ 0x481033\n      number: 0x1 = SOCK_STREAM @ 0x481035\n      number: 0x2 = AF_INET @ 0x481037\n      or:\n        api: socket @ 0x481039\nbasic block @ 0x481197 in function 0x48112B\n  or:\n    and:\n      or:\n        number: 0x6 = IPPROTO_TCP @ 0x481197\n      number: 0x1 = SOCK_STREAM @ 0x481199\n      number: 0x2 = AF_INET @ 0x48119B\n      or:\n        api: socket @ 0x48119D\n\ncreate UDP socket (2 matches)\nnamespace   communication/socket/udp/send                                       \nauthor      moritz.raabe@mandiant.com, joakim@intezer.com,                      \n            michael.hunhoff@mandiant.com                                        \nscope       basic block                                                         \nmbc         Communication::Socket 
Communication::Create UDP Socket [C0001.010]  \nreferences  https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-win…\n            https://man7.org/linux/man-pages/man2/socket.2.html                 \nbasic block @ 0x48177E in function 0x48172D\n  or:\n    and:\n      number: 0x2 = AF_INET @ 0x481780, 0x481782\n      or:\n        number: 0x11 = IPPROTO_UDP @ 0x48177E\n      or:\n        api: socket @ 0x481784\nbasic block @ 0x4819FD in function 0x4819FD\n  or:\n    and:\n      number: 0x2 = AF_INET @ 0x481A20, 0x481A22\n      or:\n        number: 0x11 = IPPROTO_UDP @ 0x481A1E\n      or:\n        api: socket @ 0x481A24\n\nact as TCP client\nnamespace  communication/tcp/client                                     \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                                     \nmbc        Communication::Socket Communication::TCP Client [C0001.008]  \nfunction @ 0x480FDF\n  or:\n    match: connect TCP socket @ 0x480FDF\n      and:\n        match: create TCP socket @ 0x481033\n          or:\n            and:\n              or:\n                number: 0x6 = IPPROTO_TCP @ 0x481033\n              number: 0x1 = SOCK_STREAM @ 0x481035\n              number: 0x2 = AF_INET @ 0x481037\n              or:\n                api: socket @ 0x481039\n        match: connect socket @ 0x4810AF\n          or:\n            api: connect @ 0x4810B6\n\ncompiled with AutoIt\nnamespace   compiler/autoit                                                     \nauthor      william.ballenthin@mandiant.com                                     \nscope       file                                                                \natt&ck      Execution::Command and Scripting Interpreter [T1059]                \nreferences  https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malwar…\nor:\n  string: \"AutoIt Error\" @ file+0xD5910\n  string: \">>>AUTOIT NO CMDEXECUTE<<<\" @ file+0x9BF64\n  string: 
\"#requireadmin\" @ file+0x9EB28\n  string: \"#OnAutoItStartRegister\" @ file+0x9EAD8\n  substring: >>>AUTOIT SCRIPT<<<\n    - \">>>AUTOIT SCRIPT<<<\" @ file+0xC5640\n\nhash data with CRC32\nnamespace  data-manipulation/checksum/crc32 \nauthor     moritz.raabe@mandiant.com        \nscope      function                         \nmbc        Data::Checksum::CRC32 [C0032.001]\nfunction @ 0x4823E8\n  or:\n    bytes: 00000000963007772c610eeeba51099919c46d078ff46a7035a563e9a395649e = crc32_tab @ 0x48242B, 0x48243F, 0x48244E\n\nencode data using Base64\nnamespace  data-manipulation/encoding/base64                                    \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com,          \n           michael.hunhoff@mandiant.com                                         \nscope      function                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        Defense Evasion::Obfuscated Files or Information::Encoding-Standard  \n           Algorithm [E1027.m02], Data::Encode Data::Base64 [C0026.001]         \nfunction @ 0x41BEAD\n  or:\n    and:\n      mnemonic: shl @ 0x41C098, 0x45B1BE, 0x45B245, 0x45B424, and 3 more...\n      mnemonic: shr @ 0x41BEE6, 0x41C310, 0x41C500\n      number: 0x3F = modulo 64 @ 0x41C25B, 0x41C296, 0x41C3BA, 0x41C403, and 6 more...\n      or:\n        number: 0x3D = '=' @ 0x41C5C2, 0x459581, 0x45959D, 0x459A4A, and 4 more...\n      match: contain loop @ 0x41BEAD\n        or:\n          characteristic: loop @ 0x41BEAD\n          characteristic: tight loop @ 0x41C0D3, 0x45A209, 0x45A37A, 0x45AD30, and 12 more...\n      optional:\n        number: 0x2 @ 0x41C049, 0x41C14F, 0x41C310, 0x41C32B, and 152 more...\n        number: 0x3 @ 0x41C2DC, 0x459353, 0x459429, 0x459538, and 4 more...\n        number: 0x4 @ 0x41C2BC, 0x41CC04, 0x458FD9, 0x4591CC, and 24 more...\n        number: 0x6 @ 0x41C55C, 0x41C57C, 0x41C604, 0x4590F1, and 8 more...\n        
number: 0xF @ 0x41C91D, 0x41CBE2, 0x45A926, 0x45B30B, and 3 more...\n\nencode data using XOR (7 matches)\nnamespace  data-manipulation/encoding/xor                                       \nauthor     moritz.raabe@mandiant.com                                            \nscope      basic block                                                          \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        Defense Evasion::Obfuscated Files or Information::Encoding-Standard  \n           Algorithm [E1027.m02], Data::Encode Data::XOR [C0026.002]            \nbasic block @ 0x4695EE in function 0x46959C\n  and:\n    characteristic: tight loop @ 0x4695EE\n    characteristic: nzxor @ 0x4695EE\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x471F30 in function 0x471F24\n  and:\n    characteristic: tight loop @ 0x471F30\n    characteristic: nzxor @ 0x471F3C\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for 
unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x471F9C in function 0x471F64\n  and:\n    characteristic: tight loop @ 0x471F9C\n    characteristic: nzxor @ 0x471FA1, 0x471FAE, 0x471FBB, 0x471FBD\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x471FD6 in function 0x471F64\n  and:\n    characteristic: 
tight loop @ 0x471FD6\n    characteristic: nzxor @ 0x471FDB, 0x471FE3, 0x471FF7, 0x471FFB\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x47284B in function 0x47281C\n  and:\n    characteristic: tight loop @ 0x47284B\n    characteristic: nzxor @ 0x472858\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n         
 number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x472ABF in function 0x472865\n  and:\n    characteristic: tight loop @ 0x472ABF\n    characteristic: nzxor @ 0x472ACC\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x47D73F in function 0x47D71C\n  and:\n    characteristic: tight loop @ 0x47D73F\n    characteristic: nzxor @ 0x47D74A\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n     
     number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\n\nhash data using djb2\nnamespace   data-manipulation/hashing/djb2                                      \nauthor      awillia2@cisco.com, still@teamt5.org                                \nscope       function                                                            \nmbc         Data::Non-Cryptographic Hash::djb2 [C0030.006]                      \nreferences  https://twitter.com/r3c0nst/status/1392405576131436546,             \n            http://www.cse.yorku.ca/~oz/hash.html                               \nfunction @ 0x408273\n  and:\n    instruction:\n      and:\n        mnemonic: mov @ 0x408284\n        number: 0x1505 @ 0x408284\n    or:\n      instruction:\n        and:\n          number: 0x21 @ 0x408291\n          or:\n            mnemonic: imul @ 0x408291\n\nauthenticate HMAC\nnamespace   data-manipulation/hmac                                              \nauthor      moritz.raabe@mandiant.com                                           \nscope       function                                                            \nmbc         Cryptography::Hashed Message Authentication Code [C0061]            \nreferences  https://tools.ietf.org/html/rfc2104,                                \n            https://tools.ietf.org/html/rfc4634, https://github.com/ogay/hmac   \nfunction @ 0x41BEAD\n  and:\n    number: 0x36 = inner padding byte value @ 0x45A89F, 0x45BF8B\n    number: 0x5C = outer padding byte value @ 0x41C20E, 0x41C5D0, 0x41C691, 0x41C6A4, and 8 more...\n    match: contain loop @ 0x41BEAD\n      or:\n        characteristic: loop @ 0x41BEAD\n        characteristic: tight loop @ 0x41C0D3, 0x45A209, 0x45A37A, 0x45AD30, 
and 12 more...\n    count(characteristic(nzxor)): 2 or more @ 0x41BEFA, 0x41C50E\n    optional: = block size\n      number: 0x40 = MD5, SHA-1, SHA-224, or SHA-256 @ 0x45AA0A, 0x45AC60, 0x45B980\n      number: 0x80 = SHA-384 or SHA-512 @ 0x41C089, 0x41C9F5, 0x41CA50, 0x41CAC2, and 2 more...\n\ngenerate random numbers using a Mersenne Twister (4 matches)\nnamespace  data-manipulation/prng/mersenne                      \nauthor     moritz.raabe@mandiant.com                            \nscope      function                                             \nmbc        Cryptography::Generate Pseudo-random Sequence [C0021]\nfunction @ 0x471E7A\n  or:\n    number: 0xFF3A58AD @ 0x471EA0\nfunction @ 0x471EC0\n  or:\n    number: 0xFF3A58AD @ 0x471EEB\nfunction @ 0x471F24\n  or:\n    number: 0x6C078965 @ 0x471F3E\nfunction @ 0x471F64\n  or:\n    number: 0x9908B0DF @ 0x471FB6, 0x471FF2, 0x472029\n\nextract resource via kernel32 functions\nnamespace  executable/resource            \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ 0x406122\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x4442F5\n        api: LockResource @ 0x44431D\n      optional:\n        or:\n          api: FindResourceEx @ 0x406149\n        api: SizeofResource @ 0x44430A\n\nlist drag and drop files\nnamespace  host-interaction/clipboard        \nauthor     michael.hunhoff@mandiant.com      \nscope      function                          \natt&ck     Collection::Clipboard Data [T1115]\nfunction @ 0x47EA26\n  and:\n    api: DragQueryFile @ 0x47EB9E, 0x47EBBB, 0x47EBF9\n    and:\n      api: GetClipboardData @ 0x47EA6A, 0x47EAF8, 0x47EB6B\n      number: 0xF = HDROP @ 0x47EB5D, 0x47EB69\n\nopen clipboard (2 matches)\nnamespace  host-interaction/clipboard        \nauthor     michael.hunhoff@mandiant.com      \nscope      function                          \natt&ck     Collection::Clipboard Data [T1115]\nfunction @ 0x47EA26\n  and:\n    api: OpenClipboard @ 
0x47EA50\n    optional:\n      api: CloseClipboard @ 0x47EA76, 0x47EAB8, 0x47EAE9, 0x47EB58, and 2 more...\nfunction @ 0x47EC91\n  and:\n    api: OpenClipboard @ 0x47ECB8, 0x47ED76\n    optional:\n      api: CloseClipboard @ 0x47ECC4, 0x47EDCA\n\nread clipboard data\nnamespace   host-interaction/clipboard                                          \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Collection::Clipboard Data [T1115]                                  \nreferences  https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-…\nfunction @ 0x47EA26\n  and:\n    optional:\n      match: open clipboard @ 0x47EA26\n        and:\n          api: OpenClipboard @ 0x47EA50\n          optional:\n            api: CloseClipboard @ 0x47EA76, 0x47EAB8, 0x47EAE9, 0x47EB58, and 2 more...\n      match: contain loop @ 0x47EA26\n        or:\n          characteristic: tight loop @ 0x47EBAF\n      api: GlobalLock @ 0x47EAAE, 0x47EB09, 0x47EB7C\n      api: GlobalUnlock @ 0x47EAE3, 0x47EB49, 0x47EC1A\n    or:\n      basic block:\n        and:\n          api: GetClipboardData @ 0x47EA6A\n          optional:\n            number: 0xD = CF_UNICODETEXT @ 0x47EA68\n        and:\n          api: GetClipboardData @ 0x47EB6B\n        and:\n          api: GetClipboardData @ 0x47EAF8\n          optional:\n            number: 0x1 = CF_TEXT @ 0x47EAF6\n\nwrite clipboard data\nnamespace   host-interaction/clipboard                                          \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \nmbc         Impact::Clipboard Modification [E1510]                              \nreferences  https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-…\nfunction @ 0x47EC91\n  and:\n    optional:\n      match: open clipboard @ 0x47EC91\n 
       and:\n          api: OpenClipboard @ 0x47ECB8, 0x47ED76\n          optional:\n            api: CloseClipboard @ 0x47ECC4, 0x47EDCA\n      api: EmptyClipboard @ 0x47ECBE, 0x47ED7C\n    or:\n      api: SetClipboardData @ 0x47ED85\n\ninteract with driver via IOCTL (4 matches)\nnamespace  host-interaction/driver  \nauthor     moritz.raabe@mandiant.com\nscope      instruction              \ninstruction @ 0x46D563\n  or:\n    api: DeviceIoControl @ 0x46D563\ninstruction @ 0x46D5DD\n  or:\n    api: DeviceIoControl @ 0x46D5DD\ninstruction @ 0x46D690\n  or:\n    api: DeviceIoControl @ 0x46D690\ninstruction @ 0x473D73\n  or:\n    api: DeviceIoControl @ 0x473D73\n\nget COMSPEC environment variable\nnamespace  host-interaction/environment-variable          \nauthor     matthew.williams@mandiant.com                  \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Operating System::Environment Variable [C0034] \nfunction @ 0x41D70E\n  and:\n    match: query environment variable @ 0x41D70E\n      or:\n        api: GetEnvironmentVariable @ 0x45E05B, 0x45E06E, 0x45E0CA, 0x45E0DD, and 4 more...\n    or:\n      string: \"COMSPEC\" @ 0x45E056\n\nquery environment variable (3 matches)\nnamespace  host-interaction/environment-variable          \nauthor     michael.hunhoff@mandiant.com, @_re_fox         \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ 0x41D70E\n  or:\n    api: GetEnvironmentVariable @ 0x45E05B, 0x45E06E, 0x45E0CA, 0x45E0DD, and 4 more...\nfunction @ 0x47EE14\n  or:\n    api: GetEnvironmentVariable @ 0x47EE51\nfunction @ 0x487559\n  or:\n    api: GetEnvironmentVariable @ 0x4875FD\n\nset environment variable (2 matches)\nnamespace  host-interaction/environment-variable                           \nauthor     michael.hunhoff@mandiant.com       
                             \nscope      function                                                        \nmbc        Operating System::Environment Variable::Set Variable [C0034.001]\nfunction @ 0x43D170\n  or:\n    api: SetEnvironmentVariable @ 0x43D03C\nfunction @ 0x47EE84\n  or:\n    api: SetEnvironmentVariable @ 0x47EEC4\n\nget common file path (9 matches)\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ 0x40445D\n  or:\n    api: GetCurrentDirectory @ 0x40448D\nfunction @ 0x41D70E\n  or:\n    api: GetTempPath @ 0x45E085\n    api: GetSystemDirectory @ 0x45DB98\n    api: GetWindowsDirectory @ 0x45DB28\n    api: GetCurrentDirectory @ 0x45DD7F\nfunction @ 0x41F962\n  or:\n    api: GetCurrentDirectory @ 0x41F97E\nfunction @ 0x46DE45\n  or:\n    api: SHGetFolderPath @ 0x46DE5E\nfunction @ 0x472F35\n  or:\n    api: GetTempPath @ 0x472F4D\n    api: GetTempFileName @ 0x472F62\nfunction @ 0x4779B4\n  or:\n    api: SHGetSpecialFolderLocation @ 0x477AAD\nfunction @ 0x477D0E\n  or:\n    api: GetCurrentDirectory @ 0x477ECB\nfunction @ 0x4780B3\n  or:\n    api: GetCurrentDirectory @ 0x47822E\nfunction @ 0x48AF20\n  or:\n    api: GetSystemDirectory @ 0x48B0D7, 0x48B0FB\n    api: GetCurrentDirectory @ 0x48B13B, 0x48B15D\n\nset current directory (7 matches)\nnamespace  host-interaction/file-system\nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ 0x40445D\n  or:\n    api: SetCurrentDirectory @ 0x404596, 0x443769\nfunction @ 0x40AD7C\n  or:\n    api: SetCurrentDirectory @ 0x40AEF0, 
0x40B045\nfunction @ 0x4753D4\n  or:\n    api: SetCurrentDirectory @ 0x4753EC\nfunction @ 0x477D0E\n  or:\n    api: SetCurrentDirectory @ 0x477EDF, 0x477F35, 0x477F7E, 0x477FCE\nfunction @ 0x4780B3\n  or:\n    api: SetCurrentDirectory @ 0x478242, 0x478274, 0x4782AA, 0x4782B3\nfunction @ 0x479560\n  or:\n    api: SetCurrentDirectory @ 0x479668, 0x479686\nfunction @ 0x4796BB\n  or:\n    api: SetCurrentDirectory @ 0x4797AE, 0x4797CC\n\ncopy file (3 matches)\nnamespace  host-interaction/file-system/copy                      \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Copy File [C0045]                         \nfunction @ 0x46CE1E\n  or:\n    basic block:\n      and:\n        number: 0x2 = FO_COPY @ 0x46CF40\n        or:\n          api: SHFileOperation @ 0x46CF7F\nfunction @ 0x46D1BA\n  or:\n    api: CopyFileEx @ 0x46D1D0\nfunction @ 0x472865\n  or:\n    api: CopyFile @ 0x472BBB\n\ncreate directory (2 matches)\nnamespace  host-interaction/file-system/create                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Create Directory [C0046]                  \nfunction @ 0x46D1DF\n  or:\n    api: CreateDirectory @ 0x46D237, 0x46D294\nfunction @ 0x473C3C\n  or:\n    api: CreateDirectory @ 0x473CBB\n\ndelete directory (2 matches)\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete Directory [C0048]                  \nfunction @ 0x46E77B\n  or:\n    api: RemoveDirectory @ 0x46E7B9\nfunction @ 0x473C3C\n  or:\n    api: RemoveDirectory @ 0x473CEC\n\ndelete file (6 matches)\nnamespace  host-interaction/file-system/delete                    \nauthor     
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete File [C0047]                       \nfunction @ 0x46CF94\n  or:\n    api: DeleteFile @ 0x46D0FB, 0x46D12B\nfunction @ 0x46D2C7\n  or:\n    api: DeleteFile @ 0x46D38E\nfunction @ 0x46E77B\n  or:\n    basic block:\n      and:\n        number: 0x3 = FO_DELETE @ 0x46E7D0\n        or:\n          api: SHFileOperation @ 0x46E806\nfunction @ 0x472865\n  or:\n    api: DeleteFile @ 0x472B23, 0x472BA5, 0x472BCC, 0x472BDE\nfunction @ 0x4755F7\n  or:\n    api: DeleteFile @ 0x4756EC\nfunction @ 0x4778BA\n  or:\n    basic block:\n      and:\n        number: 0x3 = FO_DELETE @ 0x4778FA\n        or:\n          api: SHFileOperation @ 0x47792E\n\ncheck if file exists (3 matches)\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ 0x46D1DF\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x46D219\n        instruction:\n          and:\n            mnemonic: cmp @ 0x46D21F\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x46D21F\n    basic block:\n      and:\n        api: GetLastError @ 0x46D228\n        instruction:\n          and:\n            mnemonic: cmp @ 0x46D230\n            number: 0x2 = ERROR_FILE_NOT_FOUND @ 0x46D230\nfunction @ 0x46DADC\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x46DAFB\n        instruction:\n          and:\n            mnemonic: cmp @ 0x46DB01\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x46DB01\nfunction @ 0x46E0B7\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x46E0B8\n        instruction:\n          and:\n 
           mnemonic: cmp @ 0x46E0BE\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x46E0BE\n\nenumerate files on Windows (6 matches)\nnamespace   host-interaction/file-system/files/list                             \nauthor      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com          \nscope       function                                                            \natt&ck      Discovery::File and Directory Discovery [T1083]                     \nmbc         Discovery::File and Directory Discovery [E1083]                     \nreferences  https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b16…\nfunction @ 0x46CF94\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x46D040\n      or:\n        api: FindNextFile @ 0x46D155\n      optional:\n        api: FindClose @ 0x46D171, 0x46D182\n        match: contain loop @ 0x46CF94\n          or:\n            characteristic: loop @ 0x46CF94\nfunction @ 0x46D2C7\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x46D33E\n      or:\n        api: FindNextFile @ 0x46D39F\n      optional:\n        api: FindClose @ 0x46D3B6, 0x46D3BF\n        match: contain loop @ 0x46D2C7\n          or:\n            characteristic: loop @ 0x46D2C7\nfunction @ 0x475BB5\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x475BDF\n      or:\n        api: FindNextFile @ 0x475C35\n      optional:\n        api: FindClose @ 0x475C7D\n        match: contain loop @ 0x475BB5\n          or:\n            characteristic: loop @ 0x475BB5\nfunction @ 0x479560\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x479581, 0x479618\n      or:\n        api: FindNextFile @ 0x4795F1, 0x479690\n      optional:\n        api: FindClose @ 0x4795FC, 0x47969D, 0x4796AD\n        match: contain loop @ 0x479560\n          or:\n            characteristic: loop @ 0x479560\n            characteristic: recursive call @ 0x479560\nfunction @ 0x4796BB\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x4796DC, 
0x47975E\n      or:\n        api: FindNextFile @ 0x479737, 0x4797D6\n      optional:\n        api: FindClose @ 0x479742, 0x4797E3, 0x4797F3\n        match: contain loop @ 0x4796BB\n          or:\n            characteristic: loop @ 0x4796BB\n            characteristic: recursive call @ 0x4796BB\nfunction @ 0x479A49\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x479A96\n      or:\n        api: FindNextFile @ 0x479B93\n      optional:\n        api: FindClose @ 0x479BA9\n        match: contain loop @ 0x479A49\n          or:\n            characteristic: loop @ 0x479A49\n            characteristic: recursive call @ 0x479A49\n\nenumerate files recursively (3 matches)\nnamespace  host-interaction/file-system/files/list        \nauthor     @_re_fox, anushka.virgaonkar@mandiant.com      \nscope      function                                       \natt&ck     Discovery::File and Directory Discovery [T1083]\nmbc        Discovery::File and Directory Discovery [E1083]\nfunction @ 0x479560\n  and:\n    characteristic: recursive call @ 0x479560\n    or:\n      match: enumerate files on Windows @ 0x479560\n        or:\n          and:\n            or:\n              api: FindFirstFile @ 0x479581, 0x479618\n            or:\n              api: FindNextFile @ 0x4795F1, 0x479690\n            optional:\n              api: FindClose @ 0x4795FC, 0x47969D, 0x4796AD\n              match: contain loop @ 0x479560\n                or:\n                  characteristic: loop @ 0x479560\n                  characteristic: recursive call @ 0x479560\nfunction @ 0x4796BB\n  and:\n    characteristic: recursive call @ 0x4796BB\n    or:\n      match: enumerate files on Windows @ 0x4796BB\n        or:\n          and:\n            or:\n              api: FindFirstFile @ 0x4796DC, 0x47975E\n            or:\n              api: FindNextFile @ 0x479737, 0x4797D6\n            optional:\n              api: FindClose @ 0x479742, 0x4797E3, 0x4797F3\n              match: contain loop @ 0x4796BB\n      
          or:\n                  characteristic: loop @ 0x4796BB\n                  characteristic: recursive call @ 0x4796BB\nfunction @ 0x479A49\n  and:\n    characteristic: recursive call @ 0x479A49\n    or:\n      match: enumerate files on Windows @ 0x479A49\n        or:\n          and:\n            or:\n              api: FindFirstFile @ 0x479A96\n            or:\n              api: FindNextFile @ 0x479B93\n            optional:\n              api: FindClose @ 0x479BA9\n              match: contain loop @ 0x479A49\n                or:\n                  characteristic: loop @ 0x479A49\n                  characteristic: recursive call @ 0x479A49\n\nget file attributes (5 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      basic block                                                  \nmbc        File System::Get File Attributes [C0049]                     \nbasic block @ 0x46D1DF in function 0x46D1DF\n  or:\n    api: GetFileAttributes @ 0x46D219\nbasic block @ 0x46DAFA in function 0x46DADC\n  or:\n    api: GetFileAttributes @ 0x46DAFB\nbasic block @ 0x46E0B7 in function 0x46E0B7\n  or:\n    api: GetFileAttributes @ 0x46E0B8\nbasic block @ 0x477F04 in function 0x477D0E\n  or:\n    api: GetFileAttributes @ 0x477F09\nbasic block @ 0x4795B8 in function 0x479560\n  or:\n    api: GetFileAttributes @ 0x4795BF\n\nget file size (2 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        Discovery::File and Directory Discovery [E1083]              \nfunction @ 0x482A05\n  or:\n    api: GetFileSize @ 0x482C9C\nfunction @ 0x498461\n  or:\n    api: GetFileSize @ 0x498494\n\nget file version 
info\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        Discovery::File and Directory Discovery [E1083]              \nfunction @ 0x46DB2C\n  and:\n    or:\n      api: GetFileVersionInfo @ 0x46DB64\n    optional: = retrieve specified version information from the version-information resource\n      api: VerQueryValue @ 0x46DBDA, 0x46DC84\n      or:\n        api: GetFileVersionInfoSize @ 0x46DB3E\n\nset file attributes (2 matches)\nnamespace  host-interaction/file-system/meta                                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      basic block                                                          \natt&ck     Defense Evasion::File and Directory Permissions Modification [T1222] \nmbc        File System::Set File Attributes [C0050]                             \nbasic block @ 0x477F04 in function 0x477D0E\n  or:\n    api: SetFileAttributes @ 0x477F23\nbasic block @ 0x4795B8 in function 0x479560\n  or:\n    api: SetFileAttributes @ 0x4795D9\n\nmove file (3 matches)\nnamespace  host-interaction/file-system/move                      \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Move File [C0063]                         \nfunction @ 0x46CE1E\n  or:\n    api: MoveFile @ 0x46CE9D\nfunction @ 0x46CF94\n  or:\n    api: MoveFile @ 0x46D10E\nfunction @ 0x46E319\n  or:\n    api: MoveFile @ 0x46E3CA\n    basic block:\n      and:\n        number: 0x1 = FO_MOVE @ 0x46E566\n        or:\n          api: SHFileOperation @ 0x46E56E\n\nread .ini file (4 
matches)\nnamespace  host-interaction/file-system/read     \nauthor     @_re_fox, michael.hunhoff@mandiant.com\nscope      function                              \nmbc        File System::Read File [C0051]        \nfunction @ 0x4783FD\n  and:\n    or:\n      api: GetPrivateProfileString @ 0x478482\nfunction @ 0x4784BF\n  and:\n    or:\n      api: GetPrivateProfileSection @ 0x47852A\nfunction @ 0x4787FC\n  and:\n    or:\n      api: GetPrivateProfileSectionNames @ 0x478858\nfunction @ 0x478A19\n  and:\n    or:\n      api: GetPrivateProfileSection @ 0x478ACC, 0x478AF8\n\nread file on Windows (9 matches)\nnamespace  host-interaction/file-system/read                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \nmbc        File System::Read File [C0051]                            \nfunction @ 0x406A95\n  or:\n    and:\n      os: windows\n      or:\n        api: fread @ 0x406AB3\nfunction @ 0x40B230\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x40B35C\nfunction @ 0x40B3B0\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x40B40C\nfunction @ 0x43921B\n  or:\n    and:\n      os: windows\n      or:\n        api: _read @ 0x439134\nfunction @ 0x47070D\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x470765, 0x470811\nfunction @ 0x472475\n  or:\n    and:\n      os: windows\n      or:\n        api: fread @ 0x4724A5\nfunction @ 0x4725B1\n  or:\n    and:\n      os: windows\n      or:\n        api: fread @ 0x4725D3\nfunction @ 0x482A05\n  or:\n    and:\n      os: windows\n      optional:\n        and:\n          number: 0x80000000 = GENERIC_READ @ 0x482C82\n          match: create or open file @ 0x482C89\n            or:\n              api: CreateFile @ 0x482C89\n      or:\n        api: ReadFile @ 0x482CBF\nfunction @ 0x498461\n  or:\n    and:\n      os: windows\n      optional:\n        and:\n          
number: 0x80000000 = GENERIC_READ @ 0x49847E\n          match: create or open file @ 0x498484\n            or:\n              api: CreateFile @ 0x498484\n      or:\n        api: ReadFile @ 0x4984C9\n\nclear file content\nnamespace  host-interaction/file-system/write\nauthor     jakeperalta7                      \nscope      function                          \nmbc        File System::Writes File [C0052]  \nfunction @ 0x477FD5\n  and:\n    api: SetEndOfFile @ 0x478019\n    not:\n      api: SetFilePointer\n\nwrite file on Windows (7 matches)\nnamespace  host-interaction/file-system/write                              \nauthor     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                        \nmbc        File System::Writes File [C0052]                                \nfunction @ 0x41F5B3\n  or:\n    and:\n      os: windows\n      or:\n        api: _fwrite @ 0x45F3C6\n        api: fwrite @ 0x45F3C6\nfunction @ 0x46CC1D\n  or:\n    and:\n      os: windows\n      or:\n        api: WriteFile @ 0x46CC44\nfunction @ 0x470633\n  or:\n    and:\n      os: windows\n      or:\n        api: WriteFile @ 0x470664\nfunction @ 0x4725F5\n  or:\n    and:\n      os: windows\n      or:\n        api: _fwrite @ 0x47262D\n        api: fwrite @ 0x47262D\nfunction @ 0x472642\n  or:\n    and:\n      os: windows\n      or:\n        api: _fwrite @ 0x47265B\n        api: fwrite @ 0x47265B\nfunction @ 0x472865\n  or:\n    and:\n      os: windows\n      or:\n        api: _fwrite @ 0x472AF5\n        api: fwrite @ 0x472AF5\nfunction @ 0x47CD62\n  or:\n    and:\n      os: windows\n      or:\n        api: _fwrite @ 0x47CDC3\n        api: fwrite @ 0x47CDC3\n\nenumerate gui resources\nnamespace  host-interaction/gui                           \nauthor     johnk3r, anushka.virgaonkar@mandiant.com       \nscope      function                                       \natt&ck     Discovery::Application Window Discovery 
[T1010]\nfunction @ 0x464144\n  or:\n    api: EnumWindows @ 0x464832\n\nfind taskbar (3 matches)\nnamespace  host-interaction/gui/taskbar/find   \nauthor     moritz.raabe@mandiant.com           \nscope      basic block                         \nmbc        Discovery::Taskbar Discovery [B0043]\nbasic block @ 0x41EFCE in function 0x41EFAD\n  and:\n    string: \"Shell_TrayWnd\" @ 0x41EFCF\n    match: find graphical window @ 0x41EFD4\n      or:\n        api: FindWindow @ 0x41EFD4\nbasic block @ 0x492255 in function 0x492255\n  and:\n    string: \"Shell_TrayWnd\" @ 0x492258\n    match: find graphical window @ 0x49225F\n      or:\n        api: FindWindow @ 0x49225F\nbasic block @ 0x492289 in function 0x492289\n  and:\n    string: \"Shell_TrayWnd\" @ 0x492298\n    match: find graphical window @ 0x49229F\n      or:\n        api: FindWindow @ 0x49229F\n\nfind graphical window (4 matches)\nnamespace  host-interaction/gui/window/find               \nauthor     moritz.raabe@mandiant.com                      \nscope      instruction                                    \natt&ck     Discovery::Application Window Discovery [T1010]\ninstruction @ 0x41EFD4\n  or:\n    api: FindWindow @ 0x41EFD4\ninstruction @ 0x46E645\n  or:\n    api: FindWindowEx @ 0x46E645\ninstruction @ 0x49225F\n  or:\n    api: FindWindow @ 0x49225F\ninstruction @ 0x49229F\n  or:\n    api: FindWindow @ 0x49229F\n\nget graphical window text (11 matches)\nnamespace  host-interaction/gui/window/get-text           \nauthor     moritz.raabe@mandiant.com                      \nscope      function                                       \nmbc        Discovery::Application Window Discovery [E1010]\nfunction @ 0x461A70\n  or:\n    and:\n      or:\n        basic block:\n          and:\n            number: 0xD = WM_GETTEXT @ 0x461AD9\n            api: SendMessage @ 0x461ADD\nfunction @ 0x46359E\n  or:\n    and:\n      api: GetWindowText @ 0x4638A5\nfunction @ 0x463B0C\n  or:\n    and:\n      or:\n        basic block:\n         
 and:\n            number: 0xD = WM_GETTEXT @ 0x463B66\n            api: SendMessage @ 0x463B6B\nfunction @ 0x46489C\n  or:\n    and:\n      api: GetWindowText @ 0x464922, 0x4649E9\nfunction @ 0x464BD3\n  or:\n    and:\n      optional:\n        api: IsWindowVisible @ 0x464BEB\n      or:\n        basic block:\n          and:\n            number: 0xD = WM_GETTEXT @ 0x464C3B\n            api: SendMessage @ 0x464C40\nfunction @ 0x465B9A\n  or:\n    and:\n      api: GetWindowText @ 0x465BC5\nfunction @ 0x47E8F7\n  or:\n    and:\n      api: GetWindowText @ 0x47E91E\nfunction @ 0x491E0D\n  or:\n    and:\n      api: GetWindowText @ 0x491F76\nfunction @ 0x4947A8\n  or:\n    and:\n      api: GetWindowText @ 0x494C26, 0x494C8F\nfunction @ 0x496FA4\n  or:\n    and:\n      api: GetWindowText @ 0x4971C3\nfunction @ 0x4972B7\n  or:\n    and:\n      api: GetWindowText @ 0x497423\n\nhide graphical window (8 matches)\nnamespace  host-interaction/gui/window/hide                          \nauthor     michael.hunhoff@mandiant.com                              \nscope      basic block                                               \natt&ck     Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\nbasic block @ 0x45F0F9 in function 0x41EEF7\n  and:\n    number: 0x0 = SW_HIDE @ 0x45F101\n    api: ShowWindow @ 0x45F0FB\nbasic block @ 0x4827C2 in function 0x482638\n  and:\n    number: 0x0 = SW_HIDE @ 0x48294B, 0x48295A\n    api: ShowWindow @ 0x4829BE\nbasic block @ 0x49015D in function 0x490135\n  and:\n    number: 0x0 = SW_HIDE @ 0x490163\n    api: ShowWindow @ 0x490167\nbasic block @ 0x4950F2 in function 0x495009\n  and:\n    number: 0x0 = SW_HIDE @ 0x4950F8\n    api: ShowWindow @ 0x4950FC, 0x495102\nbasic block @ 0x496B61 in function 0x496A44\n  and:\n    number: 0x0 = SW_HIDE @ 0x496B61\n    api: ShowWindow @ 0x496B66\nbasic block @ 0x49813A in function 0x4980CD\n  and:\n    number: 0x0 = SW_HIDE @ 0x49813A\n    api: ShowWindow @ 0x49813E\nbasic block @ 0x4981BF in function 
0x4980CD\n  and:\n    number: 0x0 = SW_HIDE @ 0x4981BF\n    api: ShowWindow @ 0x4981C3, 0x4981D7\nbasic block @ 0x49A198 in function 0x499E78\n  and:\n    number: 0x0 = SW_HIDE @ 0x49A198\n    api: ShowWindow @ 0x49A19C\n\nget keyboard layout\nnamespace  host-interaction/hardware/keyboard                                   \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \natt&ck     Discovery::System Location Discovery::System Language Discovery      \n           [T1614.001]                                                          \nfunction @ 0x41D70E\n  and:\n    or:\n      api: GetKeyboardLayoutName @ 0x45DF94\n\nget memory capacity\nnamespace  host-interaction/hardware/memory               \nauthor     moritz.raabe@mandiant.com                      \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nfunction @ 0x41F370\n  or:\n    api: GlobalMemoryStatusEx @ 0x41F39A\n\nget disk information (6 matches)\nnamespace  host-interaction/hardware/storage                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \natt&ck     Discovery::System Information Discovery [T1082]           \nmbc        Discovery::System Information Discovery [E1082]           \nfunction @ 0x473D97\n  or:\n    api: GetDriveType @ 0x473EF4\nfunction @ 0x4743DE\n  or:\n    api: GetDriveType @ 0x474661\nfunction @ 0x474776\n  or:\n    api: GetVolumeInformation @ 0x4747DB\nfunction @ 0x474844\n  or:\n    api: GetVolumeInformation @ 0x4748A9\nfunction @ 0x474912\n  or:\n    api: GetVolumeInformation @ 0x47497A\nfunction @ 0x4749FD\n  or:\n    api: GetDriveType @ 0x474AE8\n\nget disk size (3 matches)\nnamespace   host-interaction/hardware/storage                                   \nauthor      
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Discovery::System Information Discovery [T1082]                     \nmbc         Discovery::System Information Discovery [E1082]                     \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nfunction @ 0x4750EB\n  or:\n    api: GetDiskFreeSpaceEx @ 0x475156\nfunction @ 0x4751CE\n  or:\n    api: GetDiskFreeSpaceEx @ 0x475239\nfunction @ 0x4752B1\n  or:\n    api: GetDiskFreeSpace @ 0x475334\n\nget storage device properties (2 matches)\nnamespace   host-interaction/hardware/storage                                   \nauthor      michael.hunhoff@mandiant.com                                        \nscope       function                                                            \nreferences  https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-wini…\nfunction @ 0x46D509\n  and:\n    number: 0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY @ 0x46D55D\n    or:\n      match: interact with driver via IOCTL @ 0x46D563\n        or:\n          api: DeviceIoControl @ 0x46D563\nfunction @ 0x46D588\n  and:\n    number: 0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY @ 0x46D5D7\n    or:\n      match: interact with driver via IOCTL @ 0x46D5DD\n        or:\n          api: DeviceIoControl @ 0x46D5DD\n\nprint debug messages\nnamespace  host-interaction/log/debug/write-event\nauthor     michael.hunhoff@mandiant.com          \nscope      function                              \nfunction @ 0x41F5B3\n  or:\n    api: OutputDebugString @ 0x45F3E1\n\nshutdown system\nnamespace  host-interaction/os                   \nauthor     michael.hunhoff@mandiant.com          \nscope      function                              \natt&ck     Impact::System Shutdown/Reboot [T1529]\nfunction @ 0x46E814\n  or:\n    api: ExitWindowsEx @ 0x46E850\n    api: InitiateSystemShutdownEx @ 0x46E870\n\nget hostname (2 
matches)\nnamespace  host-interaction/os/hostname                                         \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::System Information Discovery [T1082]                      \nmbc        Discovery::System Information Discovery [E1082]                      \nfunction @ 0x41D70E\n  or:\n    api: GetComputerName @ 0x45DB11\nfunction @ 0x46DD45\n  or:\n    api: gethostname @ 0x46DD7A\n\nget system information on Windows\nnamespace  host-interaction/os/info                       \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com  \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nfunction @ 0x40615E\n  and:\n    os: windows\n    or:\n      api: GetSystemInfo @ 0x406320, 0x44455F\n\ncreate process on Windows (6 matches)\nnamespace  host-interaction/process/create\nauthor     moritz.raabe@mandiant.com      \nscope      basic block                    \nmbc        Process::Create Process [C0017]\nbasic block @ 0x4437E0 in function 0x40445D\n  or:\n    api: ShellExecute @ 0x4437F9\nbasic block @ 0x46134A in function 0x461145\n  or:\n    api: CreateProcessAsUser @ 0x46136D\nbasic block @ 0x461472 in function 0x461412\n  or:\n    api: CreateProcessWithLogon @ 0x461493\nbasic block @ 0x48AD7A in function 0x48AC8B\n  or:\n    api: ShellExecuteEx @ 0x48ADCA\nbasic block @ 0x48B2C1 in function 0x48AF20\n  or:\n    api: CreateProcess @ 0x48B2DD\nbasic block @ 0x498064 in function 0x498064\n  or:\n    api: CreateProcess @ 0x4980B1\n\nallocate or change RWX memory\nnamespace  host-interaction/process/inject\nauthor     @mr-tz, mehunhoff@google.com   \nscope      basic block                    \nmbc        Memory::Allocate Memory [C0007]\nbasic block @ 0x489881 in 
function 0x4895BB\n  or:\n    basic block:\n      and:\n        or:\n          match: allocate memory @ 0x489881\n            or:\n              api: VirtualAlloc @ 0x489895\n        or:\n          number: 0x40 = PAGE_EXECUTE_READWRITE @ 0x489881\n\nenumerate processes (2 matches)\nnamespace  host-interaction/process/list                                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com              \nscope      function                                                             \natt&ck     Discovery::Process Discovery [T1057], Discovery::Software Discovery  \n           [T1518]                                                              \nfunction @ 0x46D3FA\n  or:\n    and:\n      api: Process32First @ 0x46D42D\n      api: Process32Next @ 0x46D44D\n      optional:\n        basic block:\n          and:\n            api: CreateToolhelp32Snapshot @ 0x46D41F\n            or:\n              number: 0x2 = TH32CS_SNAPPROCESS @ 0x46D411\nfunction @ 0x48A5A3\n  or:\n    and:\n      api: Process32First @ 0x48A5E1\n      api: Process32Next @ 0x48A6C3\n      optional:\n        basic block:\n          and:\n            api: CreateToolhelp32Snapshot @ 0x48A5D3\n            or:\n              number: 0x2 = TH32CS_SNAPPROCESS @ 0x48A5BD\n\nacquire debug privileges\nnamespace  host-interaction/process/modify                        \nauthor     william.ballenthin@mandiant.com                        \nscope      basic block                                            \natt&ck     Privilege Escalation::Access Token Manipulation [T1134]\nbasic block @ 0x48A0B6 in function 0x48A009\n  and:\n    string: \"SeDebugPrivilege\" @ 0x48A0B6\n\nmodify access privileges (2 matches)\nnamespace  host-interaction/process/modify                        \nauthor     moritz.raabe@mandiant.com                              \nscope      instruction                                            \natt&ck     Privilege Escalation::Access Token Manipulation 
[T1134]\ninstruction @ 0x461018\n  and:\n    api: AdjustTokenPrivileges @ 0x461018\ninstruction @ 0x46167E\n  and:\n    api: AdjustTokenPrivileges @ 0x46167E\n\nterminate process (3 matches)\nnamespace  host-interaction/process/terminate                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Process::Terminate Process [C0018]                                   \nfunction @ 0x46EA3E\n  or:\n    and:\n      optional:\n        match: open process @ 0x46EA6E\n          or:\n            api: OpenProcess @ 0x46EA82\n      or:\n        api: TerminateProcess @ 0x46EA8C\nfunction @ 0x487E80\n  or:\n    and:\n      or:\n        api: TerminateProcess @ 0x488223\nfunction @ 0x48A009\n  or:\n    and:\n      optional:\n        match: open process @ 0x48A08D, 0x48A0D2\n          or:\n            api: OpenProcess @ 0x48A0DA\n          or:\n            api: OpenProcess @ 0x48A094\n      or:\n        api: TerminateProcess @ 0x48A18F\n\nempty the recycle bin\nnamespace  host-interaction/recycle-bin\nauthor     moritz.raabe@mandiant.com   \nscope      function                    \nfunction @ 0x477953\n  or:\n    api: SHEmptyRecycleBin @ 0x477977\n\nquery or enumerate registry key (2 matches)\nnamespace  host-interaction/registry                                 \nauthor     michael.hunhoff@mandiant.com                              \nscope      function                                                  \natt&ck     Discovery::Query Registry [T1012]                         \nmbc        Operating System::Registry::Query Registry Key [C0036.005]\nfunction @ 0x48B8F0\n  and:\n    optional:\n      match: create or open registry key @ 0x48BA11\n        or:\n          api: RegOpenKeyEx @ 0x48BA27\n    or:\n      api: RegEnumKeyEx @ 0x48BA8A\nfunction @ 
0x48CB5B\n  and:\n    optional:\n      match: create or open registry key @ 0x48CBA6\n        or:\n          api: RegOpenKeyEx @ 0x48CBB4\n    or:\n      api: RegEnumKeyEx @ 0x48CB8B, 0x48CC4F\n\nquery or enumerate registry value (5 matches)\nnamespace  host-interaction/registry                                            \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com,       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::Query Registry [T1012]                                    \nmbc        Operating System::Registry::Query Registry Value [C0036.006]         \nfunction @ 0x40533E\n  and:\n    optional:\n      match: create or open registry key @ 0x40533E\n        or:\n          api: RegOpenKeyEx @ 0x40545B\n    or:\n      api: RegQueryValueEx @ 0x443EEC, 0x443F2D\nfunction @ 0x4059A7\n  and:\n    optional:\n      match: create or open registry key @ 0x4059BB\n        or:\n          api: RegOpenKeyEx @ 0x4059CB\n    or:\n      api: RegQueryValueEx @ 0x4059EC\nfunction @ 0x4605C7\n  and:\n    optional:\n      match: create or open registry key @ 0x4606B3\n        or:\n          api: RegOpenKeyEx @ 0x4606C3\n    or:\n      api: RegQueryValueEx @ 0x4606ED\nfunction @ 0x48BB02\n  and:\n    optional:\n      match: create or open registry key @ 0x48BC36\n        or:\n          api: RegOpenKeyEx @ 0x48BC4C\n    or:\n      api: RegEnumValue @ 0x48BCC0\nfunction @ 0x48BD6B\n  and:\n    optional:\n      match: create or open registry key @ 0x48BEB9\n        or:\n          api: RegOpenKeyEx @ 0x48BED0\n    or:\n      api: RegQueryValueEx @ 0x48BF53, 0x48C00E, 0x48C07B, 0x48C110, and 2 more...\n\nset registry value\nnamespace  host-interaction/registry/create                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com \nscope      function                                            
    \nmbc        Operating System::Registry::Set Registry Key [C0036.001]\nfunction @ 0x48C2DE\n  or:\n    and:\n      optional:\n        match: create or open registry key @ 0x48C448\n          or:\n            api: RegCreateKeyEx @ 0x48C46B\n      or:\n        api: RegSetValueEx @ 0x48C5D9, 0x48C6E8, 0x48C774, 0x48C887\n\ndelete registry key (2 matches)\nnamespace  host-interaction/registry/delete                                \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\nscope      function                                                        \natt&ck     Defense Evasion::Modify Registry [T1112]                        \nmbc        Operating System::Registry::Delete Registry Key [C0036.002]     \nfunction @ 0x48B535\n  and:\n    optional:\n      match: create or open registry key @ 0x48B683\n        or:\n          api: RegOpenKeyEx @ 0x48B699\n    or:\n      api: RegDeleteKey @ 0x48B849\nfunction @ 0x48CB5B\n  and:\n    optional:\n      match: create or open registry key @ 0x48CBA6\n        or:\n          api: RegOpenKeyEx @ 0x48CBB4\n    or:\n      api: RegDeleteKey @ 0x48CC1A\n\ndelete registry value\nnamespace  host-interaction/registry/delete                             \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Defense Evasion::Modify Registry [T1112]                     \nmbc        Operating System::Registry::Delete Registry Value [C0036.007]\nfunction @ 0x48B535\n  and:\n    optional:\n      match: create or open registry key @ 0x48B683\n        or:\n          api: RegOpenKeyEx @ 0x48B699\n    or:\n      api: RegDeleteValue @ 0x48B731\n\nget session user name\nnamespace  host-interaction/session                                             \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope      function                                                             
\natt&ck     Discovery::System Owner/User Discovery [T1033], Discovery::Account   \n           Discovery [T1087]                                                    \nfunction @ 0x41D70E\n  or:\n    api: GetUserName @ 0x45DA28\n\nget token membership\nnamespace  host-interaction/session                      \nauthor     michael.hunhoff@mandiant.com                  \nscope      function                                      \natt&ck     Discovery::System Owner/User Discovery [T1033]\nfunction @ 0x4615A7\n  and:\n    api: CheckTokenMembership @ 0x4615E5\n    optional:\n      api: AllocateAndInitializeSid @ 0x4615D0\n      api: FreeSid @ 0x4615F5\n\nget token privileges\nnamespace  host-interaction/session    \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ 0x460F58\n  and:\n    or:\n      basic block:\n        and:\n          api: GetTokenInformation @ 0x460F6E\n          number: 0x3 = TokenPrivileges @ 0x460F6B\n        and:\n          api: GetTokenInformation @ 0x460FA6\n          number: 0x3 = TokenPrivileges @ 0x460FA3\n\ncreate thread (5 matches)\nnamespace  host-interaction/thread/create                                       \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           joakim@intezer.com, anushka.virgaonkar@mandiant.com                  \nscope      basic block                                                          \nmbc        Process::Create Thread [C0038]                                       \nbasic block @ 0x461747 in function 0x461747\n  or:\n    and:\n      os: windows\n      or:\n        api: CreateThread @ 0x4617AC\nbasic block @ 0x46E114 in function 0x46E0F4\n  or:\n    and:\n      os: windows\n      or:\n        api: _beginthreadex @ 0x46E139\nbasic block @ 0x470870 in function 0x4708F7\n  or:\n    and:\n      os: windows\n      or:\n        api: CreateThread @ 0x47087D\nbasic block @ 0x470870 in function 0x4708F7\n  or:\n    and:\n      os: windows\n     
 or:\n        api: CreateThread @ 0x47087D\nbasic block @ 0x47D13B in function 0x47D126\n  or:\n    and:\n      os: windows\n      or:\n        api: _beginthread @ 0x47D151\n\nterminate thread\nnamespace  host-interaction/thread/terminate                                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      basic block                                                          \nmbc        Process::Terminate Thread [C0039]                                    \nbasic block @ 0x4708A6 in function 0x470889\n  or:\n    api: TerminateThread @ 0x4708B9\n\nimpersonate user\nnamespace  host-interaction/user                                                \nauthor     michael.hunhoff@mandiant.com, 99.elad.levi@gmail.com                 \nscope      function                                                             \natt&ck     Privilege Escalation::Access Token Manipulation::Token               \n           Impersonation/Theft [T1134.001]                                      \nfunction @ 0x461145\n  or:\n    api: LogonUser @ 0x4611CA\n    and:\n      api: LoadUserProfile @ 0x461327\n\n(internal) autoit file limitation\nnamespace    internal/limitation/static                                         \nauthor       william.ballenthin@mandiant.com                                    \nscope        file                                                               \ndescription  This sample appears to be compiled with AutoIt.                    \n                                                                                \n             AutoIt is a freeware BASIC-like scripting language designed for    \n             automating the Windows GUI.                                        \n             capa cannot handle AutoIt scripts. This means that the results will\n             be misleading or incomplete.                                   
    \n             You may have to analyze the file manually, using a tool like the   \n             AutoIt decompiler MyAut2Exe.                                       \n                                                                                \nor:\n  match: compiler/autoit @ global\n    or:\n      string: \"AutoIt Error\" @ file+0xD5910\n      string: \">>>AUTOIT NO CMDEXECUTE<<<\" @ file+0x9BF64\n      string: \"#requireadmin\" @ file+0x9EB28\n      string: \"#OnAutoItStartRegister\" @ file+0x9EAD8\n      substring: >>>AUTOIT SCRIPT<<<\n        - \">>>AUTOIT SCRIPT<<<\" @ file+0xC5640\n\nlink function at runtime on Windows (13 matches)\nnamespace  linking/runtime-linking                        \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com\nscope      instruction                                    \natt&ck     Execution::Shared Modules [T1129]              \ninstruction @ 0x4062E6\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x4062E6\ninstruction @ 0x406816\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x406816\ninstruction @ 0x406850\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x406850\ninstruction @ 0x432FC7\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x432FC7\ninstruction @ 0x432FC7\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x432FC7\ninstruction @ 0x45DB5B\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x45DB5B\ninstruction @ 0x4671A3\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x4671A3\ninstruction @ 0x483FF4\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x483FF4\ninstruction @ 0x488EF7\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x488EF7\ninstruction @ 0x488F13\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x488F13\ninstruction @ 0x488F59\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x488F59\ninstruction @ 0x48B82B\n  and:\n    os: windows\n 
   or:\n      api: GetProcAddress @ 0x48B82B\ninstruction @ 0x48CBF6\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x48CBF6\n\nparse PE header\nnamespace  load-code/pe                     \nauthor     moritz.raabe@mandiant.com        \nscope      function                         \natt&ck     Execution::Shared Modules [T1129]\nfunction @ 0x40B7E0\n  and:\n    os: windows\n    and:\n      mnemonic: cmp @ 0x40B810, 0x40B824, 0x40B82D, 0x40B84F, and 43 more...\n      or:\n        and:\n          number: 0x50 @ 0x450313\n          number: 0x45 @ 0x40BC73\n      or:\n        and:\n          number: 0x4D @ 0x40BB79\n          number: 0x5A @ 0x40B92F, 0x40B973, 0x40BCA4\n\nresolve function by parsing PE exports (15 matches)\nnamespace  load-code/pe\nauthor     sara-rn     \nscope      function    \nfunction @ 0x401641\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x401641\n      mnemonic: movzx @ 0x401B19, 0x401B67, 0x401BA4, 0x401BEE, and 2 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x401AB7, 0x401AF7, 0x442A22\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x401760\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x401B05, 0x401B29, 0x401B5B, 0x401B63, and 11 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x40165B, 0x401679, 0x401A7C, 0x401BB7, and 8 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x401A6C, 0x401A9E, 0x401ADE, 0x401B15, and 8 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x401AB3, 0x401AC0, 0x401AF0, 0x401B25, and 12 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x401AA2, 0x401AD4, 0x401BD5, 0x4425C7, and 11 more...\nfunction @ 0x408BAA\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x408BAA\n      mnemonic: movzx @ 0x445922, 0x445B7A\n    
and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x408D85, 0x408DDB\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x445A85, 0x445B3F\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x408C7B, 0x408CD7, 0x408D0F, 0x408D4C, and 9 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x408BB8, 0x408CBE, 0x408DC2, 0x408DD1, and 7 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x408BF6, 0x408C12, 0x408C87, 0x408D89\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x408D20, 0x445980, 0x445A4F, 0x445AB4, and 2 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x408CA5, 0x408CD3, 0x408DAF, 0x408E24, and 2 more...\nfunction @ 0x4095C0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x4095C0\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4096AC, 0x409887, 0x4098DD, 0x4099C7\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x4463CA, 0x446461, 0x4465C9, 0x44661E, and 1 more...\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x409653, 0x409864, 0x446280, 0x4462A5, and 9 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4096B0, 0x4098EC, 0x4465C1\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x4096BC, 0x40988B, 0x40989D, 0x4098AE, and 6 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x4096A4, 0x409963, 0x40996D, 0x409971, and 7 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4096B8, 0x4097D8, 0x409909, 0x409931, and 6 more...\nfunction @ 0x40A180\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x40A180\n      mnemonic: movzx @ 0x40A1DD, 0x40A1FF, 0x40A20D, 0x40A21F, and 490 more...\n    
and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x40A558, 0x449751, 0x44976C\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x40A670, 0x40A8C8, 0x44738C, 0x447398, and 18 more...\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x40A647, 0x40A887, 0x447695, 0x447A2F, and 1 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4474A1, 0x4474D4, 0x447577, 0x4475AA, and 2 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x40A7ED, 0x447F8A, 0x448031, 0x44806F, and 14 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40A7FB, 0x447F9C, 0x447FBA, 0x44803B, and 23 more...\nfunction @ 0x40AD7C\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x40AD7C\n      mnemonic: movzx @ 0x40AF89, 0x44FB38\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x44FAEE, 0x44FAFC, 0x44FB1F, 0x44FCE1\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x40ADD7, 0x40B08A\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x40AD92, 0x40AF43, 0x40B0D0, 0x44FAA7, and 6 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x40ADBC, 0x40AE73, 0x44FBCB, 0x44FC8B, and 1 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x40AFA8, 0x40B019, 0x40B02B, 0x44FBCF, and 2 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x40ADB8, 0x40AF21, 0x40AF49, 0x40B0CC, and 6 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40AF4D, 0x40AFCD, 0x40B011, 0x44FC5F, and 2 more...\nfunction @ 0x40D840\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x40D840\n      mnemonic: movzx @ 0x40DD22, 0x40DEE0, 0x40DEE7, 0x40DEF0, and 4 more...\n    and:\n      offset: 
0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x40D863, 0x40D996, 0x40DD88, 0x40DE6E, and 8 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x40D8C7\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x40D92B, 0x40D989, 0x40D9C0, 0x40DA03, and 9 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x40D8E3, 0x40DC92, 0x40DCC7, 0x40DFCA, and 8 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x40D8CB, 0x40D927, 0x40DAB6, 0x40DBBC, and 14 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x40D9B7, 0x40DA33, 0x40DAC0, 0x40DB79, and 20 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40D85D, 0x40D922, 0x40D98E, 0x40DE85, and 11 more...\nfunction @ 0x410540\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x410540\n      mnemonic: movzx @ 0x410600, 0x41062B, 0x41066B, 0x4107F2, and 29 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x410592\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x410876, 0x410AAA, 0x410BFC, 0x410C2C, and 7 more...\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x41059A, 0x4105D1, 0x410652, 0x4106C4, and 22 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x410A1F, 0x411150, 0x411166, 0x4112C1, and 9 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x41058A, 0x4105B5, 0x41065A, 0x410A26, and 14 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x410552, 0x4108D8, 0x41092E, 0x410938, and 23 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x410691, 0x410842, 0x4108BB, 0x4108C4, and 27 more...\nfunction @ 0x41BEAD\n  and:\n    os: windows\n    or:\n      characteristic: 
loop @ 0x41BEAD\n      mnemonic: movzx @ 0x41C06A, 0x41C091, 0x41C0A0, 0x41C0A8, and 128 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x41C16F, 0x45A1E8, 0x45A34E, 0x45B07F\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x459C84, 0x45B005\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x459F7A, 0x45B03F, 0x45B060, 0x45B07C, and 2 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x45933F, 0x45AF58, 0x45B1CB, 0x45B252\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x41C052, 0x41C302, 0x41C338, 0x41C408, and 23 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x458F91, 0x458FCD, 0x459172, 0x4591C1, and 1 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x459046, 0x459E17\nfunction @ 0x466502\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x466502\n      mnemonic: movzx @ 0x4666E8, 0x4667E7, 0x4669E6, 0x4669EC\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x46656E, 0x46659F, 0x466602, 0x46674E, and 7 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x46661E\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x466641, 0x466652, 0x466662, 0x466686, and 11 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x466554, 0x466571, 0x46657B, 0x46682E, and 7 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x466596, 0x4665CF, 0x466616, 0x4667A9, and 3 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x4665C4, 0x46665B, 0x4667AD, 0x46683F, and 1 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x46671D, 0x466769, 0x4667B1, 0x4667CC, and 2 more...\nfunction @ 0x4681EE\n  and:\n  
  os: windows\n    or:\n      characteristic: loop @ 0x4681EE\n      mnemonic: movzx @ 0x468256, 0x46826B, 0x4682A7, 0x4682F8, and 8 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4684CE\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x46852F\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x4683DF, 0x4686B0\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x468378, 0x468407, 0x468439\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x468401\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x4683E5, 0x468612\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4683FB, 0x4687AF\nfunction @ 0x4763AC\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x4763AC\n      mnemonic: movzx @ 0x47645E, 0x476474, 0x476480, 0x476489\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x476405, 0x476580, 0x476597, 0x4767DE\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x476707\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x47652F, 0x4765A3, 0x4765EC, 0x476638, and 4 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4763D3, 0x47642F, 0x4764C2, 0x4764C7, and 3 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x476626\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x476542, 0x4765C2, 0x4765F9, 0x476645, and 9 more...\nfunction @ 0x476E0F\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x476E0F\n      mnemonic: movzx @ 0x476EA3, 0x476EA6\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x476E8F\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to 
IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x477044, 0x4770D8, 0x4771A4\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x476E7D, 0x476E9B, 0x476EAA, 0x476FA1, and 1 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x476E26, 0x476EE6, 0x476EFE, 0x476F13, and 4 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x476F24, 0x476F3C, 0x47706B, 0x4770B0\nfunction @ 0x47902A\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x47902A\n      mnemonic: movzx @ 0x47912D, 0x47913D, 0x47916B, 0x479184\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4790E8, 0x479508\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x479080\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x479131, 0x479174, 0x479266, 0x47929D, and 3 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4791BC, 0x4791CA, 0x4791F4, 0x479225, and 4 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x479051, 0x4790B8, 0x479202, 0x47930A, and 1 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x47916F, 0x47927E, 0x4792D5, 0x4794E8, and 1 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x47926E, 0x4794FC\nfunction @ 0x487E80\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x487E80\n      mnemonic: movzx @ 0x487E8C\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x487FF3, 0x48829E\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x487F41, 0x4881C4, 0x488201\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x487EF1, 0x487F23, 0x487F9A, 0x487FDB, and 7 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals 
@ 0x488092, 0x488118, 0x488136\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x487FBF, 0x488192, 0x488197, 0x4881DA, and 3 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x487F38, 0x487FAF, 0x487FEA, 0x488018, and 7 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x487FE6, 0x487FF8, 0x488004, 0x48808E, and 2 more...\nfunction @ 0x490F26\n  and:\n    os: windows\n    or:\n      mnemonic: movzx @ 0x49110E, 0x4912C4, 0x4912CA\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x491140, 0x491288\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x491028\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x490FB0, 0x490FC8, 0x490FDA, 0x490FED, and 6 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x490F4B, 0x490FD6, 0x4910C5\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x490F43, 0x49107D, 0x4912B0\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x49106A, 0x4910BB, 0x491298, 0x4912A6, and 1 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x490F57, 0x490FC4, 0x4910E2, 0x491184, and 2 more...\n\nexecute shellcode via indirect call\nnamespace  load-code/shellcode            \nauthor     ronnie.salomonsen@mandiant.com \nscope      function                       \nmbc        Memory::Allocate Memory [C0007]\nfunction @ 0x4895BB\n  and:\n    match: allocate or change RWX memory @ 0x489881\n      or:\n        basic block:\n          and:\n            or:\n              match: allocate memory @ 0x489881\n                or:\n                  api: VirtualAlloc @ 0x489895\n            or:\n              number: 0x40 = PAGE_EXECUTE_READWRITE @ 0x489881\n    or:\n      characteristic: indirect call @ 0x48963F, 0x489682\n\ncreate shortcut via IShellLink (2 matches)\nnamespace   persistence      
                                                   \nauthor      matthew.williams@mandiant.com                                       \nscope       function                                                            \natt&ck      Persistence::Boot or Logon Autostart Execution::Shortcut            \n            Modification [T1547.009]                                            \nreferences  https://docs.microsoft.com/en-us/windows/win32/shell/links#creating…\nfunction @ 0x47573C\n  and:\n    offset: 0x50 = psl->SetPath @ 0x475910, 0x4759CE, 0x4759FC\n    offset: 0x18 = ppf->Save @ 0x475790, 0x4757C8, 0x47585F, 0x475864, and 4 more...\n    api: CoCreateInstance @ 0x4758CC\n    bytes: 0114020000000000c000000000000046 = CLSID_ShellLink @ 0x4758C7\n    bytes: 0b01000000000000c000000000000046 = IID_IPersistFile @ 0x475AB3\n    or:\n      bytes: f914020000000000c000000000000046 = IID_IShellLinkW @ 0x4758BE\nfunction @ 0x4763AC\n  and:\n    offset: 0x50 = psl->SetPath @ 0x4763F4, 0x476610, 0x47665C, 0x4766A8, and 2 more...\n    offset: 0x18 = ppf->Save @ 0x476542, 0x4765C2, 0x4765F9, 0x476645, and 9 more...\n    api: CoCreateInstance @ 0x47656E\n    bytes: 0114020000000000c000000000000046 = CLSID_ShellLink @ 0x476569\n    bytes: 0b01000000000000c000000000000046 = IID_IPersistFile @ 0x476585\n    or:\n      bytes: f914020000000000c000000000000046 = IID_IShellLinkW @ 0x476562\n\n\n\n"},"hashes":{"md5":"1a7bbf68c09e364ac325434493133305","sha1":"b6e8fae23eca1afff3e815286136cfbfa7b11eb9","sha256":"952afbda734257d5e14c9f4b09bc8bb48a60e37e7c17a9f3f27b0a96f4f0fc47"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: 
border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            
position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div 
id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    <span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span 
class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 2043</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 120247</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"2aa5ce3561dc657a157460383c7c9b\\u2026\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"1a7bbf68c09e364ac325434493133305\",\n        \"sha256\": \"952afbda734257d5e14c9f4b09bc8bb48a60e37e7c17a9f3f27b0a9\",\n        \"arch\": \"i386\",\n        \"os\": \"windows\",\n        \"format\": \"pe\"\n      }\n    },\n    {\n      \"id\": \"cap_allocate_memory__2_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"allocate memory (2 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x46B26C\",\n      \"label\": \"Block 0x46B26C\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46B26C\"\n    },\n    {\n      \"id\": \"api_VirtualAllocEx\",\n      \"label\": \"VirtualAllocEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_library_rule_\",\n      \"label\": \"library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Modulo [C0058]\"\n      ]\n    },\n    {\n      \"id\": \"cap_contain_loop__489_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"contain loop (489 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x401202\",\n      \"label\": 
\"Function 0x401202\",\n      \"type\": \"function\",\n      \"address\": \"0x401202\"\n    },\n    {\n      \"id\": \"cap_create_or_open_file__13_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"create or open file (13 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create File [C0016]\"\n      ]\n    },\n    {\n      \"id\": \"api_CreateFile\",\n      \"label\": \"CreateFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_rule_\",\n      \"label\": \"rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Create Registry Key [C0036.004]\",\n        \"Operating\",\n        \"System::Registry::Open Registry Key [C0036.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x40533E\",\n      \"label\": \"Block 0x40533E\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40533E\"\n    },\n    {\n      \"id\": \"api_RegOpenKeyEx\",\n      \"label\": \"RegOpenKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_delay_execution__37_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"delay execution (37 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed\",\n        \"Execution [B0003.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x40F4AF\",\n      \"label\": \"Block 0x40F4AF\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40F4AF\"\n    },\n    {\n      \"id\": \"api_Sleep\",\n      \"label\": \"Sleep\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n   
   \"id\": \"cap_open_process__7_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"open process (7 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Open Process [C0065]\"\n      ]\n    },\n    {\n      \"id\": \"api_OpenProcess\",\n      \"label\": \"OpenProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"label\": \"check for time delay via QueryPerformanceCounter (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check\",\n        \"QueryPerformanceCounter [B0001.033]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x469B67\",\n      \"label\": \"Function 0x469B67\",\n      \"type\": \"function\",\n      \"address\": \"0x469B67\"\n    },\n    {\n      \"id\": \"func_0x46E899\",\n      \"label\": \"Function 0x46E899\",\n      \"type\": \"function\",\n      \"address\": \"0x46E899\"\n    },\n    {\n      \"id\": \"func_0x469B7E\",\n      \"label\": \"Function 0x469B7E\",\n      \"type\": \"function\",\n      \"address\": \"0x469B7E\"\n    },\n    {\n      \"id\": \"func_0x46AFC6\",\n      \"label\": \"Function 0x46AFC6\",\n      \"type\": \"function\",\n      \"address\": \"0x46AFC6\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check\",\n        \"QueryPerformanceCounter [B0001.033]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_check_for_unmoving_mouse_cursor__2_matches_\",\n      \"label\": \"check for unmoving mouse cursor (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection::Human User\",\n        \"Check [B0009.012]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x499468\",\n      \"label\": \"Function 0x499468\",\n      \"type\": \"function\",\n      \"address\": \"0x499468\"\n    },\n    {\n      \"id\": \"func_0x498EBB\",\n      \"label\": \"Function 0x498EBB\",\n      \"type\": \"function\",\n      \"address\": \"0x498EBB\"\n    },\n    {\n      \"id\": \"cap_author______bitsofbinary\",\n      \"label\": \"author      BitsOfBinary\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection::Human User\",\n        \"Check [B0009.012]\"\n      ]\n    },\n    {\n      \"id\": \"cap_log_keystrokes__9_matches_\",\n      \"label\": \"log keystrokes (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Input Capture::Keylogging [T1056.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x462CEB\",\n      \"label\": \"Function 0x462CEB\",\n      \"type\": \"function\",\n      \"address\": \"0x462CEB\"\n    },\n    {\n      \"id\": \"func_0x46B04D\",\n      \"label\": \"Function 0x46B04D\",\n      \"type\": \"function\",\n      \"address\": \"0x46B04D\"\n    },\n    {\n      \"id\": \"func_0x4624E6\",\n      \"label\": \"Function 0x4624E6\",\n      \"type\": \"function\",\n      \"address\": \"0x4624E6\"\n    },\n    {\n      \"id\": \"func_0x4034CE\",\n      \"label\": \"Function 0x4034CE\",\n      \"type\": \"function\",\n      \"address\": \"0x4034CE\"\n    },\n    {\n      \"id\": \"func_0x41EFAD\",\n      \"label\": \"Function 
0x41EFAD\",\n      \"type\": \"function\",\n      \"address\": \"0x41EFAD\"\n    },\n    {\n      \"id\": \"func_0x46A90B\",\n      \"label\": \"Function 0x46A90B\",\n      \"type\": \"function\",\n      \"address\": \"0x46A90B\"\n    },\n    {\n      \"id\": \"func_0x463985\",\n      \"label\": \"Function 0x463985\",\n      \"type\": \"function\",\n      \"address\": \"0x463985\"\n    },\n    {\n      \"id\": \"func_0x46B1FD\",\n      \"label\": \"Function 0x46B1FD\",\n      \"type\": \"function\",\n      \"address\": \"0x46B1FD\"\n    },\n    {\n      \"id\": \"func_0x46B198\",\n      \"label\": \"Function 0x46B198\",\n      \"type\": \"function\",\n      \"address\": \"0x46B198\"\n    },\n    {\n      \"id\": \"api_MapVirtualKey\",\n      \"label\": \"MapVirtualKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_AttachThreadInput\",\n      \"label\": \"AttachThreadInput\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Input Capture::Keylogging [T1056.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"label\": \"log keystrokes via polling (11 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Keylogging::Polling [F0002.002]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46ABF8\",\n      \"label\": \"Function 0x46ABF8\",\n      \"type\": \"function\",\n      \"address\": \"0x46ABF8\"\n    },\n    {\n      \"id\": \"func_0x469B97\",\n      \"label\": \"Function 0x469B97\",\n      \"type\": \"function\",\n      \"address\": \"0x469B97\"\n    },\n    {\n      \"id\": \"func_0x469EAF\",\n      
\"label\": \"Function 0x469EAF\",\n      \"type\": \"function\",\n      \"address\": \"0x469EAF\"\n    },\n    {\n      \"id\": \"func_0x41EA9A\",\n      \"label\": \"Function 0x41EA9A\",\n      \"type\": \"function\",\n      \"address\": \"0x41EA9A\"\n    },\n    {\n      \"id\": \"func_0x46A975\",\n      \"label\": \"Function 0x46A975\",\n      \"type\": \"function\",\n      \"address\": \"0x46A975\"\n    },\n    {\n      \"id\": \"func_0x46ADD8\",\n      \"label\": \"Function 0x46ADD8\",\n      \"type\": \"function\",\n      \"address\": \"0x46ADD8\"\n    },\n    {\n      \"id\": \"func_0x4028C0\",\n      \"label\": \"Function 0x4028C0\",\n      \"type\": \"function\",\n      \"address\": \"0x4028C0\"\n    },\n    {\n      \"id\": \"func_0x46AABA\",\n      \"label\": \"Function 0x46AABA\",\n      \"type\": \"function\",\n      \"address\": \"0x46AABA\"\n    },\n    {\n      \"id\": \"api_GetAsyncKeyState\",\n      \"label\": \"GetAsyncKeyState\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetKeyState\",\n      \"label\": \"GetKeyState\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_VkKeyScan\",\n      \"label\": \"VkKeyScan\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetKeyboardState\",\n      \"label\": \"GetKeyboardState\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_capture_screenshot\",\n      \"label\": \"capture screenshot\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Screen Capture::WinAPI [E1113.m01]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x482483\",\n      \"label\": \"Function 0x482483\",\n      \"type\": \"function\",\n      \"address\": \"0x482483\"\n    },\n    {\n      \"id\": \"api_CreateCompatibleBitmap\",\n      \"label\": \"CreateCompatibleBitmap\",\n  
    \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CreateCompatibleDC\",\n      \"label\": \"CreateCompatibleDC\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetDC\",\n      \"label\": \"GetDC\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetDIBits\",\n      \"label\": \"GetDIBits\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com____re_fox__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Screen Capture::WinAPI [E1113.m01]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_remote_server_for_available_data\",\n      \"label\": \"query remote server for available data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"bb_0x47CE38\",\n      \"label\": \"Block 0x47CE38\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x47CE38\"\n    },\n    {\n      \"id\": \"api_InternetQueryDataAvailable\",\n      \"label\": \"InternetQueryDataAvailable\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_receive_data__4_matches_\",\n      \"label\": \"receive data (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Receive Data [B0030.002]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x481B87\",\n      \"label\": \"Function 0x481B87\",\n      \"type\": \"function\",\n      \"address\": \"0x481B87\"\n    },\n    {\n      \"id\": \"func_0x47CE38\",\n      \"label\": \"Function 0x47CE38\",\n      \"type\": 
\"function\",\n      \"address\": \"0x47CE38\"\n    },\n    {\n      \"id\": \"func_0x48135A\",\n      \"label\": \"Function 0x48135A\",\n      \"type\": \"function\",\n      \"address\": \"0x48135A\"\n    },\n    {\n      \"id\": \"func_0x47CD62\",\n      \"label\": \"Function 0x47CD62\",\n      \"type\": \"function\",\n      \"address\": \"0x47CD62\"\n    },\n    {\n      \"id\": \"api_recvfrom\",\n      \"label\": \"recvfrom\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"api_InternetReadFile\",\n      \"label\": \"InternetReadFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"api_recv\",\n      \"label\": \"recv\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"label\": \"author       william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Receive Data [B0030.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_data__3_matches_\",\n      \"label\": \"send data (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Send Data [B0030.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4814F1\",\n      \"label\": \"Function 0x4814F1\",\n      \"type\": \"function\",\n      \"address\": \"0x4814F1\"\n    },\n    {\n      \"id\": \"func_0x481F24\",\n      \"label\": \"Function 0x481F24\",\n      \"type\": \"function\",\n      \"address\": \"0x481F24\"\n    },\n    {\n      \"id\": \"func_0x47C394\",\n      \"label\": \"Function 0x47C394\",\n      \"type\": \"function\",\n      \"address\": \"0x47C394\"\n    },\n    {\n      \"id\": \"api_sendto\",\n      \"label\": \"sendto\",\n      \"type\": \"api\",\n    
  \"category\": \"network\"\n    },\n    {\n      \"id\": \"api_send\",\n      \"label\": \"send\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"api_HttpSendRequest\",\n      \"label\": \"HttpSendRequest\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"api_InternetConnect\",\n      \"label\": \"InternetConnect\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_HttpOpenRequest\",\n      \"label\": \"HttpOpenRequest\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author       william.ballenthin@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Send Data [B0030.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_download_and_write_a_file\",\n      \"label\": \"download and write a file\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"downloader\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Server to Client\",\n        \"File Transfer [B0030.003]\"\n      ]\n    },\n    {\n      \"id\": \"api__fwrite\",\n      \"label\": \"_fwrite\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_fwrite\",\n      \"label\": \"fwrite\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_maec_malware_category__downloader\",\n      \"label\": \"maec/malware-category  downloader\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"downloader\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Server to Client\",\n        \"File Transfer [B0030.003]\"\n      ]\n    },\n    
{\n      \"id\": \"cap_receive_and_write_data_from_server_to_client\",\n      \"label\": \"receive and write data from server to client\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_resolve_dns__3_matches_\",\n      \"label\": \"resolve DNS (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::DNS Communication::Resolve [C0011.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46DD45\",\n      \"label\": \"Function 0x46DD45\",\n      \"type\": \"function\",\n      \"address\": \"0x46DD45\"\n    },\n    {\n      \"id\": \"func_0x481288\",\n      \"label\": \"Function 0x481288\",\n      \"type\": \"function\",\n      \"address\": \"0x481288\"\n    },\n    {\n      \"id\": \"func_0x480482\",\n      \"label\": \"Function 0x480482\",\n      \"type\": \"function\",\n      \"address\": \"0x480482\"\n    },\n    {\n      \"id\": \"api_gethostbyname\",\n      \"label\": \"gethostbyname\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_michael_hunhoff_mandiant_com\",\n      \"label\": \"michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::DNS Communication::Resolve [C0011.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_connect_network_resource\",\n      \"label\": \"connect network resource\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x4605C7\",\n      \"label\": \"Function 0x4605C7\",\n      \"type\": \"function\",\n 
     \"address\": \"0x4605C7\"\n    },\n    {\n      \"id\": \"api_WNetAddConnection2\",\n      \"label\": \"WNetAddConnection2\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"label\": \"author       michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_parse_url\",\n      \"label\": \"parse URL\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"bb_0x47D012\",\n      \"label\": \"Block 0x47D012\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x47D012\"\n    },\n    {\n      \"id\": \"api_InternetCrackUrl\",\n      \"label\": \"InternetCrackUrl\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_connect_to_http_server__2_matches_\",\n      \"label\": \"connect to HTTP server (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Connect to Server [C0002.009]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47C061\",\n      \"label\": \"Function 0x47C061\",\n      \"type\": \"function\",\n      \"address\": \"0x47C061\"\n    },\n    {\n      \"id\": \"cap_connect_to_url\",\n      \"label\": \"connect to URL\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Open URL [C0002.004]\"\n      ]\n    },\n    {\n      \"id\": \"api_InternetOpenUrl\",\n      \"label\": \"InternetOpenUrl\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"cap_create_http_request\",\n      \"label\": \"create HTTP request\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      
\"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Create Request [C0002.012]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47CC3C\",\n      \"label\": \"Function 0x47CC3C\",\n      \"type\": \"function\",\n      \"address\": \"0x47CC3C\"\n    },\n    {\n      \"id\": \"api_InternetOpen\",\n      \"label\": \"InternetOpen\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Create Request [C0002.012]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_data_from_internet__2_matches_\",\n      \"label\": \"read data from Internet (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Get Response [C0002.017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_http_request\",\n      \"label\": \"send HTTP request\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Send Request [C0002.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Send Request [C0002.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_icmp_echo_request\",\n      \"label\": \"send ICMP echo request\",\n      \"type\": \"capability\",\n      \"severity\": 
\"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::ICMP Communication::Echo Request [C0014.002]\"\n      ]\n    },\n    {\n      \"id\": \"api_IcmpCloseHandle\",\n      \"label\": \"IcmpCloseHandle\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_IcmpSendEcho\",\n      \"label\": \"IcmpSendEcho\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_IcmpCreateFile\",\n      \"label\": \"IcmpCreateFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::ICMP Communication::Echo Request [C0014.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_pipe__2_matches_\",\n      \"label\": \"create pipe (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Interprocess Communication::Create Pipe [C0003.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4703F0\",\n      \"label\": \"Function 0x4703F0\",\n      \"type\": \"function\",\n      \"address\": \"0x4703F0\"\n    },\n    {\n      \"id\": \"func_0x4704C5\",\n      \"label\": \"Function 0x4704C5\",\n      \"type\": \"function\",\n      \"address\": \"0x4704C5\"\n    },\n    {\n      \"id\": \"api_CreatePipe\",\n      \"label\": \"CreatePipe\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_connect_socket\",\n      \"label\": \"connect socket\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"bb_0x4810AF\",\n      \"label\": \"Block 0x4810AF\",\n      \"type\": \"basic_block\",\n      
\"address\": \"0x4810AF\"\n    },\n    {\n      \"id\": \"api_connect\",\n      \"label\": \"connect\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_mrhafizfarhad_gmail_com\",\n      \"label\": \"mrhafizfarhad@gmail.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_get_socket_status\",\n      \"label\": \"get socket status\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Get Socket Status [C0001.012]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x483070\",\n      \"label\": \"Function 0x483070\",\n      \"type\": \"function\",\n      \"address\": \"0x483070\"\n    },\n    {\n      \"id\": \"api_select\",\n      \"label\": \"select\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_initialize_winsock_library__3_matches_\",\n      \"label\": \"initialize Winsock library (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Initialize Winsock Library\",\n        \"[C0001.009]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4815DA\",\n      \"label\": \"Function 0x4815DA\",\n      \"type\": \"function\",\n      \"address\": \"0x4815DA\"\n    },\n    {\n      \"id\": \"api_WSAStartup\",\n      \"label\": \"WSAStartup\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_socket_configuration__3_matches_\",\n      \"label\": \"set socket configuration (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Set Socket Config [C0001.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x482F75\",\n      
\"label\": \"Function 0x482F75\",\n      \"type\": \"function\",\n      \"address\": \"0x482F75\"\n    },\n    {\n      \"id\": \"func_0x4819FD\",\n      \"label\": \"Function 0x4819FD\",\n      \"type\": \"function\",\n      \"address\": \"0x4819FD\"\n    },\n    {\n      \"id\": \"api_setsockopt\",\n      \"label\": \"setsockopt\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_ioctlsocket\",\n      \"label\": \"ioctlsocket\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_receive_data_on_socket__2_matches_\",\n      \"label\": \"receive data on socket (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Receive Data [C0001.006]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_data_on_socket__2_matches_\",\n      \"label\": \"send data on socket (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Send Data [C0001.007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Send Data [C0001.007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_connect_tcp_socket\",\n      \"label\": \"connect TCP socket\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Connect Socket [C0001.004]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x480FDF\",\n      \"label\": \"Function 0x480FDF\",\n      \"type\": \"function\",\n      \"address\": \"0x480FDF\"\n    },\n    {\n      \"id\": \"api_socket\",\n      
\"label\": \"socket\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_tcp_socket__2_matches_\",\n      \"label\": \"create TCP socket (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create TCP Socket [C0001.011]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x481197\",\n      \"label\": \"Block 0x481197\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x481197\"\n    },\n    {\n      \"id\": \"bb_0x481033\",\n      \"label\": \"Block 0x481033\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x481033\"\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create TCP Socket [C0001.011]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_udp_socket__2_matches_\",\n      \"label\": \"create UDP socket (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create UDP Socket [C0001.010]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4819FD\",\n      \"label\": \"Block 0x4819FD\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4819FD\"\n    },\n    {\n      \"id\": \"bb_0x48177E\",\n      \"label\": \"Block 0x48177E\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x48177E\"\n    },\n    {\n      \"id\": \"cap_act_as_tcp_client\",\n      \"label\": \"act as TCP client\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::TCP Client 
[C0001.008]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::TCP Client [C0001.008]\"\n      ]\n    },\n    {\n      \"id\": \"cap_compiled_with_autoit\",\n      \"label\": \"compiled with AutoIt\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Command and Scripting Interpreter [T1059]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"label\": \"author      william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Command and Scripting Interpreter [T1059]\"\n      ]\n    },\n    {\n      \"id\": \"cap_hash_data_with_crc32\",\n      \"label\": \"hash data with CRC32\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Checksum::CRC32 [C0032.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4823E8\",\n      \"label\": \"Function 0x4823E8\",\n      \"type\": \"function\",\n      \"address\": \"0x4823E8\"\n    },\n    {\n      \"id\": \"cap_encode_data_using_base64\",\n      \"label\": \"encode data using Base64\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Obfuscated Files or Information::Encoding-Standard\",\n        \"Algorithm [E1027.m02]\",\n        \"Data::Encode Data::Base64 [C0026.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x41BEAD\",\n      \"label\": \"Function 0x41BEAD\",\n      \"type\": \"function\",\n      
\"address\": \"0x41BEAD\"\n    },\n    {\n      \"id\": \"cap_hash_data_using_djb2\",\n      \"label\": \"hash data using djb2\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Non-Cryptographic Hash::djb2 [C0030.006]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x408273\",\n      \"label\": \"Function 0x408273\",\n      \"type\": \"function\",\n      \"address\": \"0x408273\"\n    },\n    {\n      \"id\": \"cap_author______awillia2_cisco_com__still_teamt5_org\",\n      \"label\": \"author      awillia2@cisco.com, still@teamt5.org\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Non-Cryptographic Hash::djb2 [C0030.006]\"\n      ]\n    },\n    {\n      \"id\": \"cap_authenticate_hmac\",\n      \"label\": \"authenticate HMAC\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Hashed Message Authentication Code [C0061]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Hashed Message Authentication Code [C0061]\"\n      ]\n    },\n    {\n      \"id\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"label\": \"generate random numbers using a Mersenne Twister (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence [C0021]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x471E7A\",\n      \"label\": \"Function 0x471E7A\",\n      \"type\": \"function\",\n      \"address\": \"0x471E7A\"\n    },\n    {\n      \"id\": \"func_0x471EC0\",\n      
\"label\": \"Function 0x471EC0\",\n      \"type\": \"function\",\n      \"address\": \"0x471EC0\"\n    },\n    {\n      \"id\": \"func_0x471F64\",\n      \"label\": \"Function 0x471F64\",\n      \"type\": \"function\",\n      \"address\": \"0x471F64\"\n    },\n    {\n      \"id\": \"func_0x471F24\",\n      \"label\": \"Function 0x471F24\",\n      \"type\": \"function\",\n      \"address\": \"0x471F24\"\n    },\n    {\n      \"id\": \"cap_extract_resource_via_kernel32_functions\",\n      \"label\": \"extract resource via kernel32 functions\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x406122\",\n      \"label\": \"Function 0x406122\",\n      \"type\": \"function\",\n      \"address\": \"0x406122\"\n    },\n    {\n      \"id\": \"api_LockResource\",\n      \"label\": \"LockResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SizeofResource\",\n      \"label\": \"SizeofResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LoadResource\",\n      \"label\": \"LoadResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindResourceEx\",\n      \"label\": \"FindResourceEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_list_drag_and_drop_files\",\n      \"label\": \"list drag and drop files\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47EA26\",\n      \"label\": \"Function 0x47EA26\",\n      \"type\": \"function\",\n      \"address\": \"0x47EA26\"\n    },\n    {\n      \"id\": \"api_DragQueryFile\",\n      \"label\": \"DragQueryFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"api_GetClipboardData\",\n      \"label\": \"GetClipboardData\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_open_clipboard__2_matches_\",\n      \"label\": \"open clipboard (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47EC91\",\n      \"label\": \"Function 0x47EC91\",\n      \"type\": \"function\",\n      \"address\": \"0x47EC91\"\n    },\n    {\n      \"id\": \"api_CloseClipboard\",\n      \"label\": \"CloseClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_OpenClipboard\",\n      \"label\": \"OpenClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_read_clipboard_data\",\n      \"label\": \"read clipboard data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"api_GlobalLock\",\n      \"label\": \"GlobalLock\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GlobalUnlock\",\n      \"label\": \"GlobalUnlock\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"cap_write_clipboard_data\",\n      \"label\": \"write clipboard data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": 
[\n        \"Impact::Clipboard Modification [E1510]\"\n      ]\n    },\n    {\n      \"id\": \"api_EmptyClipboard\",\n      \"label\": \"EmptyClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SetClipboardData\",\n      \"label\": \"SetClipboardData\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_interact_with_driver_via_ioctl__4_matches_\",\n      \"label\": \"interact with driver via IOCTL (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"api_DeviceIoControl\",\n      \"label\": \"DeviceIoControl\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_comspec_environment_variable\",\n      \"label\": \"get COMSPEC environment variable\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Environment Variable [C0034]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x41D70E\",\n      \"label\": \"Function 0x41D70E\",\n      \"type\": \"function\",\n      \"address\": \"0x41D70E\"\n    },\n    {\n      \"id\": \"api_GetEnvironmentVariable\",\n      \"label\": \"GetEnvironmentVariable\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____matthew_williams_mandiant_com\",\n      \"label\": \"author     matthew.williams@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Environment Variable [C0034]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_environment_variable__3_matches_\",\n      \"label\": \"query environment variable (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information 
Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47EE14\",\n      \"label\": \"Function 0x47EE14\",\n      \"type\": \"function\",\n      \"address\": \"0x47EE14\"\n    },\n    {\n      \"id\": \"func_0x487559\",\n      \"label\": \"Function 0x487559\",\n      \"type\": \"function\",\n      \"address\": \"0x487559\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_environment_variable__2_matches_\",\n      \"label\": \"set environment variable (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Environment Variable::Set Variable [C0034.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x43D170\",\n      \"label\": \"Function 0x43D170\",\n      \"type\": \"function\",\n      \"address\": \"0x43D170\"\n    },\n    {\n      \"id\": \"func_0x47EE84\",\n      \"label\": \"Function 0x47EE84\",\n      \"type\": \"function\",\n      \"address\": \"0x47EE84\"\n    },\n    {\n      \"id\": \"api_SetEnvironmentVariable\",\n      \"label\": \"SetEnvironmentVariable\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_common_file_path__9_matches_\",\n      \"label\": \"get common file path (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46DE45\",\n      \"label\": \"Function 0x46DE45\",\n      \"type\": \"function\",\n      \"address\": \"0x46DE45\"\n    },\n    {\n      \"id\": \"func_0x472F35\",\n   
   \"label\": \"Function 0x472F35\",\n      \"type\": \"function\",\n      \"address\": \"0x472F35\"\n    },\n    {\n      \"id\": \"func_0x40445D\",\n      \"label\": \"Function 0x40445D\",\n      \"type\": \"function\",\n      \"address\": \"0x40445D\"\n    },\n    {\n      \"id\": \"func_0x4779B4\",\n      \"label\": \"Function 0x4779B4\",\n      \"type\": \"function\",\n      \"address\": \"0x4779B4\"\n    },\n    {\n      \"id\": \"func_0x477D0E\",\n      \"label\": \"Function 0x477D0E\",\n      \"type\": \"function\",\n      \"address\": \"0x477D0E\"\n    },\n    {\n      \"id\": \"func_0x48AF20\",\n      \"label\": \"Function 0x48AF20\",\n      \"type\": \"function\",\n      \"address\": \"0x48AF20\"\n    },\n    {\n      \"id\": \"func_0x41F962\",\n      \"label\": \"Function 0x41F962\",\n      \"type\": \"function\",\n      \"address\": \"0x41F962\"\n    },\n    {\n      \"id\": \"func_0x4780B3\",\n      \"label\": \"Function 0x4780B3\",\n      \"type\": \"function\",\n      \"address\": \"0x4780B3\"\n    },\n    {\n      \"id\": \"api_SHGetSpecialFolderLocation\",\n      \"label\": \"SHGetSpecialFolderLocation\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SHGetFolderPath\",\n      \"label\": \"SHGetFolderPath\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetWindowsDirectory\",\n      \"label\": \"GetWindowsDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetCurrentDirectory\",\n      \"label\": \"GetCurrentDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetSystemDirectory\",\n      \"label\": \"GetSystemDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetTempFileName\",\n      \"label\": \"GetTempFileName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      
\"id\": \"api_GetTempPath\",\n      \"label\": \"GetTempPath\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_current_directory__7_matches_\",\n      \"label\": \"set current directory (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x40AD7C\",\n      \"label\": \"Function 0x40AD7C\",\n      \"type\": \"function\",\n      \"address\": \"0x40AD7C\"\n    },\n    {\n      \"id\": \"func_0x479560\",\n      \"label\": \"Function 0x479560\",\n      \"type\": \"function\",\n      \"address\": \"0x479560\"\n    },\n    {\n      \"id\": \"func_0x4753D4\",\n      \"label\": \"Function 0x4753D4\",\n      \"type\": \"function\",\n      \"address\": \"0x4753D4\"\n    },\n    {\n      \"id\": \"func_0x4796BB\",\n      \"label\": \"Function 0x4796BB\",\n      \"type\": \"function\",\n      \"address\": \"0x4796BB\"\n    },\n    {\n      \"id\": \"api_SetCurrentDirectory\",\n      \"label\": \"SetCurrentDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_copy_file__3_matches_\",\n      \"label\": \"copy file (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Copy File [C0045]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x472865\",\n      \"label\": \"Function 0x472865\",\n      \"type\": \"function\",\n      \"address\": \"0x472865\"\n    },\n    {\n      \"id\": \"func_0x46D1BA\",\n      \"label\": \"Function 0x46D1BA\",\n      \"type\": \"function\",\n      \"address\": \"0x46D1BA\"\n    },\n    {\n      \"id\": \"func_0x46CE1E\",\n      \"label\": \"Function 0x46CE1E\",\n      \"type\": \"function\",\n      \"address\": \"0x46CE1E\"\n    },\n    {\n      \"id\": \"api_CopyFileEx\",\n      \"label\": \"CopyFileEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    
{\n      \"id\": \"api_SHFileOperation\",\n      \"label\": \"SHFileOperation\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CopyFile\",\n      \"label\": \"CopyFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_directory__2_matches_\",\n      \"label\": \"create directory (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46D1DF\",\n      \"label\": \"Function 0x46D1DF\",\n      \"type\": \"function\",\n      \"address\": \"0x46D1DF\"\n    },\n    {\n      \"id\": \"func_0x473C3C\",\n      \"label\": \"Function 0x473C3C\",\n      \"type\": \"function\",\n      \"address\": \"0x473C3C\"\n    },\n    {\n      \"id\": \"api_CreateDirectory\",\n      \"label\": \"CreateDirectory\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_delete_directory__2_matches_\",\n      \"label\": \"delete directory (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete Directory [C0048]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46E77B\",\n      \"label\": \"Function 0x46E77B\",\n      \"type\": \"function\",\n      \"address\": \"0x46E77B\"\n    },\n    {\n      \"id\": \"api_RemoveDirectory\",\n      \"label\": \"RemoveDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_delete_file__6_matches_\",\n      \"label\": \"delete file (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46CF94\",\n      \"label\": \"Function 
0x46CF94\",\n      \"type\": \"function\",\n      \"address\": \"0x46CF94\"\n    },\n    {\n      \"id\": \"func_0x4778BA\",\n      \"label\": \"Function 0x4778BA\",\n      \"type\": \"function\",\n      \"address\": \"0x4778BA\"\n    },\n    {\n      \"id\": \"func_0x46D2C7\",\n      \"label\": \"Function 0x46D2C7\",\n      \"type\": \"function\",\n      \"address\": \"0x46D2C7\"\n    },\n    {\n      \"id\": \"func_0x4755F7\",\n      \"label\": \"Function 0x4755F7\",\n      \"type\": \"function\",\n      \"address\": \"0x4755F7\"\n    },\n    {\n      \"id\": \"api_DeleteFile\",\n      \"label\": \"DeleteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_check_if_file_exists__3_matches_\",\n      \"label\": \"check if file exists (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46E0B7\",\n      \"label\": \"Function 0x46E0B7\",\n      \"type\": \"function\",\n      \"address\": \"0x46E0B7\"\n    },\n    {\n      \"id\": \"func_0x46DADC\",\n      \"label\": \"Function 0x46DADC\",\n      \"type\": \"function\",\n      \"address\": \"0x46DADC\"\n    },\n    {\n      \"id\": \"api_GetFileAttributes\",\n      \"label\": \"GetFileAttributes\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"api_GetLastError\",\n      \"label\": \"GetLastError\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"label\": \"enumerate files on Windows (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x479A49\",\n      \"label\": 
\"Function 0x479A49\",\n      \"type\": \"function\",\n      \"address\": \"0x479A49\"\n    },\n    {\n      \"id\": \"func_0x475BB5\",\n      \"label\": \"Function 0x475BB5\",\n      \"type\": \"function\",\n      \"address\": \"0x475BB5\"\n    },\n    {\n      \"id\": \"api_FindClose\",\n      \"label\": \"FindClose\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindNextFile\",\n      \"label\": \"FindNextFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindFirstFile\",\n      \"label\": \"FindFirstFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_files_recursively__3_matches_\",\n      \"label\": \"enumerate files recursively (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     @_re_fox, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_attributes__5_matches_\",\n      \"label\": \"get file attributes (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File 
Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x477F04\",\n      \"label\": \"Block 0x477F04\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x477F04\"\n    },\n    {\n      \"id\": \"bb_0x46D1DF\",\n      \"label\": \"Block 0x46D1DF\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46D1DF\"\n    },\n    {\n      \"id\": \"bb_0x46E0B7\",\n      \"label\": \"Block 0x46E0B7\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46E0B7\"\n    },\n    {\n      \"id\": \"bb_0x46DAFA\",\n      \"label\": \"Block 0x46DAFA\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46DAFA\"\n    },\n    {\n      \"id\": \"bb_0x4795B8\",\n      \"label\": \"Block 0x4795B8\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4795B8\"\n    },\n    {\n      \"id\": \"cap_get_file_size__2_matches_\",\n      \"label\": \"get file size (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x482A05\",\n      \"label\": \"Function 0x482A05\",\n      \"type\": \"function\",\n      \"address\": \"0x482A05\"\n    },\n    {\n      \"id\": \"func_0x498461\",\n      \"label\": \"Function 0x498461\",\n      \"type\": \"function\",\n      \"address\": \"0x498461\"\n    },\n    {\n      \"id\": \"api_GetFileSize\",\n      \"label\": \"GetFileSize\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_file_version_info\",\n      \"label\": \"get file version info\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46DB2C\",\n      \"label\": \"Function 0x46DB2C\",\n      \"type\": \"function\",\n      \"address\": \"0x46DB2C\"\n    },\n    {\n      
\"id\": \"api_GetFileVersionInfoSize\",\n      \"label\": \"GetFileVersionInfoSize\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_VerQueryValue\",\n      \"label\": \"VerQueryValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetFileVersionInfo\",\n      \"label\": \"GetFileVersionInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_file_attributes__2_matches_\",\n      \"label\": \"set file attributes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Set File Attributes [C0050]\"\n      ]\n    },\n    {\n      \"id\": \"api_SetFileAttributes\",\n      \"label\": \"SetFileAttributes\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_move_file__3_matches_\",\n      \"label\": \"move file (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Move File [C0063]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46E319\",\n      \"label\": \"Function 0x46E319\",\n      \"type\": \"function\",\n      \"address\": \"0x46E319\"\n    },\n    {\n      \"id\": \"api_MoveFile\",\n      \"label\": \"MoveFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_read__ini_file__4_matches_\",\n      \"label\": \"read .ini file (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x478A19\",\n      \"label\": \"Function 0x478A19\",\n      \"type\": \"function\",\n      \"address\": \"0x478A19\"\n    },\n    {\n      \"id\": \"func_0x4783FD\",\n      \"label\": \"Function 0x4783FD\",\n      
\"type\": \"function\",\n      \"address\": \"0x4783FD\"\n    },\n    {\n      \"id\": \"func_0x4787FC\",\n      \"label\": \"Function 0x4787FC\",\n      \"type\": \"function\",\n      \"address\": \"0x4787FC\"\n    },\n    {\n      \"id\": \"func_0x4784BF\",\n      \"label\": \"Function 0x4784BF\",\n      \"type\": \"function\",\n      \"address\": \"0x4784BF\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileString\",\n      \"label\": \"GetPrivateProfileString\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileSectionNames\",\n      \"label\": \"GetPrivateProfileSectionNames\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileSection\",\n      \"label\": \"GetPrivateProfileSection\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     @_re_fox, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_file_on_windows__9_matches_\",\n      \"label\": \"read file on Windows (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x43921B\",\n      \"label\": \"Function 0x43921B\",\n      \"type\": \"function\",\n      \"address\": \"0x43921B\"\n    },\n    {\n      \"id\": \"func_0x472475\",\n      \"label\": \"Function 0x472475\",\n      \"type\": \"function\",\n      \"address\": \"0x472475\"\n    },\n    {\n      \"id\": \"func_0x47070D\",\n      \"label\": \"Function 0x47070D\",\n      \"type\": \"function\",\n      \"address\": \"0x47070D\"\n    },\n    {\n      \"id\": 
\"func_0x4725B1\",\n      \"label\": \"Function 0x4725B1\",\n      \"type\": \"function\",\n      \"address\": \"0x4725B1\"\n    },\n    {\n      \"id\": \"func_0x40B230\",\n      \"label\": \"Function 0x40B230\",\n      \"type\": \"function\",\n      \"address\": \"0x40B230\"\n    },\n    {\n      \"id\": \"func_0x40B3B0\",\n      \"label\": \"Function 0x40B3B0\",\n      \"type\": \"function\",\n      \"address\": \"0x40B3B0\"\n    },\n    {\n      \"id\": \"func_0x406A95\",\n      \"label\": \"Function 0x406A95\",\n      \"type\": \"function\",\n      \"address\": \"0x406A95\"\n    },\n    {\n      \"id\": \"api__read\",\n      \"label\": \"_read\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_fread\",\n      \"label\": \"fread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_ReadFile\",\n      \"label\": \"ReadFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_clear_file_content\",\n      \"label\": \"clear file content\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x477FD5\",\n      \"label\": \"Function 0x477FD5\",\n      \"type\": \"function\",\n      \"address\": \"0x477FD5\"\n    },\n    {\n      \"id\": \"api_SetEndOfFile\",\n      \"label\": \"SetEndOfFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SetFilePointer\",\n      \"label\": 
\"SetFilePointer\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____jakeperalta7\",\n      \"label\": \"author     jakeperalta7\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_write_file_on_windows__7_matches_\",\n      \"label\": \"write file on Windows (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x41F5B3\",\n      \"label\": \"Function 0x41F5B3\",\n      \"type\": \"function\",\n      \"address\": \"0x41F5B3\"\n    },\n    {\n      \"id\": \"func_0x472642\",\n      \"label\": \"Function 0x472642\",\n      \"type\": \"function\",\n      \"address\": \"0x472642\"\n    },\n    {\n      \"id\": \"func_0x4725F5\",\n      \"label\": \"Function 0x4725F5\",\n      \"type\": \"function\",\n      \"address\": \"0x4725F5\"\n    },\n    {\n      \"id\": \"func_0x470633\",\n      \"label\": \"Function 0x470633\",\n      \"type\": \"function\",\n      \"address\": \"0x470633\"\n    },\n    {\n      \"id\": \"func_0x46CC1D\",\n      \"label\": \"Function 0x46CC1D\",\n      \"type\": \"function\",\n      \"address\": \"0x46CC1D\"\n    },\n    {\n      \"id\": \"api_WriteFile\",\n      \"label\": \"WriteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_enumerate_gui_resources\",\n      \"label\": \"enumerate gui resources\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x464144\",\n      \"label\": \"Function 0x464144\",\n      \"type\": \"function\",\n      \"address\": \"0x464144\"\n    },\n    {\n      \"id\": \"api_EnumWindows\",\n      \"label\": \"EnumWindows\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     johnk3r, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_find_taskbar__3_matches_\",\n      \"label\": \"find taskbar (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Taskbar Discovery [B0043]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x492255\",\n      \"label\": \"Block 0x492255\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x492255\"\n    },\n    {\n      \"id\": \"bb_0x492289\",\n      \"label\": \"Block 0x492289\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x492289\"\n    },\n    {\n      \"id\": \"bb_0x41EFCE\",\n      \"label\": \"Block 0x41EFCE\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x41EFCE\"\n    },\n    {\n      \"id\": \"api_FindWindow\",\n      \"label\": \"FindWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_find_graphical_window__4_matches_\",\n      \"label\": \"find graphical window (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": 
\"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"api_FindWindowEx\",\n      \"label\": \"FindWindowEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_graphical_window_text__11_matches_\",\n      \"label\": \"get graphical window text (11 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [E1010]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x464BD3\",\n      \"label\": \"Function 0x464BD3\",\n      \"type\": \"function\",\n      \"address\": \"0x464BD3\"\n    },\n    {\n      \"id\": \"func_0x47E8F7\",\n      \"label\": \"Function 0x47E8F7\",\n      \"type\": \"function\",\n      \"address\": \"0x47E8F7\"\n    },\n    {\n      \"id\": \"func_0x461A70\",\n      \"label\": \"Function 0x461A70\",\n      \"type\": \"function\",\n      \"address\": \"0x461A70\"\n    },\n    {\n      \"id\": \"func_0x496FA4\",\n      \"label\": \"Function 0x496FA4\",\n      \"type\": \"function\",\n      \"address\": \"0x496FA4\"\n    },\n    {\n      \"id\": \"func_0x465B9A\",\n      \"label\": \"Function 0x465B9A\",\n      \"type\": \"function\",\n      \"address\": \"0x465B9A\"\n    },\n    {\n      \"id\": \"func_0x46359E\",\n      \"label\": \"Function 0x46359E\",\n      \"type\": \"function\",\n      \"address\": \"0x46359E\"\n    },\n    {\n      \"id\": \"func_0x4947A8\",\n      \"label\": \"Function 0x4947A8\",\n      \"type\": \"function\",\n      \"address\": \"0x4947A8\"\n    },\n    {\n      \"id\": \"func_0x46489C\",\n      \"label\": \"Function 0x46489C\",\n      \"type\": \"function\",\n      \"address\": \"0x46489C\"\n    },\n    {\n      \"id\": \"func_0x463B0C\",\n      \"label\": \"Function 0x463B0C\",\n      \"type\": \"function\",\n      \"address\": \"0x463B0C\"\n    },\n    {\n      \"id\": \"func_0x4972B7\",\n   
   \"label\": \"Function 0x4972B7\",\n      \"type\": \"function\",\n      \"address\": \"0x4972B7\"\n    },\n    {\n      \"id\": \"func_0x491E0D\",\n      \"label\": \"Function 0x491E0D\",\n      \"type\": \"function\",\n      \"address\": \"0x491E0D\"\n    },\n    {\n      \"id\": \"api_SendMessage\",\n      \"label\": \"SendMessage\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetWindowText\",\n      \"label\": \"GetWindowText\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_IsWindowVisible\",\n      \"label\": \"IsWindowVisible\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_hide_graphical_window__8_matches_\",\n      \"label\": \"hide graphical window (8 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4981BF\",\n      \"label\": \"Block 0x4981BF\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4981BF\"\n    },\n    {\n      \"id\": \"bb_0x4827C2\",\n      \"label\": \"Block 0x4827C2\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4827C2\"\n    },\n    {\n      \"id\": \"bb_0x4950F2\",\n      \"label\": \"Block 0x4950F2\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4950F2\"\n    },\n    {\n      \"id\": \"bb_0x49015D\",\n      \"label\": \"Block 0x49015D\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x49015D\"\n    },\n    {\n      \"id\": \"bb_0x45F0F9\",\n      \"label\": \"Block 0x45F0F9\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x45F0F9\"\n    },\n    {\n      \"id\": \"bb_0x496B61\",\n      \"label\": \"Block 0x496B61\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x496B61\"\n    },\n    {\n      \"id\": \"bb_0x49A198\",\n      \"label\": 
\"Block 0x49A198\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x49A198\"\n    },\n    {\n      \"id\": \"bb_0x49813A\",\n      \"label\": \"Block 0x49813A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x49813A\"\n    },\n    {\n      \"id\": \"api_ShowWindow\",\n      \"label\": \"ShowWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_keyboard_layout\",\n      \"label\": \"get keyboard layout\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery::System Language Discovery [T1614.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetKeyboardLayoutName\",\n      \"label\": \"GetKeyboardLayoutName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_memory_capacity\",\n      \"label\": \"get memory capacity\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x41F370\",\n      \"label\": \"Function 0x41F370\",\n      \"type\": \"function\",\n      \"address\": \"0x41F370\"\n    },\n    {\n      \"id\": \"api_GlobalMemoryStatusEx\",\n      \"label\": \"GlobalMemoryStatusEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_disk_information__6_matches_\",\n      \"label\": \"get disk information (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x474844\",\n      \"label\": \"Function 0x474844\",\n      \"type\": \"function\",\n      \"address\": \"0x474844\"\n    },\n    {\n      \"id\": \"func_0x4749FD\",\n      \"label\": 
\"Function 0x4749FD\",\n      \"type\": \"function\",\n      \"address\": \"0x4749FD\"\n    },\n    {\n      \"id\": \"func_0x474912\",\n      \"label\": \"Function 0x474912\",\n      \"type\": \"function\",\n      \"address\": \"0x474912\"\n    },\n    {\n      \"id\": \"func_0x4743DE\",\n      \"label\": \"Function 0x4743DE\",\n      \"type\": \"function\",\n      \"address\": \"0x4743DE\"\n    },\n    {\n      \"id\": \"func_0x474776\",\n      \"label\": \"Function 0x474776\",\n      \"type\": \"function\",\n      \"address\": \"0x474776\"\n    },\n    {\n      \"id\": \"func_0x473D97\",\n      \"label\": \"Function 0x473D97\",\n      \"type\": \"function\",\n      \"address\": \"0x473D97\"\n    },\n    {\n      \"id\": \"api_GetDriveType\",\n      \"label\": \"GetDriveType\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetVolumeInformation\",\n      \"label\": \"GetVolumeInformation\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_disk_size__3_matches_\",\n      \"label\": \"get disk size (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4750EB\",\n      \"label\": \"Function 0x4750EB\",\n      \"type\": \"function\",\n      \"address\": \"0x4750EB\"\n    },\n    {\n      \"id\": \"func_0x4751CE\",\n      \"label\": \"Function 0x4751CE\",\n      \"type\": \"function\",\n      \"address\": \"0x4751CE\"\n    },\n    {\n      \"id\": \"func_0x4752B1\",\n      \"label\": \"Function 0x4752B1\",\n      \"type\": \"function\",\n      \"address\": \"0x4752B1\"\n    },\n    {\n      \"id\": \"api_GetDiskFreeSpace\",\n      \"label\": \"GetDiskFreeSpace\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetDiskFreeSpaceEx\",\n      \"label\": 
\"GetDiskFreeSpaceEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_storage_device_properties__2_matches_\",\n      \"label\": \"get storage device properties (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x46D588\",\n      \"label\": \"Function 0x46D588\",\n      \"type\": \"function\",\n      \"address\": \"0x46D588\"\n    },\n    {\n      \"id\": \"func_0x46D509\",\n      \"label\": \"Function 0x46D509\",\n      \"type\": \"function\",\n      \"address\": \"0x46D509\"\n    },\n    {\n      \"id\": \"cap_print_debug_messages\",\n      \"label\": \"print debug messages\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"api_OutputDebugString\",\n      \"label\": \"OutputDebugString\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_shutdown_system\",\n      \"label\": \"shutdown system\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::System Shutdown/Reboot [T1529]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46E814\",\n      \"label\": \"Function 0x46E814\",\n      \"type\": \"function\",\n      \"address\": \"0x46E814\"\n    },\n    {\n      \"id\": \"api_ExitWindowsEx\",\n      \"label\": \"ExitWindowsEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_InitiateSystemShutdownEx\",\n      \"label\": \"InitiateSystemShutdownEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_hostname__2_matches_\",\n      \"label\": \"get hostname (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      
]\n    },\n    {\n      \"id\": \"api_GetComputerName\",\n      \"label\": \"GetComputerName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_gethostname\",\n      \"label\": \"gethostname\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_system_information_on_windows\",\n      \"label\": \"get system information on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40615E\",\n      \"label\": \"Function 0x40615E\",\n      \"type\": \"function\",\n      \"address\": \"0x40615E\"\n    },\n    {\n      \"id\": \"api_GetSystemInfo\",\n      \"label\": \"GetSystemInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_process_on_windows__6_matches_\",\n      \"label\": \"create process on Windows (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x498064\",\n      \"label\": \"Block 0x498064\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x498064\"\n    },\n    {\n      \"id\": \"bb_0x4437E0\",\n      \"label\": \"Block 0x4437E0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4437E0\"\n    },\n    {\n      \"id\": \"bb_0x461472\",\n      \"label\": \"Block 0x461472\",\n      \"type\": \"basic_block\",\n      
\"address\": \"0x461472\"\n    },\n    {\n      \"id\": \"bb_0x48B2C1\",\n      \"label\": \"Block 0x48B2C1\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x48B2C1\"\n    },\n    {\n      \"id\": \"bb_0x46134A\",\n      \"label\": \"Block 0x46134A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46134A\"\n    },\n    {\n      \"id\": \"bb_0x48AD7A\",\n      \"label\": \"Block 0x48AD7A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x48AD7A\"\n    },\n    {\n      \"id\": \"api_ShellExecuteEx\",\n      \"label\": \"ShellExecuteEx\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_CreateProcessWithLogon\",\n      \"label\": \"CreateProcessWithLogon\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_CreateProcessAsUser\",\n      \"label\": \"CreateProcessAsUser\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_ShellExecute\",\n      \"label\": \"ShellExecute\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_CreateProcess\",\n      \"label\": \"CreateProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_allocate_or_change_rwx_memory\",\n      \"label\": \"allocate or change RWX memory\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x489881\",\n      \"label\": \"Block 0x489881\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x489881\"\n    },\n    {\n      \"id\": \"api_VirtualAlloc\",\n      \"label\": \"VirtualAlloc\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______mr_tz__mehunhoff_google_com\",\n      \"label\": \"author     @mr-tz, mehunhoff@google.com\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_processes__2_matches_\",\n      \"label\": \"enumerate processes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\",\n        \"Discovery::Software Discovery\",\n        \"[T1518]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46D3FA\",\n      \"label\": \"Function 0x46D3FA\",\n      \"type\": \"function\",\n      \"address\": \"0x46D3FA\"\n    },\n    {\n      \"id\": \"func_0x48A5A3\",\n      \"label\": \"Function 0x48A5A3\",\n      \"type\": \"function\",\n      \"address\": \"0x48A5A3\"\n    },\n    {\n      \"id\": \"api_Process32First\",\n      \"label\": \"Process32First\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_Process32Next\",\n      \"label\": \"Process32Next\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CreateToolhelp32Snapshot\",\n      \"label\": \"CreateToolhelp32Snapshot\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_acquire_debug_privileges\",\n      \"label\": \"acquire debug privileges\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x48A0B6\",\n      \"label\": \"Block 0x48A0B6\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x48A0B6\"\n    },\n    {\n      \"id\": \"cap_modify_access_privileges__2_matches_\",\n      \"label\": \"modify access privileges (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        
\"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": \"api_AdjustTokenPrivileges\",\n      \"label\": \"AdjustTokenPrivileges\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_terminate_process__3_matches_\",\n      \"label\": \"terminate process (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Process [C0018]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x487E80\",\n      \"label\": \"Function 0x487E80\",\n      \"type\": \"function\",\n      \"address\": \"0x487E80\"\n    },\n    {\n      \"id\": \"func_0x46EA3E\",\n      \"label\": \"Function 0x46EA3E\",\n      \"type\": \"function\",\n      \"address\": \"0x46EA3E\"\n    },\n    {\n      \"id\": \"func_0x48A009\",\n      \"label\": \"Function 0x48A009\",\n      \"type\": \"function\",\n      \"address\": \"0x48A009\"\n    },\n    {\n      \"id\": \"api_TerminateProcess\",\n      \"label\": \"TerminateProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_empty_the_recycle_bin\",\n      \"label\": \"empty the recycle bin\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x477953\",\n      \"label\": \"Function 0x477953\",\n      \"type\": \"function\",\n      \"address\": \"0x477953\"\n    },\n    {\n      \"id\": \"api_SHEmptyRecycleBin\",\n      \"label\": \"SHEmptyRecycleBin\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_key__2_matches_\",\n      \"label\": \"query or enumerate registry key (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Key [C0036.005]\"\n      ]\n    },\n    
{\n      \"id\": \"func_0x48B8F0\",\n      \"label\": \"Function 0x48B8F0\",\n      \"type\": \"function\",\n      \"address\": \"0x48B8F0\"\n    },\n    {\n      \"id\": \"func_0x48CB5B\",\n      \"label\": \"Function 0x48CB5B\",\n      \"type\": \"function\",\n      \"address\": \"0x48CB5B\"\n    },\n    {\n      \"id\": \"api_RegEnumKeyEx\",\n      \"label\": \"RegEnumKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"label\": \"query or enumerate registry value (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Value [C0036.006]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x48BD6B\",\n      \"label\": \"Function 0x48BD6B\",\n      \"type\": \"function\",\n      \"address\": \"0x48BD6B\"\n    },\n    {\n      \"id\": \"func_0x48BB02\",\n      \"label\": \"Function 0x48BB02\",\n      \"type\": \"function\",\n      \"address\": \"0x48BB02\"\n    },\n    {\n      \"id\": \"func_0x40533E\",\n      \"label\": \"Function 0x40533E\",\n      \"type\": \"function\",\n      \"address\": \"0x40533E\"\n    },\n    {\n      \"id\": \"func_0x4059A7\",\n      \"label\": \"Function 0x4059A7\",\n      \"type\": \"function\",\n      \"address\": \"0x4059A7\"\n    },\n    {\n      \"id\": \"api_RegQueryValueEx\",\n      \"label\": \"RegQueryValueEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_RegEnumValue\",\n      \"label\": \"RegEnumValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_registry_value\",\n      \"label\": \"set registry value\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Set Registry Key [C0036.001]\"\n      ]\n    },\n   
 {\n      \"id\": \"func_0x48C2DE\",\n      \"label\": \"Function 0x48C2DE\",\n      \"type\": \"function\",\n      \"address\": \"0x48C2DE\"\n    },\n    {\n      \"id\": \"api_RegCreateKeyEx\",\n      \"label\": \"RegCreateKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"api_RegSetValueEx\",\n      \"label\": \"RegSetValueEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_delete_registry_key__2_matches_\",\n      \"label\": \"delete registry key (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x48B535\",\n      \"label\": \"Function 0x48B535\",\n      \"type\": \"function\",\n      \"address\": \"0x48B535\"\n    },\n    {\n      \"id\": \"api_RegDeleteKey\",\n      \"label\": \"RegDeleteKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_registry_value\",\n      \"label\": \"delete registry value\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Value [C0036.007]\"\n      ]\n    },\n    {\n      \"id\": \"api_RegDeleteValue\",\n      \"label\": \"RegDeleteValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_session_user_name\",\n      
\"label\": \"get session user name\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\",\n        \"Discovery::Account\",\n        \"Discovery [T1087]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetUserName\",\n      \"label\": \"GetUserName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_token_membership\",\n      \"label\": \"get token membership\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4615A7\",\n      \"label\": \"Function 0x4615A7\",\n      \"type\": \"function\",\n      \"address\": \"0x4615A7\"\n    },\n    {\n      \"id\": \"api_FreeSid\",\n      \"label\": \"FreeSid\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_AllocateAndInitializeSid\",\n      \"label\": \"AllocateAndInitializeSid\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CheckTokenMembership\",\n      \"label\": \"CheckTokenMembership\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_token_privileges\",\n      \"label\": \"get token privileges\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x460F58\",\n      \"label\": \"Function 0x460F58\",\n      \"type\": \"function\",\n      \"address\": \"0x460F58\"\n    },\n    {\n      \"id\": \"api_GetTokenInformation\",\n      \"label\": \"GetTokenInformation\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_thread__5_matches_\",\n      \"label\": \"create thread (5 matches)\",\n      \"type\": \"capability\",\n      
\"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x47D13B\",\n      \"label\": \"Block 0x47D13B\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x47D13B\"\n    },\n    {\n      \"id\": \"bb_0x461747\",\n      \"label\": \"Block 0x461747\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x461747\"\n    },\n    {\n      \"id\": \"bb_0x470870\",\n      \"label\": \"Block 0x470870\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x470870\"\n    },\n    {\n      \"id\": \"bb_0x46E114\",\n      \"label\": \"Block 0x46E114\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46E114\"\n    },\n    {\n      \"id\": \"api_CreateThread\",\n      \"label\": \"CreateThread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api__beginthreadex\",\n      \"label\": \"_beginthreadex\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api__beginthread\",\n      \"label\": \"_beginthread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"joakim@intezer.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_terminate_thread\",\n      \"label\": \"terminate thread\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Thread [C0039]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4708A6\",\n      \"label\": \"Block 0x4708A6\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4708A6\"\n    },\n    {\n      \"id\": \"api_TerminateThread\",\n      \"label\": 
\"TerminateThread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_impersonate_user\",\n      \"label\": \"impersonate user\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation::Token\",\n        \"Impersonation/Theft [T1134.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x461145\",\n      \"label\": \"Function 0x461145\",\n      \"type\": \"function\",\n      \"address\": \"0x461145\"\n    },\n    {\n      \"id\": \"api_LoadUserProfile\",\n      \"label\": \"LoadUserProfile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LogonUser\",\n      \"label\": \"LogonUser\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__99_elad_levi_gmail_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, 99.elad.levi@gmail.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation::Token\",\n        \"Impersonation/Theft [T1134.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap__internal__autoit_file_limitation\",\n      \"label\": \"(internal) autoit file limitation\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_link_function_at_runtime_on_windows__13_matches_\",\n      \"label\": \"link function at runtime on Windows (13 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetProcAddress\",\n      \"label\": \"GetProcAddress\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_parse_pe_header\",\n      \"label\": \"parse PE header\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40B7E0\",\n      \"label\": \"Function 0x40B7E0\",\n      \"type\": \"function\",\n      \"address\": \"0x40B7E0\"\n    },\n    {\n      \"id\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"label\": \"resolve function by parsing PE exports (15 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x476E0F\",\n      \"label\": \"Function 0x476E0F\",\n      \"type\": \"function\",\n      \"address\": \"0x476E0F\"\n    },\n    {\n      \"id\": \"func_0x40D840\",\n      \"label\": \"Function 0x40D840\",\n      \"type\": \"function\",\n      \"address\": \"0x40D840\"\n    },\n    {\n      \"id\": \"func_0x47902A\",\n      \"label\": \"Function 0x47902A\",\n      \"type\": \"function\",\n      \"address\": \"0x47902A\"\n    },\n    {\n      \"id\": \"func_0x40A180\",\n      \"label\": \"Function 0x40A180\",\n      \"type\": \"function\",\n      \"address\": \"0x40A180\"\n    },\n    {\n      \"id\": \"func_0x490F26\",\n      \"label\": \"Function 0x490F26\",\n      \"type\": \"function\",\n      \"address\": \"0x490F26\"\n    },\n    {\n      \"id\": \"func_0x466502\",\n      \"label\": \"Function 0x466502\",\n      \"type\": \"function\",\n      \"address\": \"0x466502\"\n    },\n    {\n      \"id\": \"func_0x401641\",\n      \"label\": \"Function 
0x401641\",\n      \"type\": \"function\",\n      \"address\": \"0x401641\"\n    },\n    {\n      \"id\": \"func_0x4681EE\",\n      \"label\": \"Function 0x4681EE\",\n      \"type\": \"function\",\n      \"address\": \"0x4681EE\"\n    },\n    {\n      \"id\": \"func_0x4763AC\",\n      \"label\": \"Function 0x4763AC\",\n      \"type\": \"function\",\n      \"address\": \"0x4763AC\"\n    },\n    {\n      \"id\": \"func_0x408BAA\",\n      \"label\": \"Function 0x408BAA\",\n      \"type\": \"function\",\n      \"address\": \"0x408BAA\"\n    },\n    {\n      \"id\": \"func_0x410540\",\n      \"label\": \"Function 0x410540\",\n      \"type\": \"function\",\n      \"address\": \"0x410540\"\n    },\n    {\n      \"id\": \"func_0x4095C0\",\n      \"label\": \"Function 0x4095C0\",\n      \"type\": \"function\",\n      \"address\": \"0x4095C0\"\n    },\n    {\n      \"id\": \"cap_author_____sara_rn\",\n      \"label\": \"author     sara-rn\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_execute_shellcode_via_indirect_call\",\n      \"label\": \"execute shellcode via indirect call\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4895BB\",\n      \"label\": \"Function 0x4895BB\",\n      \"type\": \"function\",\n      \"address\": \"0x4895BB\"\n    },\n    {\n      \"id\": \"cap_author_____ronnie_salomonsen_mandiant_com\",\n      \"label\": \"author     ronnie.salomonsen@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_shortcut_via_ishelllink__2_matches_\",\n      \"label\": \"create shortcut via IShellLink (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": 
\"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Boot or Logon Autostart Execution::Shortcut\",\n        \"Modification [T1547.009]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47573C\",\n      \"label\": \"Function 0x47573C\",\n      \"type\": \"function\",\n      \"address\": \"0x47573C\"\n    },\n    {\n      \"id\": \"api_CoCreateInstance\",\n      \"label\": \"CoCreateInstance\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______matthew_williams_mandiant_com\",\n      \"label\": \"author      matthew.williams@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Boot or Logon Autostart Execution::Shortcut\",\n        \"Modification [T1547.009]\"\n      ]\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_allocate_memory__2_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_allocate_memory__2_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x46B26C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_loop__489_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_contain_loop__489_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x401202\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_or_open_file__13_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"malware_file\",\n      \"target\": \"cap_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_rule_\",\n      \"target\": \"bb_0x40533E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delay_execution__37_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delay_execution__37_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x40F4AF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_open_process__7_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_open_process__7_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x46B26C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"target\": \"func_0x469B67\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"target\": \"func_0x46E899\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"target\": \"func_0x469B7E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"target\": \"func_0x46AFC6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x469B67\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E899\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x469B7E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46AFC6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_for_unmoving_mouse_cursor__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_for_unmoving_mouse_cursor__2_matches_\",\n      \"target\": \"func_0x499468\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_for_unmoving_mouse_cursor__2_matches_\",\n      \"target\": \"func_0x498EBB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______bitsofbinary\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______bitsofbinary\",\n      \"target\": \"func_0x499468\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______bitsofbinary\",\n      \"target\": \"func_0x498EBB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x462CEB\",\n      \"relationship\": \"implemented_by\"\n    },\n    
{\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x46B04D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x4624E6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x4034CE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x41EFAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x46A90B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x463985\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x46B1FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x46B198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x462CEB\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B04D\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4624E6\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4034CE\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EFAD\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n 
     \"source\": \"func_0x463985\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B1FD\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x462CEB\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B04D\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4624E6\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4034CE\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EFAD\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463985\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B1FD\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x462CEB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": 
\"func_0x46B04D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4624E6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4034CE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x41EFAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x46A90B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x463985\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x46B1FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x46B198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x462CEB\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B04D\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4624E6\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4034CE\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EFAD\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x463985\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B1FD\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x462CEB\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B04D\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4624E6\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4034CE\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EFAD\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463985\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B1FD\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x499468\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": 
\"func_0x46ABF8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x469B97\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x469EAF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x41EA9A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x46A975\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x46A90B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x46ADD8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x4028C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x46B198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x46AABA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x469EAF\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": 
\"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x46ABF8\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x499468\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46ABF8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x469B97\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x469EAF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x41EA9A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46A975\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46A90B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46ADD8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4028C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46B198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46AABA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": 
\"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": 
\"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_capture_screenshot\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_capture_screenshot\",\n      \"target\": \"func_0x482483\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_CreateCompatibleBitmap\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_CreateCompatibleDC\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_GetDC\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_GetDIBits\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com____re_fox__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com____re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": 
\"func_0x482483\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_CreateCompatibleBitmap\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_CreateCompatibleDC\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_GetDC\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_GetDIBits\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_remote_server_for_available_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_remote_server_for_available_data\",\n      \"target\": \"bb_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_data__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_receive_data__4_matches_\",\n      \"target\": \"func_0x481B87\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_receive_data__4_matches_\",\n      \"target\": \"func_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_receive_data__4_matches_\",\n      \"target\": \"func_0x48135A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_receive_data__4_matches_\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      
\"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x481B87\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x48135A\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_data__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_send_data__3_matches_\",\n      \"target\": \"func_0x4814F1\",\n      \"relationship\": \"implemented_by\"\n    
},\n    {\n      \"source\": \"cap_send_data__3_matches_\",\n      \"target\": \"func_0x481F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_send_data__3_matches_\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n 
     \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x4814F1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x481F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x47C394\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_download_and_write_a_file\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_download_and_write_a_file\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_maec_malware_category__downloader\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_maec_malware_category__downloader\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_and_write_data_from_server_to_client\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_receive_and_write_data_from_server_to_client\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_resolve_dns__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_resolve_dns__3_matches_\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n     
 \"source\": \"cap_resolve_dns__3_matches_\",\n      \"target\": \"func_0x481288\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_dns__3_matches_\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481288\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x481288\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481288\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_network_resource\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_connect_network_resource\",\n      \"target\": \"func_0x4605C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"func_0x4605C7\",\n      \"target\": \"api_WNetAddConnection2\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4605C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_WNetAddConnection2\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_parse_url\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_parse_url\",\n      \"target\": \"bb_0x47D012\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x47D012\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_to_http_server__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_connect_to_http_server__2_matches_\",\n      \"target\": \"func_0x47C061\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_connect_to_http_server__2_matches_\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47C061\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47C061\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": 
\"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47C061\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_to_url\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_http_request\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_http_request\",\n      \"target\": \"func_0x47CC3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CC3C\",\n      \"target\": \"api_InternetOpen\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CC3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CC3C\",\n      \"target\": \"api_InternetOpen\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_data_from_internet__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_data_from_internet__2_matches_\",\n      \"target\": \"func_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_data_from_internet__2_matches_\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_http_request\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_send_http_request\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n  
  {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_icmp_echo_request\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_send_icmp_echo_request\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpCloseHandle\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpSendEcho\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpCreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpCloseHandle\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpSendEcho\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpCreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_pipe__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_pipe__2_matches_\",\n      \"target\": \"func_0x4703F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_create_pipe__2_matches_\",\n      \"target\": \"func_0x4704C5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4703F0\",\n      \"target\": \"api_CreatePipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4704C5\",\n      \"target\": \"api_CreatePipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4703F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4704C5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4703F0\",\n      \"target\": \"api_CreatePipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4704C5\",\n      \"target\": \"api_CreatePipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_socket\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_connect_socket\",\n      \"target\": \"bb_0x4810AF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_mrhafizfarhad_gmail_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_mrhafizfarhad_gmail_com\",\n      \"target\": \"bb_0x4810AF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_socket_status\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_socket_status\",\n      \"target\": \"func_0x483070\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x483070\",\n      \"target\": \"api_select\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x483070\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x483070\",\n      \"target\": \"api_select\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_initialize_winsock_library__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_initialize_winsock_library__3_matches_\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_initialize_winsock_library__3_matches_\",\n      \"target\": \"func_0x4815DA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_initialize_winsock_library__3_matches_\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4815DA\",\n      \"target\": \"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4815DA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4815DA\",\n      \"target\": 
\"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_socket_configuration__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_socket_configuration__3_matches_\",\n      \"target\": \"func_0x482F75\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_socket_configuration__3_matches_\",\n      \"target\": \"func_0x4819FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_socket_configuration__3_matches_\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482F75\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4819FD\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482F75\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4819FD\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x482F75\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4819FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482F75\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4819FD\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482F75\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4819FD\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_data_on_socket__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_receive_data_on_socket__2_matches_\",\n      \"target\": \"func_0x481B87\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_receive_data_on_socket__2_matches_\",\n      \"target\": \"func_0x48135A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x481B87\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x48135A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_data_on_socket__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_send_data_on_socket__2_matches_\",\n      \"target\": \"func_0x4814F1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_send_data_on_socket__2_matches_\",\n      \"target\": \"func_0x481F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4814F1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x481F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_tcp_socket\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_connect_tcp_socket\",\n      \"target\": \"func_0x480FDF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_socket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_connect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_mrhafizfarhad_gmail_com\",\n      \"target\": \"func_0x480FDF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_socket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_connect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_tcp_socket__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_tcp_socket__2_matches_\",\n      \"target\": \"bb_0x481197\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_tcp_socket__2_matches_\",\n      \"target\": \"bb_0x481033\",\n      \"relationship\": \"implemented_by\"\n    },\n  
  {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x481197\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x481033\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_udp_socket__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_udp_socket__2_matches_\",\n      \"target\": \"bb_0x4819FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_udp_socket__2_matches_\",\n      \"target\": \"bb_0x48177E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4819FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x48177E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_act_as_tcp_client\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_act_as_tcp_client\",\n      \"target\": \"func_0x480FDF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_socket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_connect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x480FDF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_socket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_connect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compiled_with_autoit\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hash_data_with_crc32\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hash_data_with_crc32\",\n      \"target\": \"func_0x4823E8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4823E8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_encode_data_using_base64\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_encode_data_using_base64\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hash_data_using_djb2\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hash_data_using_djb2\",\n      \"target\": \"func_0x408273\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"malware_file\",\n      \"target\": \"cap_author______awillia2_cisco_com__still_teamt5_org\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______awillia2_cisco_com__still_teamt5_org\",\n      \"target\": \"func_0x408273\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_authenticate_hmac\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_authenticate_hmac\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"target\": \"func_0x471E7A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"target\": \"func_0x471EC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"target\": \"func_0x471F64\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"target\": \"func_0x471F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x471E7A\",\n      \"relationship\": \"implemented_by\"\n    },\n 
   {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x471EC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x471F64\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x471F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_extract_resource_via_kernel32_functions\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions\",\n      \"target\": \"func_0x406122\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x406122\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_list_drag_and_drop_files\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_list_drag_and_drop_files\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_DragQueryFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_DragQueryFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_open_clipboard__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_open_clipboard__2_matches_\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_open_clipboard__2_matches_\",\n      \"target\": \"func_0x47EC91\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47EC91\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_clipboard_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_clipboard_data\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GlobalLock\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GlobalUnlock\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GlobalLock\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GlobalUnlock\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_clipboard_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_clipboard_data\",\n      \"target\": \"func_0x47EC91\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47EC91\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x47EC91\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_interact_with_driver_via_ioctl__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_comspec_environment_variable\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_comspec_environment_variable\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____matthew_williams_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____matthew_williams_mandiant_com\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_environment_variable__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_environment_variable__3_matches_\",\n      \"target\": \"func_0x47EE14\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_environment_variable__3_matches_\",\n      \"target\": \"func_0x487559\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_query_environment_variable__3_matches_\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EE14\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x487559\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x47EE14\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x487559\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EE14\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x487559\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_environment_variable__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_environment_variable__2_matches_\",\n      \"target\": \"func_0x43D170\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_set_environment_variable__2_matches_\",\n      \"target\": \"func_0x47EE84\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x43D170\",\n      \"target\": \"api_SetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EE84\",\n      \"target\": \"api_SetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x43D170\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47EE84\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x43D170\",\n      \"target\": \"api_SetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EE84\",\n      \"target\": \"api_SetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x46DE45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x472F35\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x40445D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x4779B4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x477D0E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x48AF20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x41F962\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x4780B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_SHGetFolderPath\",\n     
 \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": 
\"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x4779B4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x46DE45\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46DE45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472F35\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40445D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4779B4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x477D0E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": 
\"func_0x48AF20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41F962\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4780B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x472F35\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetSystemDirectory\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetTempPath\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_current_directory__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x40445D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x40AD7C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x477D0E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x4753D4\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x4780B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40AD7C\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4753D4\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40445D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40AD7C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x477D0E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4753D4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4780B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40AD7C\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4753D4\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_copy_file__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_copy_file__3_matches_\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_copy_file__3_matches_\",\n      \"target\": \"func_0x46D1BA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_copy_file__3_matches_\",\n      \"target\": \"func_0x46CE1E\",\n      \"relationship\": \"implemented_by\"\n    
},\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D1BA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46CE1E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x46CE1E\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_directory__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_directory__2_matches_\",\n      \"target\": \"func_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_directory__2_matches_\",\n      \"target\": \"func_0x473C3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473C3C\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x473C3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n     
 \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473C3C\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_directory__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_directory__2_matches_\",\n      \"target\": \"func_0x46E77B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_directory__2_matches_\",\n      \"target\": \"func_0x473C3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473C3C\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E77B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x473C3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473C3C\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_file__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": 
\"func_0x4778BA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x46D2C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x4755F7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x46E77B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4778BA\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4755F7\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4778BA\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4755F7\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x472865\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4778BA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D2C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4755F7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E77B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4778BA\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4755F7\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_DeleteFile\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4778BA\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4755F7\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__3_matches_\",\n      \"target\": \"func_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__3_matches_\",\n      \"target\": \"func_0x46E0B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__3_matches_\",\n      \"target\": \"func_0x46DADC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B7\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DADC\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x46D1DF\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B7\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DADC\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E0B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46DADC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B7\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DADC\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B7\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DADC\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": 
\"func_0x479A49\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x46D2C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x475BB5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindNextFile\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x479A49\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46D2C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x475BB5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_files_recursively__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_recursively__3_matches_\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_recursively__3_matches_\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_recursively__3_matches_\",\n      \"target\": \"func_0x479A49\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": 
\"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x479A49\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": 
\"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_attributes__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__5_matches_\",\n      \"target\": \"bb_0x477F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__5_matches_\",\n      \"target\": \"bb_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__5_matches_\",\n      \"target\": \"bb_0x46E0B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__5_matches_\",\n      \"target\": \"bb_0x46DAFA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__5_matches_\",\n      \"target\": \"bb_0x4795B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x477F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x46E0B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x46DAFA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4795B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_size__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_size__2_matches_\",\n      \"target\": \"func_0x482A05\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_size__2_matches_\",\n      \"target\": \"func_0x498461\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x482A05\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x498461\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_get_file_version_info\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_version_info\",\n      \"target\": \"func_0x46DB2C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_GetFileVersionInfoSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_VerQueryValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_GetFileVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46DB2C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_GetFileVersionInfoSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_VerQueryValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_GetFileVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_file_attributes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_file_attributes__2_matches_\",\n      \"target\": \"bb_0x477F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_file_attributes__2_matches_\",\n      \"target\": \"bb_0x4795B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x477F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4795B8\",\n      \"relationship\": \"implemented_by\"\n    
},\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_move_file__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_move_file__3_matches_\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_move_file__3_matches_\",\n      \"target\": \"func_0x46E319\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_move_file__3_matches_\",\n      \"target\": \"func_0x46CE1E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E319\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E319\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E319\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46CE1E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": 
\"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E319\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E319\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read__ini_file__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__4_matches_\",\n      \"target\": \"func_0x478A19\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__4_matches_\",\n      \"target\": \"func_0x4783FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__4_matches_\",\n      \"target\": \"func_0x4787FC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__4_matches_\",\n      \"target\": \"func_0x4784BF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileString\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x478A19\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4783FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4787FC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": 
\"func_0x4784BF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_file_on_windows__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n 
     \"target\": \"func_0x482A05\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x43921B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x472475\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x47070D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x4725B1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x40B230\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x40B3B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x406A95\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x498461\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x40B230\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": 
\"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": 
\"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x482A05\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x43921B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472475\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47070D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4725B1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40B230\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40B3B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x406A95\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x498461\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api__read\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n    
  \"source\": \"func_0x482A05\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    
},\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_clear_file_content\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_clear_file_content\",\n      \"target\": \"func_0x477FD5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477FD5\",\n      \"target\": \"api_SetEndOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477FD5\",\n      \"target\": \"api_SetFilePointer\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____jakeperalta7\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____jakeperalta7\",\n      \"target\": \"func_0x477FD5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477FD5\",\n      \"target\": \"api_SetEndOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477FD5\",\n      \"target\": \"api_SetFilePointer\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_file_on_windows__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x41F5B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x472642\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x4725F5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x470633\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x46CC1D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    
},\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41F5B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472642\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4725F5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x470633\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46CC1D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x472642\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_gui_resources\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_gui_resources\",\n      \"target\": \"func_0x464144\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x464144\",\n      \"target\": \"api_EnumWindows\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x464144\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x464144\",\n      \"target\": \"api_EnumWindows\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_taskbar__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_find_taskbar__3_matches_\",\n      \"target\": \"bb_0x492255\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_find_taskbar__3_matches_\",\n      \"target\": \"bb_0x492289\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_find_taskbar__3_matches_\",\n      \"target\": \"bb_0x41EFCE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x492255\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x492289\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x41EFCE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_graphical_window__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_graphical_window_text__11_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x464BD3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x47E8F7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x461A70\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x496FA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x465B9A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x46359E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x4947A8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x46489C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x463B0C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x4972B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x491E0D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n 
   {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": 
\"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": 
\"func_0x464BD3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x47E8F7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x461A70\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x496FA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x465B9A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x46359E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4947A8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x46489C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x463B0C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4972B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x491E0D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      
\"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n  
    \"source\": \"malware_file\",\n      \"target\": \"cap_hide_graphical_window__8_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x4981BF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x4827C2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x4950F2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x49015D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x45F0F9\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x496B61\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x49A198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x49813A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4981BF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4827C2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4950F2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x49015D\",\n 
     \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x45F0F9\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x496B61\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x49A198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x49813A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_keyboard_layout\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_keyboard_layout\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetKeyboardLayoutName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetKeyboardLayoutName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_memory_capacity\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_memory_capacity\",\n      \"target\": \"func_0x41F370\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41F370\",\n      \"target\": \"api_GlobalMemoryStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x41F370\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41F370\",\n      \"target\": \"api_GlobalMemoryStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_information__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x474844\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x4749FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x474912\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x4743DE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x474776\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x473D97\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x474844\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4749FD\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474912\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4743DE\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474776\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473D97\",\n      \"target\": \"api_GetDriveType\",\n     
 \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474844\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4749FD\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474912\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4743DE\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474776\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473D97\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x474844\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4749FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x474912\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4743DE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x474776\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x473D97\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x474844\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4749FD\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474912\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4743DE\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474776\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473D97\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474844\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4749FD\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474912\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4743DE\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474776\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473D97\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_size__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_size__3_matches_\",\n      \"target\": \"func_0x4750EB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_size__3_matches_\",\n  
    \"target\": \"func_0x4751CE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_size__3_matches_\",\n      \"target\": \"func_0x4752B1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4750EB\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4751CE\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4752B1\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4750EB\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4751CE\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4752B1\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4750EB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4751CE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4752B1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4750EB\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4751CE\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4752B1\",\n      \"target\": \"api_GetDiskFreeSpace\",\n    
  \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4750EB\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4751CE\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4752B1\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_storage_device_properties__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_storage_device_properties__2_matches_\",\n      \"target\": \"func_0x46D588\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_storage_device_properties__2_matches_\",\n      \"target\": \"func_0x46D509\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D588\",\n      \"target\": \"api_DeviceIoControl\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D509\",\n      \"target\": \"api_DeviceIoControl\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D588\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D509\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D588\",\n      \"target\": \"api_DeviceIoControl\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D509\",\n      \"target\": \"api_DeviceIoControl\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_print_debug_messages\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_print_debug_messages\",\n      
\"target\": \"func_0x41F5B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_OutputDebugString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x41F5B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_OutputDebugString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_shutdown_system\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_shutdown_system\",\n      \"target\": \"func_0x46E814\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E814\",\n      \"target\": \"api_ExitWindowsEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E814\",\n      \"target\": \"api_InitiateSystemShutdownEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E814\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E814\",\n      \"target\": \"api_ExitWindowsEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E814\",\n      \"target\": \"api_InitiateSystemShutdownEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_hostname__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_hostname__2_matches_\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_hostname__2_matches_\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      
\"target\": \"api_GetComputerName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetComputerName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_gethostname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_gethostname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_GetComputerName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetComputerName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_gethostname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_gethostname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_system_information_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_system_information_on_windows\",\n      \"target\": \"func_0x40615E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40615E\",\n      \"target\": \"api_GetSystemInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x40615E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40615E\",\n      \"target\": \"api_GetSystemInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_on_windows__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x498064\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x4437E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x461472\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x48B2C1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x46134A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x48AD7A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x498064\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x4437E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x461472\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x48B2C1\",\n   
   \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x46134A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x48AD7A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_allocate_or_change_rwx_memory\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_allocate_or_change_rwx_memory\",\n      \"target\": \"bb_0x489881\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______mr_tz__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______mr_tz__mehunhoff_google_com\",\n      \"target\": \"bb_0x489881\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_processes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_processes__2_matches_\",\n      \"target\": \"func_0x46D3FA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_processes__2_matches_\",\n      \"target\": \"func_0x48A5A3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x46D3FA\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D3FA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x48A5A3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_acquire_debug_privileges\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_acquire_debug_privileges\",\n      \"target\": \"bb_0x48A0B6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"bb_0x48A0B6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_modify_access_privileges__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_process__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_terminate_process__3_matches_\",\n      \"target\": \"func_0x487E80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_terminate_process__3_matches_\",\n      \"target\": \"func_0x46EA3E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_terminate_process__3_matches_\",\n      \"target\": \"func_0x48A009\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x487E80\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EA3E\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A009\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x487E80\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EA3E\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A009\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x487E80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46EA3E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x48A009\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"func_0x487E80\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EA3E\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A009\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x487E80\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EA3E\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A009\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_empty_the_recycle_bin\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_empty_the_recycle_bin\",\n      \"target\": \"func_0x477953\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477953\",\n      \"target\": \"api_SHEmptyRecycleBin\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x477953\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477953\",\n      \"target\": \"api_SHEmptyRecycleBin\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_key__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_key__2_matches_\",\n      \"target\": \"func_0x48B8F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_key__2_matches_\",\n      \"target\": \"func_0x48CB5B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"func_0x48B8F0\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B8F0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x48B8F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x48CB5B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48B8F0\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B8F0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x48BD6B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x48BB02\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x40533E\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x4605C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x4059A7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": 
\"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x48BD6B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x48BB02\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40533E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4605C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4059A7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegEnumValue\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_registry_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_registry_value\",\n      \"target\": \"func_0x48C2DE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48C2DE\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48C2DE\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x48C2DE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48C2DE\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48C2DE\",\n      \"target\": 
\"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_key__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_registry_key__2_matches_\",\n      \"target\": \"func_0x48CB5B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_registry_key__2_matches_\",\n      \"target\": \"func_0x48B535\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x48CB5B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x48B535\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegDeleteKey\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_registry_value\",\n      \"target\": \"func_0x48B535\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegDeleteValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x48B535\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegDeleteValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_session_user_name\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_session_user_name\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetUserName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetUserName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_get_token_membership\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_token_membership\",\n      \"target\": \"func_0x4615A7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_FreeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_AllocateAndInitializeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_CheckTokenMembership\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4615A7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_FreeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_AllocateAndInitializeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_CheckTokenMembership\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_token_privileges\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_token_privileges\",\n      \"target\": \"func_0x460F58\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x460F58\",\n      \"target\": \"api_GetTokenInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x460F58\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x460F58\",\n      \"target\": \"api_GetTokenInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_create_thread__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_thread__5_matches_\",\n      \"target\": \"bb_0x47D13B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_thread__5_matches_\",\n      \"target\": \"bb_0x461747\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_thread__5_matches_\",\n      \"target\": \"bb_0x470870\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_thread__5_matches_\",\n      \"target\": \"bb_0x46E114\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x47D13B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x461747\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x470870\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x46E114\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_thread\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_terminate_thread\",\n      \"target\": \"bb_0x4708A6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4708A6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"malware_file\",\n      \"target\": \"cap_impersonate_user\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_impersonate_user\",\n      \"target\": \"func_0x461145\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x461145\",\n      \"target\": \"api_LoadUserProfile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461145\",\n      \"target\": \"api_LogonUser\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__99_elad_levi_gmail_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__99_elad_levi_gmail_com\",\n      \"target\": \"func_0x461145\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x461145\",\n      \"target\": \"api_LoadUserProfile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461145\",\n      \"target\": \"api_LogonUser\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap__internal__autoit_file_limitation\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_link_function_at_runtime_on_windows__13_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_parse_pe_header\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_parse_pe_header\",\n      \"target\": \"func_0x40B7E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      
\"target\": \"func_0x40B7E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x476E0F\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x487E80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x40D840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x47902A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x40A180\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x40AD7C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x490F26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x466502\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x401641\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x4681EE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x4763AC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x408BAA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x410540\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x4095C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____sara_rn\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x476E0F\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x487E80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x40D840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x47902A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x40A180\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": 
\"func_0x40AD7C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x490F26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x466502\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x401641\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x4681EE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x4763AC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x408BAA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x410540\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x4095C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_execute_shellcode_via_indirect_call\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_execute_shellcode_via_indirect_call\",\n      \"target\": \"func_0x4895BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4895BB\",\n      \"target\": \"api_VirtualAlloc\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____ronnie_salomonsen_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____ronnie_salomonsen_mandiant_com\",\n      \"target\": \"func_0x4895BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    
{\n      \"source\": \"func_0x4895BB\",\n      \"target\": \"api_VirtualAlloc\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_shortcut_via_ishelllink__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_shortcut_via_ishelllink__2_matches_\",\n      \"target\": \"func_0x47573C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_shortcut_via_ishelllink__2_matches_\",\n      \"target\": \"func_0x4763AC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47573C\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4763AC\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______matthew_williams_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______matthew_williams_mandiant_com\",\n      \"target\": \"func_0x47573C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______matthew_williams_mandiant_com\",\n      \"target\": \"func_0x4763AC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47573C\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4763AC\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-05-15 14:32:59.377830\",\n    \"total_functions\": \"2043\",\n    \"total_features\": \"120247\",\n    \"pdb_path\": \"\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        
const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 
15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) 
{\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? 
\"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-05-15 14:33:03"}
{"_id":{"$oid":"69edf02059a6632dae07de43"},"sha256":"02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd1959568093c48b04d","analysis_data":{"success":true,"results":{"normal":{"success":true,"path":"/tmp/sdm_capa_w6xzywcd/secondary_sample_try_normal.txt"},"verbose":{"success":true,"path":"/tmp/sdm_capa_w6xzywcd/secondary_sample_try_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_w6xzywcd/secondary_sample_try_very_verbose.txt"}},"outputs":{"normal":"┌──────────┬───────────────────────────────────────────────────────────────────┐\n│ md5      │ 74bb3514f737d1386b7ced741ec1e098                                  │\n│ sha1     │ 25de16039754b3870676911b146a956d30b2e8fa                          │\n│ sha256   │ 02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd1959568093c48b04d  │\n│ analysis │ static                                                            │\n│ os       │ any                                                               │\n│ format   │ dotnet                                                            │\n│ arch     │ i386                                                              │\n│ path     │ /home/apogean/projects/malware/windows/all_runs/secondary_sample… │\n└──────────┴───────────────────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ ATT&CK Tactic        ┃ ATT&CK Technique                                      ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ COLLECTION           │ Archive Collected Data::Archive via Library           │\n│                      │ [T1560.002]                                           │\n│ DEFENSE EVASION      │ Deobfuscate/Decode Files or Information [T1140]       │\n│                      │ Indicator Removal::File Deletion [T1070.004]          │\n│                      │ Modify Registry [T1112]                               │\n│                      │ Obfuscated Files or 
Information [T1027]               │\n│                      │ Reflective Code Loading [T1620]                       │\n│                      │ Virtualization/Sandbox Evasion::System Checks         │\n│                      │ [T1497.001]                                           │\n│ DISCOVERY            │ Account Discovery [T1087]                             │\n│                      │ File and Directory Discovery [T1083]                  │\n│                      │ Process Discovery [T1057]                             │\n│                      │ Query Registry [T1012]                                │\n│                      │ Software Discovery [T1518]                            │\n│                      │ System Information Discovery [T1082]                  │\n│                      │ System Owner/User Discovery [T1033]                   │\n│ EXECUTION            │ Windows Management Instrumentation [T1047]            │\n│ PERSISTENCE          │ Scheduled Task/Job::Scheduled Task [T1053.005]        │\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MBC Objective            ┃ MBC Behavior                                      ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ ANTI-BEHAVIORAL ANALYSIS │ Debugger Detection::CheckRemoteDebuggerPresent    │\n│                          │ [B0001.002]                                       │\n│                          │ Debugger Detection::WudfIsAnyDebuggerPresent      │\n│                          │ [B0001.031]                                       │\n│                          │ Sandbox Detection [B0007]                         │\n│                          │ Virtual Machine Detection [B0009]                 │\n│ COMMAND AND CONTROL      │ C2 Communication::Receive Data [B0030.002]        │\n│ COMMUNICATION            │ DNS Communication::Resolve [C0011.001]          
  │\n│                          │ HTTP Communication::Get Response [C0002.017]      │\n│                          │ Socket Communication::Create TCP Socket           │\n│                          │ [C0001.011]                                       │\n│                          │ Socket Communication::Create UDP Socket           │\n│                          │ [C0001.010]                                       │\n│ CRYPTOGRAPHY             │ Cryptographic Hash::MD5 [C0029.001]               │\n│                          │ Cryptographic Hash::SHA256 [C0029.003]            │\n│                          │ Generate Pseudo-random Sequence::Use API          │\n│                          │ [C0021.003]                                       │\n│ DATA                     │ Compress Data [C0024]                             │\n│                          │ Decode Data::Base64 [C0053.001]                   │\n│                          │ Encode Data::Base64 [C0026.001]                   │\n│ DEFENSE EVASION          │ Obfuscated Files or                               │\n│                          │ Information::Encoding-Standard Algorithm          │\n│                          │ [E1027.m02]                                       │\n│                          │ Self Deletion::COMSPEC Environment Variable       │\n│                          │ [F0007.001]                                       │\n│ DISCOVERY                │ Application Window Discovery [E1010]              │\n│                          │ File and Directory Discovery [E1083]              │\n│                          │ System Information Discovery [E1082]              │\n│ FILE SYSTEM              │ Delete File [C0047]                               │\n│                          │ Read File [C0051]                                 │\n│ OPERATING SYSTEM         │ Registry::Delete Registry Key [C0036.002]         │\n│                          │ Registry::Delete Registry Value [C0036.007]       │\n│                          
│ Registry::Query Registry Key [C0036.005]          │\n│                          │ Registry::Query Registry Value [C0036.006]        │\n│                          │ Registry::Set Registry Key [C0036.001]            │\n│ PROCESS                  │ Create Mutex [C0042]                              │\n│                          │ Create Process [C0017]                            │\n│                          │ Create Thread [C0038]                             │\n│                          │ Suspend Thread [C0055]                            │\n│                          │ Terminate Process [C0018]                         │\n└──────────────────────────┴───────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Capability                            ┃ Namespace                            ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ check for sandbox and av modules      │ anti-analysis/anti-av                │\n│ check for debugger via API            │ anti-analysis/anti-debugging/debugg… │\n│ self delete (2 matches)               │ anti-analysis/anti-forensic/self-de… │\n│ reference anti-VM strings targeting   │ anti-analysis/anti-vm/vm-detection   │\n│ VMWare                                │                                      │\n│ reference anti-VM strings targeting   │ anti-analysis/anti-vm/vm-detection   │\n│ VirtualBox                            │                                      │\n│ receive data                          │ communication                        │\n│ manipulate network credentials in     │ communication/authentication         │\n│ .NET                                  │                                      │\n│ resolve DNS                           │ communication/dns                    │\n│ create TCP socket                     │ communication/socket/tcp             │\n│ create UDP socket                     │ 
communication/socket/udp/send        │\n│ compress data using GZip in .NET (2   │ data-manipulation/compression        │\n│ matches)                              │                                      │\n│ decode data using Base64 in .NET (3   │ data-manipulation/encoding/base64    │\n│ matches)                              │                                      │\n│ encode data using Base64              │ data-manipulation/encoding/base64    │\n│ hash data with MD5                    │ data-manipulation/hashing/md5        │\n│ hash data using SHA256 (2 matches)    │ data-manipulation/hashing/sha256     │\n│ generate random numbers in .NET       │ data-manipulation/prng               │\n│ query environment variable            │ host-interaction/environment-variab… │\n│ generate random filename in .NET      │ host-interaction/file-system         │\n│ get common file path (2 matches)      │ host-interaction/file-system         │\n│ delete file                           │ host-interaction/file-system/delete  │\n│ check if file exists (2 matches)      │ host-interaction/file-system/exists  │\n│ read file on Windows                  │ host-interaction/file-system/read    │\n│ get graphical window text             │ host-interaction/gui/window/get-text │\n│ get number of processors              │ host-interaction/hardware/cpu        │\n│ get disk size (2 matches)             │ host-interaction/hardware/storage    │\n│ create or open mutex on Windows       │ host-interaction/mutex               │\n│ get hostname (2 matches)              │ host-interaction/os/hostname         │\n│ get OS version in .NET (3 matches)    │ host-interaction/os/version          │\n│ get process image filename            │ host-interaction/process             │\n│ create a process with modified I/O    │ host-interaction/process/create      │\n│ handles and window                    │                                      │\n│ create process on Windows             │ host-interaction/process/create 
     │\n│ enumerate processes                   │ host-interaction/process/list        │\n│ enter debug mode in .NET              │ host-interaction/process/modify      │\n│ terminate process (2 matches)         │ host-interaction/process/terminate   │\n│ query or enumerate registry key (2    │ host-interaction/registry            │\n│ matches)                              │                                      │\n│ query or enumerate registry value     │ host-interaction/registry            │\n│ set registry value (3 matches)        │ host-interaction/registry/create     │\n│ delete registry key                   │ host-interaction/registry/delete     │\n│ delete registry value                 │ host-interaction/registry/delete     │\n│ get session integrity level           │ host-interaction/session             │\n│ get session user name (3 matches)     │ host-interaction/session             │\n│ create thread                         │ host-interaction/thread/create       │\n│ suspend thread (4 matches)            │ host-interaction/thread/suspend      │\n│ execute via timer in .NET             │ host-interaction/thread/timer        │\n│ access WMI data in .NET (2 matches)   │ host-interaction/wmi                 │\n│ load .NET assembly                    │ load-code/dotnet                     │\n│ schedule task via schtasks (4         │ persistence/scheduled-tasks          │\n│ matches)                              │                                      │\n│ unmanaged call (6 matches)            │ runtime                              │\n│ compiled to the .NET platform         │ runtime/dotnet                       │\n└───────────────────────────────────────┴──────────────────────────────────────┘\n\n","verbose":"md5                     74bb3514f737d1386b7ced741ec1e098                        \nsha1                    25de16039754b3870676911b146a956d30b2e8fa                \nsha256                  02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd19595680…\npath     
               /home/apogean/projects/malware/windows/all_runs/seconda…\ntimestamp               2026-04-29 18:18:25.046336                              \ncapa version            9.2.1                                                   \nos                      any                                                     \nformat                  dotnet                                                  \narch                    i386                                                    \nanalysis                static                                                  \nextractor               DnfileFeatureExtractor                                  \nbase address            global                                                  \nrules                   /tmp/_MEI30NzcH/rules                                   \nfunction count          157                                                     \nlibrary function count  0                                                       \ntotal feature count     4647                                                    \n\ncheck for sandbox and av modules\nnamespace  anti-analysis/anti-av\nscope      basic block          \nmatches    token(0x600002B)     \n\ncheck for debugger via API\nnamespace  anti-analysis/anti-debugging/debugger-detection\nscope      function                                       \nmatches    token(0x600002A)                               \n\nself delete (2 matches)\nnamespace  anti-analysis/anti-forensic/self-deletion\nscope      function                                 \nmatches    token(0x6000024)                         \n           token(0x6000024)                         \n\nreference anti-VM strings targeting VMWare\nnamespace  anti-analysis/anti-vm/vm-detection\nscope      file                              \n\nreference anti-VM strings targeting VirtualBox\nnamespace  anti-analysis/anti-vm/vm-detection\nscope      file                              \n\nreceive data\nnamespace    communication                          
                           \ndescription  all known techniques for receiving data from a potential C2 server\nscope        function                                                          \nmatches      token(0x600001B)                                                  \n\nmanipulate network credentials in .NET\nnamespace  communication/authentication\nscope      function                    \nmatches    token(0x600001B)            \n\nresolve DNS\nnamespace  communication/dns\nscope      function         \nmatches    token(0x600001B) \n\nread data from Internet\nnamespace  communication/http/client\nscope      function                 \nmatches    token(0x600001B)         \n\ncreate TCP socket\nnamespace  communication/socket/tcp\nscope      basic block             \nmatches    token(0x600001B)        \n\ncreate UDP socket\nnamespace  communication/socket/udp/send\nscope      basic block                  \nmatches    token(0x600001B)             \n\ncompress data using GZip in .NET (2 matches)\nnamespace  data-manipulation/compression\nscope      function                     \nmatches    token(0x60000A2)             \n           token(0x60000A3)             \n\ndecode data using Base64 in .NET (3 matches)\nnamespace  data-manipulation/encoding/base64\nscope      function                         \nmatches    token(0x6000003)                 \n           token(0x6000004)                 \n           token(0x600004E)                 \n\nencode data using Base64\nnamespace  data-manipulation/encoding/base64\nscope      function                         \nmatches    token(0x600004C)                 \n\nhash data with MD5\nnamespace  data-manipulation/hashing/md5\nscope      function                     \nmatches    token(0x600002E)             \n\nhash data using SHA256 (2 matches)\nnamespace  data-manipulation/hashing/sha256\nscope      function                        \nmatches    token(0x6000052)                \n           token(0x6000053)                \n\ngenerate 
random numbers in .NET\nnamespace  data-manipulation/prng\nscope      function              \nmatches    token(0x600001B)      \n\nquery environment variable\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    token(0x6000024)                     \n\ngenerate random filename in .NET\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    token(0x6000024)            \n\nget common file path (2 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    token(0x6000027)            \n           token(0x600002D)            \n\ndelete file\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    token(0x6000024)                   \n\ncheck if file exists (2 matches)\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    token(0x6000024)                   \n           token(0x600007D)                   \n\nread file on Windows\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    token(0x6000024)                 \n\nget graphical window text\nnamespace  host-interaction/gui/window/get-text\nscope      function                            \nmatches    token(0x6000035)                    \n\nget number of processors\nnamespace  host-interaction/hardware/cpu\nscope      function                     \nmatches    token(0x600002D)             \n\nget disk size (2 matches)\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    token(0x6000027)                 \n           token(0x600002D)                 \n\ncreate or open mutex on Windows\nnamespace  host-interaction/mutex\nscope      instruction           \nmatches    token(0x6000036)+0x8  \n\nget hostname (2 matches)\nnamespace  host-interaction/os/hostname\nscope      function            
        \nmatches    token(0x600002D)            \n           token(0x6000032)            \n\nget OS version in .NET (3 matches)\nnamespace  host-interaction/os/version\nscope      basic block                \nmatches    token(0x6000028)           \n           token(0x600002D)           \n           token(0x600002F)           \n\nget process image filename\nnamespace  host-interaction/process\nscope      basic block             \nmatches    token(0x6000024)        \n\ncreate a process with modified I/O handles and window\nnamespace  host-interaction/process/create\nscope      function                       \nmatches    token(0x6000024)               \n\ncreate process on Windows\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    token(0x6000024)               \n\nenumerate processes\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    token(0x6000024)             \n\nenter debug mode in .NET\nnamespace    host-interaction/process/modify                                    \ndescription  Often used by debuggers and malware to attach to and modify other  \n             processes.                                                         
\nscope        basic block                                                        \nmatches      token(0x600003F)                                                   \n\nterminate process (2 matches)\nnamespace  host-interaction/process/terminate\nscope      function                          \nmatches    token(0x6000001)                  \n           token(0x6000024)                  \n\nquery or enumerate registry key (2 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    token(0x6000024)         \n           token(0x6000044)         \n\nquery or enumerate registry value\nnamespace  host-interaction/registry\nscope      function                 \nmatches    token(0x6000042)         \n\nset registry value (3 matches)\nnamespace  host-interaction/registry/create\nscope      function                        \nmatches    token(0x6000024)                \n           token(0x6000024)                \n           token(0x6000041)                \n\ndelete registry key\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    token(0x6000044)                \n\ndelete registry value\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    token(0x6000043)                \n\nget session integrity level\nnamespace  host-interaction/session\nscope      function                \nmatches    token(0x6000030)        \n\nget session user name (3 matches)\nnamespace  host-interaction/session\nscope      function                \nmatches    token(0x600002D)        \n           token(0x600002F)        \n           token(0x6000030)        \n\ncreate thread\nnamespace  host-interaction/thread/create\nscope      basic block                   \nmatches    token(0x600001F)              \n\nsuspend thread (4 matches)\nnamespace  host-interaction/thread/suspend\nscope      basic block                    \nmatches    token(0x6000001)               \n           
token(0x6000024)               \n           token(0x6000040)               \n           token(0x6000048)               \n\nexecute via timer in .NET\nnamespace  host-interaction/thread/timer\nscope      function                     \nmatches    token(0x600001B)             \n\naccess WMI data in .NET (2 matches)\nnamespace  host-interaction/wmi\nscope      function            \nmatches    token(0x6000029)    \n           token(0x6000032)    \n\nload .NET assembly\nnamespace  load-code/dotnet\nscope      function        \nmatches    token(0x6000047)\n\nschedule task via schtasks (4 matches)\nnamespace  persistence/scheduled-tasks\nscope      function                   \nmatches    token(0x6000024)           \n           token(0x6000024)           \n           token(0x6000024)           \n           token(0x6000024)           \n\nunmanaged call (6 matches)\nnamespace    runtime                                                       \ndescription  managed code calls unmanaged (native) code, often seen in .NET\nscope        function                                                      \nmatches      token(0x600002A)                                              \n             token(0x600002B)                                              \n             token(0x6000034)                                              \n             token(0x6000035)                                              \n             token(0x600003F)                                              \n             token(0x6000040)                                              \n\ncompiled to the .NET platform\nnamespace  runtime/dotnet\nscope      file          \n\n\n\n","very_verbose":"md5                     74bb3514f737d1386b7ced741ec1e098                        \nsha1                    25de16039754b3870676911b146a956d30b2e8fa                \nsha256                  02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd19595680…\npath                    
/home/apogean/projects/malware/windows/all_runs/seconda…\ntimestamp               2026-04-29 18:18:27.618563                              \ncapa version            9.2.1                                                   \nos                      any                                                     \nformat                  dotnet                                                  \narch                    i386                                                    \nanalysis                static                                                  \nextractor               DnfileFeatureExtractor                                  \nbase address            global                                                  \nrules                   /tmp/_MEIR8q40Z/rules                                   \nfunction count          157                                                     \nlibrary function count  0                                                       \ntotal feature count     4647                                                    \n\ncontain loop (2 matches, only showing first match of library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ token(0x600006B)\n  or:\n    characteristic: recursive call @ token(0x600006B)\n\ncreate or open registry key (5 matches, only showing first match of library \nrule)\nauthor  michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope   basic block                                                             \nmbc     Operating System::Registry::Create Registry Key [C0036.004], Operating  \n        System::Registry::Open Registry Key [C0036.003]                         \nbasic block @ token(0x6000024) in function token(0x6000024)\n  or:\n    api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000024)+0x114\n\ncheck for sandbox and av modules\nnamespace  anti-analysis/anti-av                                                \nauthor     @_re_fox                                
                             \nscope      basic block                                                          \nmbc        Anti-Behavioral Analysis::Virtual Machine Detection [B0009],         \n           Anti-Behavioral Analysis::Sandbox Detection [B0007]                  \nbasic block @ token(0x600002B) in function token(0x600002B)\n  and:\n    api: GetModuleHandle @ token(0x600002B)+0x5\n    or:\n      regex: /sbiedll\\.dll/i\n        - \"SbieDll.dll\" @ token(0x600002B)+0x0\n\ncheck for debugger via API\nnamespace   anti-analysis/anti-debugging/debugger-detection                     \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \nmbc         Anti-Behavioral Analysis::Debugger                                  \n            Detection::CheckRemoteDebuggerPresent [B0001.002], Anti-Behavioral  \n            Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]  \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nfunction @ token(0x600002A)\n  or:\n    api: CheckRemoteDebuggerPresent @ token(0x600002A)+0xE\n\nself delete (2 matches)\nnamespace  anti-analysis/anti-forensic/self-deletion                            \nauthor     michael.hunhoff@mandiant.com, @mr-tz                                 \nscope      function                                                             \natt&ck     Defense Evasion::Indicator Removal::File Deletion [T1070.004]        \nmbc        Defense Evasion::Self Deletion::COMSPEC Environment Variable         \n           [F0007.001]                                                          \nfunction @ token(0x6000024)\n  and:\n    optional:\n      regex: /\\s*>\\s*nul\\s*/i\n        - \"timeout 3 > NUL\" @ token(0x6000024)+0x1C8\n    or:\n      match: host-interaction/process/create @ token(0x6000024)\n        or:\n          api: System.Diagnostics.Process::Start @ 
token(0x6000024)+0xF9, token(0x6000024)+0x25E\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000024)+0x252\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000024)+0xEA, token(0x6000024)+0x259\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000024)+0xA1, token(0x6000024)+0x23D\n              property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000024)+0xE2\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000024)+0xF2, token(0x6000024)+0x244\n    or:\n      regex: /(^|[\\&;\\|]\\s*)del(\\s.*)?/i\n        - \"DEL \\\"\" @ token(0x6000024)+0x206\nfunction @ token(0x6000024)\n  and:\n    optional:\n      regex: /\\s*>\\s*nul\\s*/i\n        - \"timeout 3 > NUL\" @ token(0x6000024)+0x1C8\n    or:\n      match: host-interaction/process/create @ token(0x6000024)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000024)+0x252\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000024)+0xEA, token(0x6000024)+0x259\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000024)+0xA1, token(0x6000024)+0x23D\n              property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000024)+0xE2\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000024)+0xF2, token(0x6000024)+0x244\n    or:\n      regex: 
/(^|[\\&;\\|]\\s*)del(\\s.*)?/i\n        - \"DEL \\\"\" @ token(0x6000024)+0x206\n\nreference anti-VM strings targeting VMWare\nnamespace   anti-analysis/anti-vm/vm-detection                                  \nauthor      michael.hunhoff@mandiant.com, @johnk3r                              \nscope       file                                                                \natt&ck      Defense Evasion::Virtualization/Sandbox Evasion::System Checks      \n            [T1497.001]                                                         \nmbc         Anti-Behavioral Analysis::Virtual Machine Detection [B0009]         \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /VMWare/i\n    - \"vmware\" @ file+0x9B51\n\nreference anti-VM strings targeting VirtualBox\nnamespace   anti-analysis/anti-vm/vm-detection                                  \nauthor      michael.hunhoff@mandiant.com                                        \nscope       file                                                                \natt&ck      Defense Evasion::Virtualization/Sandbox Evasion::System Checks      \n            [T1497.001]                                                         \nmbc         Anti-Behavioral Analysis::Virtual Machine Detection [B0009]         \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /VirtualBox/i\n    - \"VirtualBox\" @ file+0x9B5F\n\nreceive data\nnamespace    communication                                                     \nauthor       william.ballenthin@mandiant.com                                   \nscope        function                                                          \nmbc          Command and Control::C2 Communication::Receive Data [B0030.002]   \ndescription  all known techniques for receiving data from a potential C2 server\nfunction @ token(0x600001B)\n  or:\n    match: read data from Internet @ token(0x600001B)\n      and:\n        or:\n          api: 
System.Net.WebClient::DownloadString @ token(0x600001B)+0x142\n\nmanipulate network credentials in .NET\nnamespace  communication/authentication\nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x600001B)\n  and:\n    api: System.Net.NetworkCredential::ctor @ token(0x600001B)+0x12B\n\nresolve DNS\nnamespace  communication/dns                                                    \nauthor     william.ballenthin@mandiant.com, johnk3r, joakim@intezer.com,        \n           michael.hunhoff@mandiant.com                                         \nscope      function                                                             \nmbc        Communication::DNS Communication::Resolve [C0011.001]                \nfunction @ token(0x600001B)\n  or:\n    api: System.Net.Dns::GetHostAddresses @ token(0x600001B)+0xB8\n\nread data from Internet\nnamespace  communication/http/client                                    \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Get Response [C0002.017]  \nfunction @ token(0x600001B)\n  and:\n    or:\n      api: System.Net.WebClient::DownloadString @ token(0x600001B)+0x142\n\ncreate TCP socket\nnamespace   communication/socket/tcp                                            \nauthor      william.ballenthin@mandiant.com, joakim@intezer.com,                \n            anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com       \nscope       basic block                                                         \nmbc         Communication::Socket Communication::Create TCP Socket [C0001.011]  \nreferences  https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-win…\n            https://man7.org/linux/man-pages/man2/socket.2.html                 \nbasic block @ token(0x600001B) in function token(0x600001B)\n  or:\n    and:\n      or:\n        
number: 0x0 = protocol (default) @ token(0x600001B)+0x43, token(0x600001B)+0x5D, token(0x600001B)+0x7B, \ntoken(0x600001B)+0x95, and 13 more...\n        number: 0x6 = IPPROTO_TCP @ token(0x600001B)+0x2\n      number: 0x1 = SOCK_STREAM @ token(0x600001B)+0x1, token(0x600001B)+0x3C, token(0x600001B)+0x56, \ntoken(0x600001B)+0x74, and 9 more...\n      number: 0x2 = AF_INET @ token(0x600001B)+0x0\n      or:\n        api: System.Net.Sockets.Socket::ctor @ token(0x600001B)+0x3\n\ncreate UDP socket\nnamespace   communication/socket/udp/send                                       \nauthor      moritz.raabe@mandiant.com, joakim@intezer.com,                      \n            michael.hunhoff@mandiant.com                                        \nscope       basic block                                                         \nmbc         Communication::Socket Communication::Create UDP Socket [C0001.010]  \nreferences  https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-win…\n            https://man7.org/linux/man-pages/man2/socket.2.html                 \nbasic block @ token(0x600001B) in function token(0x600001B)\n  or:\n    and:\n      number: 0x2 = AF_INET @ token(0x600001B)+0x0\n      or:\n        number: 0x0 = protocol (default) @ token(0x600001B)+0x43, token(0x600001B)+0x5D, token(0x600001B)+0x7B, \ntoken(0x600001B)+0x95, and 13 more...\n      or:\n        api: System.Net.Sockets.Socket::ctor @ token(0x600001B)+0x3\n\ncompress data using GZip in .NET (2 matches)\nnamespace  data-manipulation/compression                                      \nauthor     michael.hunhoff@mandiant.com                                       \nscope      function                                                           \natt&ck     Collection::Archive Collected Data::Archive via Library [T1560.002]\nmbc        Data::Compress Data [C0024]                                        \nfunction @ token(0x60000A2)\n  or:\n    api: System.IO.Compression.GZipStream::ctor @ 
token(0x60000A2)+0x22\nfunction @ token(0x60000A3)\n  or:\n    api: System.IO.Compression.GZipStream::ctor @ token(0x60000A3)+0x1A\n\ndecode data using Base64 in .NET (3 matches)\nnamespace  data-manipulation/encoding/base64                               \nauthor     michael.hunhoff@mandiant.com                                    \nscope      function                                                        \natt&ck     Defense Evasion::Deobfuscate/Decode Files or Information [T1140]\nmbc        Data::Decode Data::Base64 [C0053.001]                           \nfunction @ token(0x6000003)\n  or:\n    api: System.Convert::FromBase64String @ token(0x6000003)+0xA, token(0x6000003)+0x109\nfunction @ token(0x6000004)\n  or:\n    api: System.Convert::FromBase64String @ token(0x6000004)+0x37\nfunction @ token(0x600004E)\n  or:\n    api: System.Convert::FromBase64String @ token(0x600004E)+0x7\n\nencode data using Base64\nnamespace  data-manipulation/encoding/base64                                    \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com,          \n           michael.hunhoff@mandiant.com                                         \nscope      function                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        Defense Evasion::Obfuscated Files or Information::Encoding-Standard  \n           Algorithm [E1027.m02], Data::Encode Data::Base64 [C0026.001]         \nfunction @ token(0x600004C)\n  or:\n    api: System.Convert::ToBase64String @ token(0x600004C)+0x11\n\nhash data with MD5\nnamespace   data-manipulation/hashing/md5                                       \nauthor      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com,         \n            michael.hunhoff@mandiant.com                                        \nscope       function                                                            \nmbc         Cryptography::Cryptographic Hash::MD5 
[C0029.001]                   \nreferences  https://github.com/rwfpl/rewolf-x86-virtualizer/blob/master/src/tes…\nfunction @ token(0x600002E)\n  or:\n    and:\n      format: dotnet\n      or:\n        api: System.Security.Cryptography.MD5CryptoServiceProvider::ctor @ token(0x600002E)+0x0\n      optional:\n        api: System.Security.Cryptography.HashAlgorithm::ComputeHash @ token(0x600002E)+0x12\n\nhash data using SHA256 (2 matches)\nnamespace   data-manipulation/hashing/sha256                                    \nauthor      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com,         \n            william.ballenthin@mandiant.com                                     \nscope       function                                                            \nmbc         Cryptography::Cryptographic Hash::SHA256 [C0029.003]                \nreferences  https://www.rfc-editor.org/rfc/rfc6234                              \nfunction @ token(0x6000052)\n  or:\n    and:\n      format: dotnet\n      or:\n        api: System.Security.Cryptography.SHA256Managed::ctor @ token(0x6000052)+0xC\n      api: System.Security.Cryptography.HashAlgorithm::ComputeHash @ token(0x6000052)+0x14\nfunction @ token(0x6000053)\n  or:\n    and:\n      format: dotnet\n      or:\n        api: System.Security.Cryptography.SHA256Managed::ctor @ token(0x6000053)+0x0\n      api: System.Security.Cryptography.HashAlgorithm::ComputeHash @ token(0x6000053)+0x8\n\ngenerate random numbers in .NET\nnamespace  data-manipulation/prng                                            \nauthor     anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com     \nscope      function                                                          \nmbc        Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\nfunction @ token(0x600001B)\n  or:\n    api: System.Random::Next @ token(0x600001B)+0x68, token(0x600001B)+0xA0, token(0x600001B)+0x176, \ntoken(0x600001B)+0x26F, and 1 more...\n\nquery environment 
variable\nnamespace  host-interaction/environment-variable          \nauthor     michael.hunhoff@mandiant.com, @_re_fox         \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ token(0x6000024)\n  or:\n    api: System.Environment::ExpandEnvironmentVariables @ token(0x6000024)+0x5\n\ngenerate random filename in .NET\nnamespace  host-interaction/file-system\nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ token(0x6000024)\n  or:\n    api: System.IO.Path::GetTempFileName @ token(0x6000024)+0x1A0\n\nget common file path (2 matches)\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ token(0x6000027)\n  or:\n    property/read: System.Environment::SystemDirectory @ token(0x6000027)+0xA\nfunction @ token(0x600002D)\n  or:\n    property/read: System.Environment::SystemDirectory @ token(0x600002D)+0x2D\n\ndelete file\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete File [C0047]                       \nfunction @ token(0x6000024)\n  or:\n    api: System.IO.File::Delete @ token(0x6000024)+0x16C\n\ncheck if file exists (2 matches)\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, 
michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ token(0x6000024)\n  or:\n    api: System.IO.File::Exists @ token(0x6000024)+0x15C\nfunction @ token(0x600007D)\n  or:\n    api: System.IO.File::Exists @ token(0x600007D)+0x1\n\nread file on Windows\nnamespace  host-interaction/file-system/read                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \nmbc        File System::Read File [C0051]                            \nfunction @ token(0x6000024)\n  or:\n    api: System.IO.File::ReadAllBytes @ token(0x6000024)+0x188\n\nget graphical window text\nnamespace  host-interaction/gui/window/get-text           \nauthor     moritz.raabe@mandiant.com                      \nscope      function                                       \nmbc        Discovery::Application Window Discovery [E1010]\nfunction @ token(0x6000035)\n  or:\n    and:\n      optional:\n        api: GetForegroundWindow @ token(0x6000035)+0xB\n      api: GetWindowText @ token(0x6000035)+0x16\n\nget number of processors\nnamespace   host-interaction/hardware/cpu                                       \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Discovery::System Information Discovery [T1082]                     \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/bed03d2f849d9060c6…\nfunction @ token(0x600002D)\n  or:\n    property/read: System.Environment::ProcessorCount @ token(0x600002D)+0x8\n\nget disk size (2 matches)\nnamespace   host-interaction/hardware/storage                                   \nauthor      michael.hunhoff@mandiant.com, 
anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Discovery::System Information Discovery [T1082]                     \nmbc         Discovery::System Information Discovery [E1082]                     \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nfunction @ token(0x6000027)\n  or:\n    property/read: System.IO.DriveInfo::TotalSize @ token(0x6000027)+0x19\nfunction @ token(0x600002D)\n  or:\n    property/read: System.IO.DriveInfo::TotalSize @ token(0x600002D)+0x3C\n\ncreate or open mutex on Windows\nnamespace  host-interaction/mutex                                               \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com,          \n           mehunhoff@google.com                                                 \nscope      instruction                                                          \nmbc        Process::Create Mutex [C0042]                                        \ninstruction @ token(0x6000036)+0x8\n  or:\n    and:\n      format: dotnet\n      or:\n        api: System.Threading.Mutex::ctor @ token(0x6000036)+0x8\n\nget hostname (2 matches)\nnamespace  host-interaction/os/hostname                                         \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::System Information Discovery [T1082]                      \nmbc        Discovery::System Information Discovery [E1082]                      \nfunction @ token(0x600002D)\n  or:\n    property/read: System.Environment::MachineName @ token(0x600002D)+0x1D\nfunction @ token(0x6000032)\n  or:\n    property/read: System.Environment::MachineName @ token(0x6000032)+0x5\n\nget OS version in .NET (3 matches)\nnamespace  
host-interaction/os/version                    \nauthor     michael.hunhoff@mandiant.com                   \nscope      basic block                                    \natt&ck     Discovery::System Information Discovery [T1082]\nbasic block @ token(0x6000028) in function token(0x6000028)\n  or:\n    property/read: Microsoft.VisualBasic.Devices.ComputerInfo::OSFullName @ token(0x6000028)+0x5\nbasic block @ token(0x600002D) in function token(0x600002D)\n  or:\n    property/read: System.Environment::OSVersion @ token(0x600002D)+0x25\nbasic block @ token(0x600002F) in function token(0x600002F)\n  or:\n    property/read: System.Environment::Is64BitOperatingSystem @ token(0x600002F)+0x73\n    property/read: Microsoft.VisualBasic.Devices.ComputerInfo::OSFullName @ token(0x600002F)+0x59\n\nget process image filename\nnamespace  host-interaction/process    \nauthor     michael.hunhoff@mandiant.com\nscope      basic block                 \nbasic block @ token(0x6000024) in function token(0x6000024)\n  or:\n    and:\n      api: System.Diagnostics.Process::GetCurrentProcess @ token(0x6000024)+0x1A\n      property/read: System.Diagnostics.Process::MainModule @ token(0x6000024)+0x1F, token(0x6000024)+0x53\n      property/read: System.Diagnostics.ProcessModule::FileName @ token(0x6000024)+0x24, token(0x6000024)+0x58\n\ncreate a process with modified I/O handles and window\nnamespace   host-interaction/process/create                                     \nauthor      matthew.williams@mandiant.com, anushka.virgaonkar@mandiant.com      \nscope       function                                                            \nmbc         Process::Create Process [C0017]                                     \nreferences  https://docs.microsoft.com/en-us/windows/win32/api/processthreadsap…\nfunction @ token(0x6000024)\n  or:\n    and:\n      api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n      or:\n        property/write: 
System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000024)+0x252\n        property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000024)+0xEA, token(0x6000024)+0x259\n        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000024)+0xA1, token(0x6000024)+0x23D\n        property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000024)+0xE2\n        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000024)+0xF2, token(0x6000024)+0x244\n\ncreate process on Windows\nnamespace  host-interaction/process/create\nauthor     moritz.raabe@mandiant.com      \nscope      basic block                    \nmbc        Process::Create Process [C0017]\nbasic block @ token(0x6000024) in function token(0x6000024)\n  or:\n    api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n\nenumerate processes\nnamespace  host-interaction/process/list                                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com              \nscope      function                                                             \natt&ck     Discovery::Process Discovery [T1057], Discovery::Software Discovery  \n           [T1518]                                                              \nfunction @ token(0x6000024)\n  or:\n    api: System.Diagnostics.Process::GetProcesses @ token(0x6000024)+0x3B\n\nenter debug mode in .NET\nnamespace    host-interaction/process/modify                                    \nauthor       @v1bh475u                                                          \nscope        basic block                                                        \nreferences   https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.pr…\ndescription  Often used by debuggers and malware to attach to and modify other  \n             processes.                                                         
\nbasic block @ token(0x600003F) in function token(0x600003F)\n  and:\n    format: dotnet\n    api: System.Diagnostics.Process::EnterDebugMode @ token(0x600003F)+0x11\n\nterminate process (2 matches)\nnamespace  host-interaction/process/terminate                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Process::Terminate Process [C0018]                                   \nfunction @ token(0x6000001)\n  or:\n    api: System.Environment::Exit @ token(0x6000001)+0x2D, token(0x6000001)+0x3E\nfunction @ token(0x6000024)\n  or:\n    api: System.Diagnostics.Process::Kill @ token(0x6000024)+0x6F\n    api: System.Environment::Exit @ token(0x6000024)+0x265\n\nquery or enumerate registry key (2 matches)\nnamespace  host-interaction/registry                                 \nauthor     michael.hunhoff@mandiant.com                              \nscope      function                                                  \natt&ck     Discovery::Query Registry [T1012]                         \nmbc        Operating System::Registry::Query Registry Key [C0036.005]\nfunction @ token(0x6000024)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000024)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000024)+0x114\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000024)+0x114\nfunction @ token(0x6000044)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000044)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000044)+0xB\n    or:\n      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000044)+0xB\n\nquery or enumerate registry value\nnamespace  host-interaction/registry                                            
\nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com,       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::Query Registry [T1012]                                    \nmbc        Operating System::Registry::Query Registry Value [C0036.006]         \nfunction @ token(0x6000042)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000042)\n        or:\n          api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x6000042)+0xA\n    or:\n      api: Microsoft.Win32.RegistryKey::GetValue @ token(0x6000042)+0x12\n\nset registry value (3 matches)\nnamespace  host-interaction/registry/create                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com \nscope      function                                                \nmbc        Operating System::Registry::Set Registry Key [C0036.001]\nfunction @ token(0x6000024)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x6000024)\n          or:\n            api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000024)+0x114\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000024)+0x13D\nfunction @ token(0x6000024)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x6000024)\n          or:\n            api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000024)+0x114\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000024)+0x13D\nfunction @ token(0x6000041)\n  or:\n    and:\n      optional:\n        match: create or open registry key @ token(0x6000041)\n          or:\n            api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x6000041)+0xB\n      or:\n        api: Microsoft.Win32.RegistryKey::SetValue @ token(0x6000041)+0x15\n\ndelete registry key\nnamespace  
host-interaction/registry/delete                                \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\nscope      function                                                        \natt&ck     Defense Evasion::Modify Registry [T1112]                        \nmbc        Operating System::Registry::Delete Registry Key [C0036.002]     \nfunction @ token(0x6000044)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000044)\n        or:\n          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000044)+0xB\n    or:\n      api: Microsoft.Win32.RegistryKey::DeleteSubKeyTree @ token(0x6000044)+0x17\n\ndelete registry value\nnamespace  host-interaction/registry/delete                             \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Defense Evasion::Modify Registry [T1112]                     \nmbc        Operating System::Registry::Delete Registry Value [C0036.007]\nfunction @ token(0x6000043)\n  and:\n    optional:\n      match: create or open registry key @ token(0x6000043)\n        or:\n          api: Microsoft.Win32.RegistryKey::CreateSubKey @ token(0x6000043)+0xA\n    or:\n      api: Microsoft.Win32.RegistryKey::DeleteValue @ token(0x6000043)+0x12\n\nget session integrity level\nnamespace  host-interaction/session                                     \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::System Owner/User Discovery [T1033]               \nfunction @ token(0x6000030)\n  or:\n    and:\n      api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x6000030)+0x0\n      number: 0x220 = BUILTIN\\Administrators @ token(0x6000030)+0xA\n      api: System.Security.Principal.WindowsPrincipal::IsInRole @ token(0x6000030)+0xF\n\nget session user 
name (3 matches)\nnamespace  host-interaction/session                                             \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope      function                                                             \natt&ck     Discovery::System Owner/User Discovery [T1033], Discovery::Account   \n           Discovery [T1087]                                                    \nfunction @ token(0x600002D)\n  or:\n    property/read: System.Environment::UserName @ token(0x600002D)+0x15\nfunction @ token(0x600002F)\n  or:\n    property/read: System.Environment::UserName @ token(0x600002F)+0x3A\nfunction @ token(0x6000030)\n  or:\n    api: System.Security.Principal.WindowsIdentity::GetCurrent @ token(0x6000030)+0x0\n\ncreate thread\nnamespace  host-interaction/thread/create                                       \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           joakim@intezer.com, anushka.virgaonkar@mandiant.com                  \nscope      basic block                                                          \nmbc        Process::Create Thread [C0038]                                       \nbasic block @ token(0x600001F) in function token(0x600001F)\n  or:\n    and:\n      api: System.Threading.Thread::Start @ token(0x600001F)+0x112\n      optional:\n        api: System.Threading.Thread::ctor @ token(0x600001F)+0x108\n\nsuspend thread (4 matches)\nnamespace  host-interaction/thread/suspend                    \nauthor     0x534a@mailbox.org, anushka.virgaonkar@mandiant.com\nscope      basic block                                        \nmbc        Process::Suspend Thread [C0055]                    \nbasic block @ token(0x6000001) in function token(0x6000001)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000001)+0xC, token(0x6000001)+0xBE\nbasic block @ token(0x6000024) in function token(0x6000024)\n  or:\n    api: System.Threading.Thread::Sleep @ 
token(0x6000024)+0x176\nbasic block @ token(0x6000040) in function token(0x6000040)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000040)+0x13\nbasic block @ token(0x6000048) in function token(0x6000048)\n  or:\n    api: System.Threading.Thread::Sleep @ token(0x6000048)+0x29\n\nexecute via timer in .NET\nnamespace  host-interaction/thread/timer\nauthor     michael.hunhoff@mandiant.com \nscope      function                     \nfunction @ token(0x600001B)\n  or:\n    api: System.Threading.Timer::ctor @ token(0x600001B)+0x288, token(0x600001B)+0x2A1\n\naccess WMI data in .NET (2 matches)\nnamespace  host-interaction/wmi                                 \nauthor     michael.hunhoff@mandiant.com                         \nscope      function                                             \natt&ck     Execution::Windows Management Instrumentation [T1047]\nfunction @ token(0x6000029)\n  or:\n    and:\n      api: System.Management.ManagementObjectSearcher::Get @ token(0x6000029)+0xC\n      optional:\n        api: System.Management.ManagementObjectSearcher::ctor @ token(0x6000029)+0x5\nfunction @ token(0x6000032)\n  or:\n    and:\n      api: System.Management.ManagementObjectSearcher::Get @ token(0x6000032)+0x26\n      optional:\n        api: System.Management.ManagementObjectSearcher::ctor @ token(0x6000032)+0x19\n\n(internal) .NET file limitation\nnamespace    internal/limitation/dynamic                        \nauthor       @v1bh475u                                          \nscope        file                                               \ndescription  This dynamic analysis trace describes a .NET file. \n                                                                \n             capa rules are not yet tuned for the .NET runtime, \n             so its analysis may be incomplete or misleading.   
\n                                                                \nor:\n  format: dotnet\n\nload .NET assembly\nnamespace  load-code/dotnet                                \nauthor     anushka.virgaonkar@mandiant.com                 \nscope      function                                        \natt&ck     Defense Evasion::Reflective Code Loading [T1620]\nfunction @ token(0x6000047)\n  or:\n    api: System.AppDomain::Load @ token(0x6000047)+0x1F\n\nschedule task via schtasks (4 matches)\nnamespace   persistence/scheduled-tasks                                         \nauthor      0x534a@mailbox.org, j.j.vannielen@utwente.nl                        \nscope       function                                                            \natt&ck      Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]         \nreferences  https://learn.microsoft.com/en-us/windows/win32/taskschd/task-sched…\n            https://stmxcsr.com/persistence/scheduled-tasks.html                \nfunction @ token(0x6000024)\n  or:\n    and:\n      match: host-interaction/process/create @ token(0x6000024)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000024)+0x252\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000024)+0xEA, token(0x6000024)+0x259\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000024)+0xA1, token(0x6000024)+0x23D\n              property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000024)+0xE2\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000024)+0xF2, token(0x6000024)+0x244\n      or:\n        and:\n          regex: 
/schtasks/i\n            - \"/c schtasks /create /f /sc onlogon /rl highest /tn \\\"\" @ token(0x6000024)+0xB0\n          or:\n            regex: /\\/create/i\n              - \"/c schtasks /create /f /sc onlogon /rl highest /tn \\\"\" @ token(0x6000024)+0xB0\nfunction @ token(0x6000024)\n  or:\n    and:\n      match: host-interaction/process/create @ token(0x6000024)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000024)+0x252\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000024)+0xEA, token(0x6000024)+0x259\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000024)+0xA1, token(0x6000024)+0x23D\n              property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000024)+0xE2\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000024)+0xF2, token(0x6000024)+0x244\n      or:\n        and:\n          regex: /schtasks/i\n            - \"/c schtasks /create /f /sc onlogon /rl highest /tn \\\"\" @ token(0x6000024)+0xB0\n          or:\n            regex: /\\/create/i\n              - \"/c schtasks /create /f /sc onlogon /rl highest /tn \\\"\" @ token(0x6000024)+0xB0\nfunction @ token(0x6000024)\n  or:\n    and:\n      match: host-interaction/process/create @ token(0x6000024)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ 
token(0x6000024)+0x252\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000024)+0xEA, token(0x6000024)+0x259\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000024)+0xA1, token(0x6000024)+0x23D\n              property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000024)+0xE2\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000024)+0xF2, token(0x6000024)+0x244\n      or:\n        and:\n          regex: /schtasks/i\n            - \"/c schtasks /create /f /sc onlogon /rl highest /tn \\\"\" @ token(0x6000024)+0xB0\n          or:\n            regex: /\\/create/i\n              - \"/c schtasks /create /f /sc onlogon /rl highest /tn \\\"\" @ token(0x6000024)+0xB0\nfunction @ token(0x6000024)\n  or:\n    and:\n      match: host-interaction/process/create @ token(0x6000024)\n        or:\n          api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n        or:\n          and:\n            api: System.Diagnostics.Process::Start @ token(0x6000024)+0xF9, token(0x6000024)+0x25E\n            or:\n              property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000024)+0x252\n              property/write: System.Diagnostics.ProcessStartInfo::WindowStyle @ token(0x6000024)+0xEA, token(0x6000024)+0x259\n              property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000024)+0xA1, token(0x6000024)+0x23D\n              property/write: System.Diagnostics.ProcessStartInfo::Arguments @ token(0x6000024)+0xE2\n              property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000024)+0xF2, token(0x6000024)+0x244\n      or:\n        and:\n          regex: /schtasks/i\n            - \"/c schtasks /create /f /sc onlogon /rl highest /tn \\\"\" @ token(0x6000024)+0xB0\n          or:\n            regex: /\\/create/i\n              - \"/c 
schtasks /create /f /sc onlogon /rl highest /tn \\\"\" @ token(0x6000024)+0xB0\n\nunmanaged call (6 matches)\nnamespace    runtime                                                       \nauthor       michael.hunhoff@mandiant.com                                  \nscope        function                                                      \ndescription  managed code calls unmanaged (native) code, often seen in .NET\nfunction @ token(0x600002A)\n  or:\n    characteristic: unmanaged call @ token(0x600002A)+0xE\nfunction @ token(0x600002B)\n  or:\n    characteristic: unmanaged call @ token(0x600002B)+0x5\nfunction @ token(0x6000034)\n  or:\n    characteristic: unmanaged call @ token(0x6000034)+0x5\nfunction @ token(0x6000035)\n  or:\n    characteristic: unmanaged call @ token(0x6000035)+0xB, token(0x6000035)+0x16\nfunction @ token(0x600003F)\n  or:\n    characteristic: unmanaged call @ token(0x600003F)+0x19\nfunction @ token(0x6000040)\n  or:\n    characteristic: unmanaged call @ token(0x6000040)+0x3\n\ncompiled to the .NET platform\nnamespace  runtime/dotnet                 \nauthor     william.ballenthin@mandiant.com\nscope      file                           \nor:\n  format: dotnet\n\n\n\n"},"hashes":{"md5":"74bb3514f737d1386b7ced741ec1e098","sha1":"25de16039754b3870676911b146a956d30b2e8fa","sha256":"02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd1959568093c48b04d"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n     
       color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            
border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle 
Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    <span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 157</div>\n                <div class=\"info-item\"><span 
class=\"label\">Features:</span> 4647</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"seconda\\u2026\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"74bb3514f737d1386b7ced741ec1e098\",\n        \"sha256\": \"02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd19595680\",\n        \"arch\": \"i386\",\n        \"os\": \"any\",\n        \"format\": \"dotnet\"\n      }\n    },\n    {\n      \"id\": \"cap_contain_loop__2_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"contain loop (2 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_rule_\",\n      \"label\": \"rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Create Registry Key [C0036.004]\",\n        \"Operating\",\n        \"System::Registry::Open Registry Key [C0036.003]\"\n      ]\n    },\n    {\n      \"id\": \"api_Microsoft\",\n      \"label\": \"Microsoft\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_check_for_sandbox_and_av_modules\",\n      \"label\": \"check for sandbox and av modules\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\",\n        \"Anti-Behavioral Analysis::Sandbox Detection [B0007]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetModuleHandle\",\n      \"label\": \"GetModuleHandle\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______re_fox\",\n      \"label\": \"author     @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n    
  \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\",\n        \"Anti-Behavioral Analysis::Sandbox Detection [B0007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_for_debugger_via_api\",\n      \"label\": \"check for debugger via API\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Debugger\",\n        \"Detection::CheckRemoteDebuggerPresent [B0001.002]\",\n        \"Anti-Behavioral\",\n        \"Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]\"\n      ]\n    },\n    {\n      \"id\": \"api_CheckRemoteDebuggerPresent\",\n      \"label\": \"CheckRemoteDebuggerPresent\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Debugger\",\n        \"Detection::CheckRemoteDebuggerPresent [B0001.002]\",\n        \"Anti-Behavioral\",\n        \"Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]\"\n      ]\n    },\n    {\n      \"id\": \"cap_self_delete__2_matches_\",\n      \"label\": \"self delete (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Self Deletion::COMSPEC Environment Variable\",\n        \"[F0007.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_System\",\n      \"label\": \"System\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com___mr_tz\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @mr-tz\",\n   
   \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Self Deletion::COMSPEC Environment Variable\",\n        \"[F0007.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_anti_vm_strings_targeting_vmware\",\n      \"label\": \"reference anti-VM strings targeting VMWare\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com___johnk3r\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, @johnk3r\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_anti_vm_strings_targeting_virtualbox\",\n      \"label\": \"reference anti-VM strings targeting VirtualBox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_receive_data\",\n      \"label\": \"receive data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Receive Data [B0030.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"label\": \"author       
william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Receive Data [B0030.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_manipulate_network_credentials_in__net\",\n      \"label\": \"manipulate network credentials in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_resolve_dns\",\n      \"label\": \"resolve DNS\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::DNS Communication::Resolve [C0011.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_michael_hunhoff_mandiant_com\",\n      \"label\": \"michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::DNS Communication::Resolve [C0011.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_data_from_internet\",\n      \"label\": \"read data from Internet\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Get Response [C0002.017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Get Response [C0002.017]\"\n      ]\n    },\n    {\n      
\"id\": \"cap_create_tcp_socket\",\n      \"label\": \"create TCP socket\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create TCP Socket [C0001.011]\"\n      ]\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create TCP Socket [C0001.011]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_udp_socket\",\n      \"label\": \"create UDP socket\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create UDP Socket [C0001.010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_compress_data_using_gzip_in__net__2_matches_\",\n      \"label\": \"compress data using GZip in .NET (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Compress Data [C0024]\"\n      ]\n    },\n    {\n      \"id\": \"cap_decode_data_using_base64_in__net__3_matches_\",\n      \"label\": \"decode data using Base64 in .NET (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Decode Data::Base64 [C0053.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_encode_data_using_base64\",\n      \"label\": \"encode data using Base64\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Obfuscated Files or Information::Encoding-Standard\",\n        \"Algorithm [E1027.m02]\",\n        \"Data::Encode Data::Base64 [C0026.001]\"\n      ]\n 
   },\n    {\n      \"id\": \"cap_hash_data_with_md5\",\n      \"label\": \"hash data with MD5\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Cryptographic Hash::MD5 [C0029.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_hash_data_using_sha256__2_matches_\",\n      \"label\": \"hash data using SHA256 (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Cryptographic Hash::SHA256 [C0029.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_william_ballenthin_mandiant_com\",\n      \"label\": \"william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Cryptographic Hash::SHA256 [C0029.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_generate_random_numbers_in__net\",\n      \"label\": \"generate random numbers in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_environment_variable\",\n      \"label\": \"query environment variable\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_generate_random_filename_in__net\",\n      \"label\": \"generate random filename in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_get_common_file_path__2_matches_\",\n      \"label\": \"get common file path (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_file\",\n      \"label\": \"delete file\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_if_file_exists__2_matches_\",\n      \"label\": \"check if file exists (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n   
     \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_file_on_windows\",\n      \"label\": \"read file on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_graphical_window_text\",\n      \"label\": \"get graphical window text\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [E1010]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetWindowText\",\n      \"label\": \"GetWindowText\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetForegroundWindow\",\n      \"label\": \"GetForegroundWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [E1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_number_of_processors\",\n      \"label\": \"get number of processors\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_disk_size__2_matches_\",\n      \"label\": \"get disk 
size (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_or_open_mutex_on_windows\",\n      \"label\": \"create or open mutex on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Mutex [C0042]\"\n      ]\n    },\n    {\n      \"id\": \"cap_mehunhoff_google_com\",\n      \"label\": \"mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Mutex [C0042]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_hostname__2_matches_\",\n      \"label\": \"get hostname (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_os_version_in__net__3_matches_\",\n      \"label\": \"get OS version in .NET (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_process_image_filename\",\n      \"label\": \"get process image filename\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_create_a_process_with_modified_i_o_handles_and_window\",\n      \"label\": \"create a process with modified I/O handles and window\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_author______matthew_williams_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      matthew.williams@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_process_on_windows\",\n      \"label\": \"create process on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_processes\",\n      \"label\": \"enumerate processes\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\",\n        \"Discovery::Software Discovery\",\n        \"[T1518]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enter_debug_mode_in__net\",\n      \"label\": \"enter debug mode in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author________v1bh475u\",\n      \"label\": \"author       @v1bh475u\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_terminate_process__2_matches_\",\n      \"label\": \"terminate process (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Process [C0018]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_key__2_matches_\",\n      \"label\": \"query or enumerate registry key (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Key [C0036.005]\"\n      ]\n    
},\n    {\n      \"id\": \"cap_query_or_enumerate_registry_value\",\n      \"label\": \"query or enumerate registry value\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Value [C0036.006]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_registry_value__3_matches_\",\n      \"label\": \"set registry value (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Set Registry Key [C0036.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_registry_key\",\n      \"label\": \"delete registry key\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_registry_value\",\n      \"label\": \"delete registry value\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Value [C0036.007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_session_integrity_level\",\n      \"label\": \"get session integrity level\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_get_session_user_name__3_matches_\",\n      \"label\": \"get session user name (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\",\n        \"Discovery::Account\",\n        \"Discovery [T1087]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_thread\",\n      \"label\": \"create thread\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"joakim@intezer.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_suspend_thread__4_matches_\",\n      \"label\": \"suspend thread (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Suspend Thread [C0055]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____0x534a_mailbox_org__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     0x534a@mailbox.org, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Suspend Thread [C0055]\"\n      ]\n    },\n    {\n      \"id\": \"cap_execute_via_timer_in__net\",\n      \"label\": \"execute via timer in .NET\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_access_wmi_data_in__net__2_matches_\",\n      \"label\": \"access WMI data in .NET (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      
\"mitre\": [\n        \"Execution::Windows Management Instrumentation [T1047]\"\n      ]\n    },\n    {\n      \"id\": \"cap__internal___net_file_limitation\",\n      \"label\": \"(internal) .NET file limitation\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_load__net_assembly\",\n      \"label\": \"load .NET assembly\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Reflective Code Loading [T1620]\"\n      ]\n    },\n    {\n      \"id\": \"cap_schedule_task_via_schtasks__4_matches_\",\n      \"label\": \"schedule task via schtasks (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______0x534a_mailbox_org__j_j_vannielen_utwente_nl\",\n      \"label\": \"author      0x534a@mailbox.org, j.j.vannielen@utwente.nl\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]\"\n      ]\n    },\n    {\n      \"id\": \"cap_unmanaged_call__6_matches_\",\n      \"label\": \"unmanaged call (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"label\": \"author       michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n 
     \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_compiled_to_the__net_platform\",\n      \"label\": \"compiled to the .NET platform\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_loop__2_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_for_sandbox_and_av_modules\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_for_debugger_via_api\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_self_delete__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com___mr_tz\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_anti_vm_strings_targeting_vmware\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_author______michael_hunhoff_mandiant_com___johnk3r\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_anti_vm_strings_targeting_virtualbox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_manipulate_network_credentials_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_resolve_dns\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_data_from_internet\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_tcp_socket\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"malware_file\",\n      \"target\": \"cap_create_udp_socket\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compress_data_using_gzip_in__net__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_decode_data_using_base64_in__net__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_encode_data_using_base64\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hash_data_with_md5\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hash_data_using_sha256__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_generate_random_numbers_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_environment_variable\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_generate_random_filename_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      
\"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_file\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_file_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_graphical_window_text\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_number_of_processors\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_size__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_or_open_mutex_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_hostname__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      
\"target\": \"cap_get_os_version_in__net__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_process_image_filename\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_a_process_with_modified_i_o_handles_and_window\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______matthew_williams_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_processes\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enter_debug_mode_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author________v1bh475u\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_process__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_key__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_registry_value__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_key\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_session_integrity_level\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_session_user_name__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_thread\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_suspend_thread__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____0x534a_mailbox_org__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_execute_via_timer_in__net\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_access_wmi_data_in__net__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap__internal___net_file_limitation\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_load__net_assembly\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      
\"target\": \"cap_schedule_task_via_schtasks__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______0x534a_mailbox_org__j_j_vannielen_utwente_nl\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_unmanaged_call__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compiled_to_the__net_platform\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-04-29 18:18:27.618563\",\n    \"total_functions\": \"157\",\n    \"total_features\": \"4647\",\n    \"pdb_path\": \"\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", 
d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 
15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) 
{\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? 
\"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-04-29 18:18:28"}
{"_id":{"$oid":"69edf1b159a6632dae07de54"},"sha256":"6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324","analysis_data":{"success":true,"results":{"normal":{"success":false,"error":"WARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be an    common.py:90\n         installer.                                                             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  capa cannot handle installers   common.py:90\n         well. This means the results may be misleading or                      \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You should try to understand    common.py:90\n         the install mechanism and analyze created files with capa.             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         installer file limitation                                              \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       
\nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n"},"verbose":{"success":true,"path":"/tmp/sdm_capa_618p8xof/3_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_618p8xof/3_very_verbose.txt"}},"outputs":{"normal":"ERROR:\nWARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be an    common.py:90\n         installer.                                                             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  capa cannot handle installers   common.py:90\n         well. This means the results may be misleading or                      \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You should try to understand    common.py:90\n         the install mechanism and analyze created files with capa.             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         installer file limitation                                              \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       
\nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n\n\nSTDOUT:\n\n\nSTDERR:\nWARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be an    common.py:90\n         installer.                                                             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  capa cannot handle installers   common.py:90\n         well. This means the results may be misleading or                      \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You should try to understand    common.py:90\n         the install mechanism and analyze created files with capa.             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         installer file limitation                                              \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       
\nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n","verbose":"md5                     c2bf2a9e6beaff5b5321917475545ef4                        \nsha1                    7b33e010b7a815cbf97cc04b3adbfc009791b727                \nsha256                  6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57…\npath                    /home/apogean/projects/malware/windows/all_runs/3       \ntimestamp               2026-04-27 00:05:11.323866                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    amd64                                                   \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x140000000                                             \nrules                   /tmp/_MEI3gMxmZ/rules                                   \nfunction count          84                                                      \nlibrary function count  16                                                      \ntotal feature count     31900                                                   \n\nreference anti-VM strings targeting Xen\nnamespace  anti-analysis/anti-vm/vm-detection\nscope      file                              \n\npackaged as an IExpress self-extracting archive\nnamespace  executable/installer/iexpress\nscope      file                         \n\nextract resource via kernel32 functions (5 matches)\nnamespace  executable/resource\nscope      function           \nmatches    0x140002DB4        \n    
       0x140005050        \n           0x140005D90        \n           0x14000772C        \n           0x140007AC8        \n\nquery environment variable\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x14000261C                          \n\nget common file path (10 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x140001D28                 \n           0x140002244                 \n           0x140002468                 \n           0x14000261C                 \n           0x1400030EC                 \n           0x1400040C4                 \n           0x140004A60                 \n           0x1400063B8                 \n           0x1400066C4                 \n           0x140006CA4                 \n\nset current directory (3 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x1400030EC                 \n           0x1400061EC                 \n           0x140006CA4                 \n\ncreate directory (5 matches)\nnamespace  host-interaction/file-system/create\nscope      function                           \nmatches    0x140003530                        \n           0x140005380                        \n           0x1400063B8                        \n           0x1400064E4                        \n           0x1400066C4                        \n\ndelete directory (3 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    0x14000204C                        \n           0x1400063B8                        \n           0x1400064E4                        \n\ndelete file (3 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    0x14000204C                        \n           0x1400061EC                        \n           0x1400063B8                        \n\ncheck if file 
exists (7 matches)\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    0x140001684                        \n           0x140003530                        \n           0x1400051BC                        \n           0x1400063B8                        \n           0x1400066C4                        \n           0x140006B70                        \n           0x1400079F0                        \n\nenumerate files on Windows\nnamespace  host-interaction/file-system/files/list\nscope      function                               \nmatches    0x14000204C                            \n\nenumerate files recursively\nnamespace  host-interaction/file-system/files/list\nscope      function                               \nmatches    0x14000204C                            \n\nget file attributes (9 matches)\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    0x14000184D                      \n           0x140001AEB                      \n           0x140003694                      \n           0x1400051BC                      \n           0x1400063E3                      \n           0x140006916                      \n           0x140006A16                      \n           0x140006C61                      \n           0x140007A44                      \n\nget file version info\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    0x140002834                      \n\nset file attributes (5 matches)\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    0x1400021A3                      \n           0x140005246                      \n           0x140005A06                      \n           0x140006229                      \n           0x140006A6D                      \n\nread .ini file\nnamespace  host-interaction/file-system/read\nscope      function                         
\nmatches    0x140001684                      \n\nread file on Windows\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x1400055E0                      \n\nwrite file on Windows (2 matches)\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    0x140005690                       \n           0x1400078B0                       \n\nget disk information (2 matches)\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x1400066C4                      \n           0x140006CA4                      \n\nget disk size (2 matches)\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x1400066C4                      \n           0x140006CA4                      \n\ncheck mutex on Windows\nnamespace  host-interaction/mutex\nscope      function              \nmatches    0x140002DB4           \n\ncreate or open mutex on Windows\nnamespace  host-interaction/mutex\nscope      instruction           \nmatches    0x140002F06           \n\nshutdown system (2 matches)\nnamespace  host-interaction/os\nscope      function           \nmatches    0x140001C0C        \n           0x140002C54        \n\nget system information on Windows\nnamespace  host-interaction/os/info\nscope      function                \nmatches    0x1400064E4             \n\ncheck OS version (3 matches)\nnamespace  host-interaction/os/version\nscope      function                   \nmatches    0x140002C54                \n           0x140003BF4                \n           0x140007F04                \n\ncreate process on Windows\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    0x14000473C                    \n\nmodify access privileges\nnamespace  host-interaction/process/modify\nscope      instruction                    \nmatches    0x140001CB2                    
\n\nterminate process\nnamespace  host-interaction/process/terminate\nscope      function                          \nmatches    0x140008218                       \n\nquery or enumerate registry key\nnamespace  host-interaction/registry\nscope      function                 \nmatches    0x140002318              \n\nquery or enumerate registry value (5 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    0x140001D28              \n           0x140002318              \n           0x14000261C              \n           0x1400040C4              \n           0x140007F04              \n\nset registry value (2 matches)\nnamespace  host-interaction/registry/create\nscope      function                        \nmatches    0x140001D28                     \n           0x1400040C4                     \n\ndelete registry value\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    0x1400061EC                     \n\ncompare security identifiers\nnamespace  host-interaction/sid\nscope      basic block         \nmatches    0x140001452         \n\ncreate thread\nnamespace  host-interaction/thread/create\nscope      basic block                   \nmatches    0x140003A9B                   \n\nterminate thread\nnamespace  host-interaction/thread/terminate\nscope      basic block                      \nmatches    0x14000395B                      \n\nlink function at runtime on Windows (8 matches)\nnamespace  linking/runtime-linking\nscope      instruction            \nmatches    0x14000122B            \n           0x140001E90            \n           0x140002CA1            \n           0x1400031A9            \n           0x1400043AF            \n           0x140004AAA            \n           0x140004ACA            \n           0x140004AEC            \n\nparse PE header (2 matches)\nnamespace  load-code/pe\nscope      function    \nmatches    0x1400080D0 \n           0x1400087BC \n\npersist via Run 
registry key (5 matches)\nnamespace  persistence/registry/run\nscope      function                \nmatches    0x140001D28             \n           0x140001D28             \n           0x1400040C4             \n           0x1400040C4             \n           0x1400061EC             \n\n\n\n","very_verbose":"md5                     c2bf2a9e6beaff5b5321917475545ef4                        \nsha1                    7b33e010b7a815cbf97cc04b3adbfc009791b727                \nsha256                  6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57…\npath                    /home/apogean/projects/malware/windows/all_runs/3       \ntimestamp               2026-04-27 00:05:26.527665                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    amd64                                                   \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x140000000                                             \nrules                   /tmp/_MEI8zV991/rules                                   \nfunction count          84                                                      \nlibrary function count  16                                                      \ntotal feature count     31900                                                   \n\ncontain loop (37 matches, only showing first match of library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ 0x1400012EC\n  or:\n    characteristic: loop @ 0x1400012EC\n\ncreate or open file (4 matches, only showing first match of library rule)\nauthor  michael.hunhoff@mandiant.com, joakim@intezer.com\nscope   instruction             
                        \nmbc     File System::Create File [C0016]                \ninstruction @ 0x1400054C5\n  or:\n    api: CreateFile @ 0x1400054C5\n\ncreate or open registry key (7 matches, only showing first match of library \nrule)\nauthor  michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope   basic block                                                             \nmbc     Operating System::Registry::Create Registry Key [C0036.004], Operating  \n        System::Registry::Open Registry Key [C0036.003]                         \nbasic block @ 0x140001D28 in function 0x140001D28\n  or:\n    api: RegCreateKeyEx @ 0x140001DBA\n\ndelay execution (3 matches, only showing first match of library rule)\nauthor      michael.hunhoff@mandiant.com, @ramen0x3f                            \nscope       basic block                                                         \nmbc         Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed         \n            Execution [B0003.003]                                               \nreferences  https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions, \n            https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/T…\nbasic block @ 0x140003B4C in function 0x140003B40\n  or:\n    and:\n      os: windows\n      or:\n        api: MsgWaitForMultipleObjects @ 0x140003B64\n\nget OS version (3 matches, only showing first match of library rule)\nauthor  @mr-tz  \nscope   function\nfunction @ 0x140002C54\n  or:\n    api: GetVersion @ 0x140002C69\n\nreference anti-VM strings targeting Xen\nnamespace   anti-analysis/anti-vm/vm-detection                                  \nauthor      michael.hunhoff@mandiant.com                                        \nscope       file                                                                \natt&ck      Defense Evasion::Virtualization/Sandbox Evasion::System Checks      \n            [T1497.001]                                                  
       \nmbc         Anti-Behavioral Analysis::Virtual Machine Detection [B0009]         \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /^Xen/i\n    - \"XeN>\" @ file+0x242553\n\npackaged as an IExpress self-extracting archive\nnamespace   executable/installer/iexpress         \nauthor      awillia2@cisco.com                    \nscope       file                                  \nreferences  https://en.wikipedia.org/wiki/IExpress\nor:\n  string: \"  <description>IExpress extraction tool</description>\" @ file+0x274D5E\n  and:\n    string: \"wextract_cleanup%d\" @ file+0xA4C0\n    string: \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\" @ file+0xA488\n\nextract resource via kernel32 functions (5 matches)\nnamespace  executable/resource            \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ 0x140002DB4\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x140003005\n      optional:\n        or:\n          api: FindResource @ 0x140002FEE\nfunction @ 0x140005050\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x1400050C0\n        api: LockResource @ 0x1400050CF\n      optional:\n        or:\n          api: FindResource @ 0x140005078, 0x1400050AF\n        api: SizeofResource @ 0x140005089\n        api: FreeResource @ 0x1400050FD\nfunction @ 0x140005D90\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x140005DD1\n        api: LockResource @ 0x140005DE0\n      optional:\n        or:\n          api: FindResource @ 0x140005DC0\n        api: FreeResource @ 0x140005F61\nfunction @ 0x14000772C\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x140007763\n        api: LockResource @ 0x140007772\n      optional:\n        or:\n          api: FindResource @ 0x1400077EC\n        api: FreeResource @ 0x1400077B8, 0x140007805\nfunction @ 0x140007AC8\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x140007B09\n      
optional:\n        or:\n          api: FindResource @ 0x140007AF2\n        api: FreeResource @ 0x140007B51\n\nquery environment variable\nnamespace  host-interaction/environment-variable          \nauthor     michael.hunhoff@mandiant.com, @_re_fox         \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ 0x14000261C\n  or:\n    api: ExpandEnvironmentStrings @ 0x140002782\n\nget common file path (10 matches)\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ 0x140001D28\n  or:\n    api: GetSystemDirectory @ 0x140001E4C, 0x140001EC5\nfunction @ 0x140002244\n  or:\n    api: GetWindowsDirectory @ 0x140002271\nfunction @ 0x140002468\n  or:\n    api: GetWindowsDirectory @ 0x140002494\nfunction @ 0x14000261C\n  or:\n    api: GetSystemDirectory @ 0x1400027E5\n    api: GetWindowsDirectory @ 0x1400027CF\nfunction @ 0x1400030EC\n  or:\n    api: GetSystemDirectory @ 0x140003167\n    api: GetWindowsDirectory @ 0x1400031FD\nfunction @ 0x1400040C4\n  or:\n    api: GetSystemDirectory @ 0x14000468D\nfunction @ 0x140004A60\n  or:\n    api: GetTempPath @ 0x140004B1B\nfunction @ 0x1400063B8\n  or:\n    api: GetTempFileName @ 0x14000645B\nfunction @ 0x1400066C4\n  or:\n    api: GetTempPath @ 0x140006862\n    api: GetWindowsDirectory @ 0x140006A0A, 0x140006AE3\nfunction @ 0x140006CA4\n  or:\n    api: GetCurrentDirectory @ 0x140006CEE\n\nset current directory (3 matches)\nnamespace  
host-interaction/file-system\nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ 0x1400030EC\n  or:\n    api: SetCurrentDirectory @ 0x14000327A\nfunction @ 0x1400061EC\n  or:\n    api: SetCurrentDirectory @ 0x1400062FB\nfunction @ 0x140006CA4\n  or:\n    api: SetCurrentDirectory @ 0x140006CFD, 0x140006E4A, 0x140006FDD\n\ncreate directory (5 matches)\nnamespace  host-interaction/file-system/create                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Create Directory [C0046]                  \nfunction @ 0x140003530\n  or:\n    api: CreateDirectory @ 0x1400036D9\nfunction @ 0x140005380\n  or:\n    api: CreateDirectory @ 0x14000553A\nfunction @ 0x1400063B8\n  or:\n    api: CreateDirectory @ 0x140006484, 0x1400064BB\nfunction @ 0x1400064E4\n  or:\n    api: CreateDirectory @ 0x14000662F\nfunction @ 0x1400066C4\n  or:\n    api: CreateDirectory @ 0x140006A47\n\ndelete directory (3 matches)\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete Directory [C0048]                  \nfunction @ 0x14000204C\n  or:\n    api: RemoveDirectory @ 0x140002207\nfunction @ 0x1400063B8\n  or:\n    api: RemoveDirectory @ 0x140006423\nfunction @ 0x1400064E4\n  or:\n    api: RemoveDirectory @ 0x14000666F\n\ndelete file (3 matches)\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete File [C0047]                       \nfunction @ 0x14000204C\n  or:\n    api: DeleteFile @ 0x1400021CD\nfunction @ 0x1400061EC\n  or:\n    api: DeleteFile @ 0x140006240\nfunction @ 
0x1400063B8\n  or:\n    api: DeleteFile @ 0x140006473\n\ncheck if file exists (7 matches)\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ 0x140001684\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x140001AF0\n        instruction:\n          and:\n            mnemonic: cmp @ 0x140001AFC\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x140001AFC\n      and:\n        api: GetFileAttributes @ 0x140001852\n        instruction:\n          and:\n            mnemonic: cmp @ 0x14000185E\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x14000185E\nfunction @ 0x140003530\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x140003697\n        instruction:\n          and:\n            mnemonic: cmp @ 0x1400036A3\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x1400036A3\nfunction @ 0x1400051BC\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x1400051C9\n        instruction:\n          and:\n            mnemonic: cmp @ 0x1400051D5\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x1400051D5\nfunction @ 0x1400063B8\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x140006432\n        instruction:\n          and:\n            mnemonic: cmp @ 0x14000643E\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x14000643E\nfunction @ 0x1400066C4\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x14000691B\n        instruction:\n          and:\n            mnemonic: cmp @ 0x140006927\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x140006927\n      and:\n        api: GetFileAttributes @ 0x140006A2F\n        
instruction:\n          and:\n            mnemonic: cmp @ 0x140006A3B\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x140006A3B\nfunction @ 0x140006B70\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x140006C73\n        instruction:\n          and:\n            mnemonic: cmp @ 0x140006C7F\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x140006C7F\nfunction @ 0x1400079F0\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x140007A68\n        instruction:\n          and:\n            mnemonic: cmp @ 0x140007A74\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x140007A74\n\nenumerate files on Windows\nnamespace   host-interaction/file-system/files/list                             \nauthor      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com          \nscope       function                                                            \natt&ck      Discovery::File and Directory Discovery [T1083]                     \nmbc         Discovery::File and Directory Discovery [E1083]                     \nreferences  https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b16…\nfunction @ 0x14000204C\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x1400020E5\n      or:\n        api: FindNextFile @ 0x1400021E1\n      optional:\n        api: FindClose @ 0x1400021F8\n        match: contain loop @ 0x14000204C\n          or:\n            characteristic: loop @ 0x14000204C\n            characteristic: recursive call @ 0x14000204C\n\nenumerate files recursively\nnamespace  host-interaction/file-system/files/list        \nauthor     @_re_fox, anushka.virgaonkar@mandiant.com      \nscope      function                                       \natt&ck     Discovery::File and Directory Discovery [T1083]\nmbc        Discovery::File and Directory Discovery [E1083]\nfunction @ 0x14000204C\n  and:\n    characteristic: recursive call @ 0x14000204C\n    or:\n      match: enumerate files on 
Windows @ 0x14000204C\n        or:\n          and:\n            or:\n              api: FindFirstFile @ 0x1400020E5\n            or:\n              api: FindNextFile @ 0x1400021E1\n            optional:\n              api: FindClose @ 0x1400021F8\n              match: contain loop @ 0x14000204C\n                or:\n                  characteristic: loop @ 0x14000204C\n                  characteristic: recursive call @ 0x14000204C\n\nget file attributes (9 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      basic block                                                  \nmbc        File System::Get File Attributes [C0049]                     \nbasic block @ 0x14000184D in function 0x140001684\n  or:\n    api: GetFileAttributes @ 0x140001852\nbasic block @ 0x140001AEB in function 0x140001684\n  or:\n    api: GetFileAttributes @ 0x140001AF0\nbasic block @ 0x140003694 in function 0x140003530\n  or:\n    api: GetFileAttributes @ 0x140003697\nbasic block @ 0x1400051BC in function 0x1400051BC\n  or:\n    api: GetFileAttributes @ 0x1400051C9\nbasic block @ 0x1400063E3 in function 0x1400063B8\n  or:\n    api: GetFileAttributes @ 0x140006432\nbasic block @ 0x140006916 in function 0x1400066C4\n  or:\n    api: GetFileAttributes @ 0x14000691B\nbasic block @ 0x140006A16 in function 0x1400066C4\n  or:\n    api: GetFileAttributes @ 0x140006A2F\nbasic block @ 0x140006C61 in function 0x140006B70\n  or:\n    api: GetFileAttributes @ 0x140006C73\nbasic block @ 0x140007A44 in function 0x1400079F0\n  or:\n    api: GetFileAttributes @ 0x140007A68\n\nget file version info\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        
Discovery::File and Directory Discovery [E1083]              \nfunction @ 0x140002834\n  and:\n    or:\n      api: GetFileVersionInfo @ 0x14000290C\n    optional: = retrieve specified version information from the version-information resource\n      api: VerQueryValue @ 0x140002932\n      or:\n        api: GetFileVersionInfoSize @ 0x1400028AC\n\nset file attributes (5 matches)\nnamespace  host-interaction/file-system/meta                                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      basic block                                                          \natt&ck     Defense Evasion::File and Directory Permissions Modification [T1222] \nmbc        File System::Set File Attributes [C0050]                             \nbasic block @ 0x1400021A3 in function 0x14000204C\n  or:\n    api: SetFileAttributes @ 0x1400021BD\nbasic block @ 0x140005246 in function 0x1400051BC\n  or:\n    api: SetFileAttributes @ 0x14000524E\nbasic block @ 0x140005A06 in function 0x1400058B0\n  or:\n    api: SetFileAttributes @ 0x140005A0B\nbasic block @ 0x140006229 in function 0x1400061EC\n  or:\n    api: SetFileAttributes @ 0x140006231\nbasic block @ 0x140006A6D in function 0x1400066C4\n  or:\n    api: SetFileAttributes @ 0x140006A77\n\nread .ini file\nnamespace  host-interaction/file-system/read     \nauthor     @_re_fox, michael.hunhoff@mandiant.com\nscope      function                              \nmbc        File System::Read File [C0051]        \nfunction @ 0x140001684\n  and:\n    or:\n      api: GetPrivateProfileInt @ 0x1400018FC\n      api: GetPrivateProfileString @ 0x14000193F\n\nread file on Windows\nnamespace  host-interaction/file-system/read                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \nmbc        File System::Read 
File [C0051]                            \nfunction @ 0x1400055E0\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x140005651\n\nwrite file on Windows (2 matches)\nnamespace  host-interaction/file-system/write                              \nauthor     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                        \nmbc        File System::Writes File [C0052]                                \nfunction @ 0x140005690\n  or:\n    and:\n      os: windows\n      or:\n        api: WriteFile @ 0x1400056E4\nfunction @ 0x1400078B0\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x40000000 = GENERIC_WRITE @ 0x140007956\n            number: 0x2 = FILE_WRITE_DATA @ 0x14000794E\n            match: create or open file @ 0x14000795B\n              or:\n                api: CreateFile @ 0x14000795B\n      or:\n        api: WriteFile @ 0x140007992\n\nget disk information (2 matches)\nnamespace  host-interaction/hardware/storage                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \natt&ck     Discovery::System Information Discovery [T1082]           \nmbc        Discovery::System Information Discovery [E1082]           \nfunction @ 0x1400066C4\n  or:\n    api: GetDriveType @ 0x1400068FE\nfunction @ 0x140006CA4\n  or:\n    api: GetVolumeInformation @ 0x140006DD6\n\nget disk size (2 matches)\nnamespace   host-interaction/hardware/storage                                   \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Discovery::System Information Discovery [T1082]                     \nmbc         Discovery::System Information Discovery [E1082]                     \nreferences  
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nfunction @ 0x1400066C4\n  or:\n    api: GetDiskFreeSpace @ 0x140006973\nfunction @ 0x140006CA4\n  or:\n    api: GetDiskFreeSpace @ 0x140006D6C\n\ncheck mutex on Windows\nnamespace  host-interaction/mutex                         \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com\nscope      function                                       \nmbc        Process::Check Mutex [C0043]                   \nfunction @ 0x140002DB4\n  or:\n    and:\n      match: create or open mutex on Windows @ 0x140002F06\n        or:\n          api: CreateMutex @ 0x140002F06\n      or:\n        basic block:\n          and:\n            api: GetLastError @ 0x140002F22\n            or:\n              number: 0xB7 = ERROR_ALREADY_EXISTS @ 0x140002F2E\n\ncreate or open mutex on Windows\nnamespace  host-interaction/mutex                                               \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com,          \n           mehunhoff@google.com                                                 \nscope      instruction                                                          \nmbc        Process::Create Mutex [C0042]                                        \ninstruction @ 0x140002F06\n  or:\n    api: CreateMutex @ 0x140002F06\n\nshutdown system (2 matches)\nnamespace  host-interaction/os                   \nauthor     michael.hunhoff@mandiant.com          \nscope      function                              \natt&ck     Impact::System Shutdown/Reboot [T1529]\nfunction @ 0x140001C0C\n  or:\n    api: ExitWindowsEx @ 0x140001CF1\nfunction @ 0x140002C54\n  or:\n    api: ExitWindowsEx @ 0x140002D6C\n\nget system information on Windows\nnamespace  host-interaction/os/info                       \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com  \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nfunction @ 
0x1400064E4\n  and:\n    os: windows\n    or:\n      api: GetSystemInfo @ 0x14000657C\n\ncheck OS version (3 matches)\nnamespace  host-interaction/os/version                    \nauthor     michael.hunhoff@mandiant.com, johnk3r          \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ 0x140002C54\n  and:\n    match: get OS version @ 0x140002C54\n      or:\n        api: GetVersion @ 0x140002C69\n    or:\n      and:\n        instruction:\n          and:\n            mnemonic: cmp @ 0x140002D59\n            number: 0x6 = Windows Vista / Windows Server 2008 @ 0x140002D59\n          and:\n            mnemonic: cmp @ 0x140002C7B\n            number: 0x6 = Windows Vista / Windows Server 2008 @ 0x140002C7B\nfunction @ 0x140003BF4\n  and:\n    match: get OS version @ 0x140003BF4\n      or:\n        api: GetVersionEx @ 0x140003C3F\n    or:\n      and:\n        instruction:\n          and:\n            mnemonic: cmp @ 0x140003CC2\n            number: 0x5 = Windows 2000 @ 0x140003CC2\n        optional:\n          instruction:\n            and:\n              mnemonic: cmp @ 0x140003C70\n              or:\n                number: 0x1 = Windows XP @ 0x140003C70\n            and:\n              mnemonic: cmp @ 0x140003E28\n              or:\n                number: 0x2 = Windows XP 64-bit / Windows Server 2003 / Windows Server 2003 R2 @ 0x140003E28\n      and:\n        instruction:\n          and:\n            mnemonic: cmp @ 0x140003F05\n            number: 0x6 = Windows Vista / Windows Server 2008 @ 0x140003F05\n        optional:\n          instruction:\n            and:\n              mnemonic: cmp @ 0x140003C70\n              or:\n                number: 0x1 = Windows Server 2008 R2 / Windows 7 @ 0x140003C70\n            and:\n              mnemonic: cmp @ 0x140003E28\n              or:\n                number: 0x2 = Windows Server 
2012 / Windows 8 @ 0x140003E28\nfunction @ 0x140007F04\n  and:\n    match: get OS version @ 0x140007F04\n      or:\n        api: GetVersionEx @ 0x140007F59\n    or:\n      and:\n        instruction:\n          and:\n            mnemonic: cmp @ 0x140008057\n            number: 0x5 = Windows 2000 @ 0x140008057\n      and:\n        instruction:\n          and:\n            mnemonic: cmp @ 0x140007F85\n            number: 0xA = Windows Server 2016 / Windows Server 2019 / Windows 10 @ 0x140007F85\n\ncreate process on Windows\nnamespace  host-interaction/process/create\nauthor     moritz.raabe@mandiant.com      \nscope      basic block                    \nmbc        Process::Create Process [C0017]\nbasic block @ 0x14000473C in function 0x14000473C\n  or:\n    api: CreateProcess @ 0x1400047AE\n\nmodify access privileges\nnamespace  host-interaction/process/modify                        \nauthor     moritz.raabe@mandiant.com                              \nscope      instruction                                            \natt&ck     Privilege Escalation::Access Token Manipulation [T1134]\ninstruction @ 0x140001CB2\n  and:\n    api: AdjustTokenPrivileges @ 0x140001CB2\n\nterminate process\nnamespace  host-interaction/process/terminate                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Process::Terminate Process [C0018]                                   \nfunction @ 0x140008218\n  or:\n    api: exit @ 0x1400083C9\n\nquery or enumerate registry key\nnamespace  host-interaction/registry                                 \nauthor     michael.hunhoff@mandiant.com                              \nscope      function                                                  \natt&ck     Discovery::Query Registry [T1012]                         \nmbc       
 Operating System::Registry::Query Registry Key [C0036.005]\nfunction @ 0x140002318\n  and:\n    optional:\n      match: create or open registry key @ 0x14000234A, 0x1400023CB\n        or:\n          api: RegOpenKeyEx @ 0x14000236D\n        or:\n          api: RegOpenKeyEx @ 0x1400023EE\n    or:\n      api: RegQueryInfoKeyA @ 0x140002436\n\nquery or enumerate registry value (5 matches)\nnamespace  host-interaction/registry                                            \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com,       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::Query Registry [T1012]                                    \nmbc        Operating System::Registry::Query Registry Value [C0036.006]         \nfunction @ 0x140001D28\n  and:\n    optional:\n      match: create or open registry key @ 0x140001D28\n        or:\n          api: RegCreateKeyEx @ 0x140001DBA\n    or:\n      api: RegQueryValueEx @ 0x140001E0F\nfunction @ 0x140002318\n  and:\n    optional:\n      match: create or open registry key @ 0x14000234A, 0x1400023CB\n        or:\n          api: RegOpenKeyEx @ 0x14000236D\n        or:\n          api: RegOpenKeyEx @ 0x1400023EE\n    or:\n      api: RegQueryValueEx @ 0x14000239C\nfunction @ 0x14000261C\n  and:\n    optional:\n      match: create or open registry key @ 0x1400026E5\n        or:\n          api: RegOpenKeyEx @ 0x140002724\n    or:\n      api: RegQueryValueEx @ 0x14000275B\nfunction @ 0x1400040C4\n  and:\n    optional:\n      match: create or open registry key @ 0x1400045F2\n        or:\n          api: RegOpenKeyEx @ 0x140004613\n    or:\n      api: RegQueryValueEx @ 0x140004658\nfunction @ 0x140007F04\n  and:\n    optional:\n      match: create or open registry key @ 0x140007FA7\n        or:\n          api: RegOpenKeyEx @ 0x140007FC8\n    or:\n      api: RegQueryValueEx @ 
0x140008003\n\nset registry value (2 matches)\nnamespace  host-interaction/registry/create                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com \nscope      function                                                \nmbc        Operating System::Registry::Set Registry Key [C0036.001]\nfunction @ 0x140001D28\n  or:\n    and:\n      optional:\n        match: create or open registry key @ 0x140001D28\n          or:\n            api: RegCreateKeyEx @ 0x140001DBA\n      or:\n        api: RegSetValueEx @ 0x140001FED\nfunction @ 0x1400040C4\n  or:\n    and:\n      optional:\n        match: create or open registry key @ 0x1400045F2\n          or:\n            api: RegOpenKeyEx @ 0x140004613\n      or:\n        api: RegSetValueEx @ 0x140004710\n\ndelete registry value\nnamespace  host-interaction/registry/delete                             \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Defense Evasion::Modify Registry [T1112]                     \nmbc        Operating System::Registry::Delete Registry Value [C0036.007]\nfunction @ 0x1400061EC\n  and:\n    optional:\n      match: create or open registry key @ 0x14000632D\n        or:\n          api: RegOpenKeyEx @ 0x14000634E\n    or:\n      api: RegDeleteValue @ 0x14000636A\n\ncompare security identifiers\nnamespace  host-interaction/sid        \nauthor     michael.hunhoff@mandiant.com\nscope      basic block                 \nbasic block @ 0x140001452 in function 0x1400012EC\n  or:\n    api: EqualSid @ 0x140001460\n\ncreate thread\nnamespace  host-interaction/thread/create                                       \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           joakim@intezer.com, anushka.virgaonkar@mandiant.com                  \nscope      basic block                                                          \nmbc        
Process::Create Thread [C0038]                                       \nbasic block @ 0x140003A9B in function 0x140003910\n  or:\n    and:\n      os: windows\n      or:\n        api: CreateThread @ 0x140003AD0\n\nterminate thread\nnamespace  host-interaction/thread/terminate                                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      basic block                                                          \nmbc        Process::Terminate Thread [C0039]                                    \nbasic block @ 0x14000395B in function 0x140003910\n  or:\n    api: TerminateThread @ 0x140003964\n\n(internal) installer file limitation\nnamespace    internal/limitation/static                                         \nauthor       william.ballenthin@mandiant.com                                    \nscope        file                                                               \ndescription  This sample appears to be an installer.                            \n                                                                                \n             capa cannot handle installers well. This means the results may be  \n             misleading or incomplete.                                          \n             You should try to understand the install mechanism and analyze     \n             created files with capa.                                           
\n                                                                                \nor:\n  match: executable/installer @ global\n    or:\n      string: \"  <description>IExpress extraction tool</description>\" @ file+0x274D5E\n      and:\n        string: \"wextract_cleanup%d\" @ file+0xA4C0\n        string: \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\" @ file+0xA488\n\nlink function at runtime on Windows (8 matches)\nnamespace  linking/runtime-linking                        \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com\nscope      instruction                                    \natt&ck     Execution::Shared Modules [T1129]              \ninstruction @ 0x14000122B\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x14000122B\ninstruction @ 0x140001E90\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x140001E90\ninstruction @ 0x140002CA1\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x140002CA1\ninstruction @ 0x1400031A9\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x1400031A9\ninstruction @ 0x1400043AF\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x1400043AF\ninstruction @ 0x140004AAA\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x140004AAA\ninstruction @ 0x140004ACA\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x140004ACA\ninstruction @ 0x140004AEC\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x140004AEC\n\nparse PE header (2 matches)\nnamespace  load-code/pe                     \nauthor     moritz.raabe@mandiant.com        \nscope      function                         \natt&ck     Execution::Shared Modules [T1129]\nfunction @ 0x1400080D0\n  and:\n    os: windows\n    and:\n      mnemonic: cmp @ 0x1400080D9, 0x1400080F7, 0x140008104, 0x14000810F, and 5 more...\n      or:\n        number: 0x4550 = IMAGE_NT_SIGNATURE (PE) @ 0x1400080F7\n      or:\n        number: 0x5A4D = IMAGE_DOS_SIGNATURE (MZ) @ 
0x1400080D4\nfunction @ 0x1400087BC\n  and:\n    os: windows\n    and:\n      mnemonic: cmp @ 0x1400087C6, 0x1400087D1, 0x1400087D6, 0x1400087DB, and 1 more...\n      or:\n        number: 0x4550 = IMAGE_NT_SIGNATURE (PE) @ 0x1400087EF\n      or:\n        number: 0x5A4D = IMAGE_DOS_SIGNATURE (MZ) @ 0x1400087CC\n\npersist via Run registry key (5 matches)\nnamespace  persistence/registry/run                                             \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com                      \nscope      function                                                             \natt&ck     Persistence::Boot or Logon Autostart Execution::Registry Run Keys /  \n           Startup Folder [T1547.001]                                           \nmbc        Persistence::Registry Run Keys / Startup Folder [F0012]              \nfunction @ 0x140001D28\n  and:\n    or:\n      match: set registry value @ 0x140001D28\n        or:\n          and:\n            optional:\n              match: create or open registry key @ 0x140001D28\n                or:\n                  api: RegCreateKeyEx @ 0x140001DBA\n            or:\n              api: RegSetValueEx @ 0x140001FED\n      number: 0x80000002 = HKEY_LOCAL_MACHINE @ 0x140001DA6\n    or:\n      regex: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run/i\n        - \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\" @ 0x140001D8A\nfunction @ 0x140001D28\n  and:\n    or:\n      match: set registry value @ 0x140001D28\n        or:\n          and:\n            optional:\n              match: create or open registry key @ 0x140001D28\n                or:\n                  api: RegCreateKeyEx @ 0x140001DBA\n            or:\n              api: RegSetValueEx @ 0x140001FED\n      number: 0x80000002 = HKEY_LOCAL_MACHINE @ 0x140001DA6\n    or:\n      regex: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run/i\n        - \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\" @ 
0x140001D8A\nfunction @ 0x1400040C4\n  and:\n    or:\n      match: set registry value @ 0x1400040C4\n        or:\n          and:\n            optional:\n              match: create or open registry key @ 0x1400045F2\n                or:\n                  api: RegOpenKeyEx @ 0x140004613\n            or:\n              api: RegSetValueEx @ 0x140004710\n      number: 0x80000002 = HKEY_LOCAL_MACHINE @ 0x14000460C\n    or:\n      regex: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run/i\n        - \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\" @ 0x140004605\nfunction @ 0x1400040C4\n  and:\n    or:\n      match: set registry value @ 0x1400040C4\n        or:\n          and:\n            optional:\n              match: create or open registry key @ 0x1400045F2\n                or:\n                  api: RegOpenKeyEx @ 0x140004613\n            or:\n              api: RegSetValueEx @ 0x140004710\n      number: 0x80000002 = HKEY_LOCAL_MACHINE @ 0x14000460C\n    or:\n      regex: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run/i\n        - \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\" @ 0x140004605\nfunction @ 0x1400061EC\n  and:\n    or:\n      number: 0x80000002 = HKEY_LOCAL_MACHINE @ 0x140006347\n    or:\n      regex: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run/i\n        - \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\" @ 0x140006340\n\n\n\n"},"hashes":{"md5":"c2bf2a9e6beaff5b5321917475545ef4","sha1":"7b33e010b7a815cbf97cc04b3adbfc009791b727","sha256":"6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n   
         padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n 
       }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n 
   <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    <span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div 
class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 84</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 31900</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"3\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"c2bf2a9e6beaff5b5321917475545ef4\",\n        \"sha256\": \"6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57\",\n        \"arch\": \"amd64\",\n        \"os\": \"windows\",\n        \"format\": \"pe\"\n      }\n    },\n    {\n      \"id\": \"cap_contain_loop__37_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"contain loop (37 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x1400012EC\",\n      \"label\": \"Function 0x1400012EC\",\n      \"type\": \"function\",\n      \"address\": \"0x1400012EC\"\n    },\n    {\n      \"id\": \"cap_create_or_open_file__4_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"create or open file (4 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create File [C0016]\"\n      ]\n    },\n    {\n      \"id\": \"api_CreateFile\",\n      \"label\": \"CreateFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_rule_\",\n      \"label\": \"rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Create Registry Key [C0036.004]\",\n        \"Operating\",\n        
\"System::Registry::Open Registry Key [C0036.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x140001D28\",\n      \"label\": \"Block 0x140001D28\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140001D28\"\n    },\n    {\n      \"id\": \"api_RegCreateKeyEx\",\n      \"label\": \"RegCreateKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_delay_execution__3_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"delay execution (3 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed\",\n        \"Execution [B0003.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x140003B4C\",\n      \"label\": \"Block 0x140003B4C\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140003B4C\"\n    },\n    {\n      \"id\": \"api_MsgWaitForMultipleObjects\",\n      \"label\": \"MsgWaitForMultipleObjects\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_os_version__3_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"get OS version (3 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x140002C54\",\n      \"label\": \"Function 0x140002C54\",\n      \"type\": \"function\",\n      \"address\": \"0x140002C54\"\n    },\n    {\n      \"id\": \"api_GetVersion\",\n      \"label\": \"GetVersion\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_reference_anti_vm_strings_targeting_xen\",\n      \"label\": \"reference anti-VM strings targeting Xen\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        
\"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_packaged_as_an_iexpress_self_extracting_archive\",\n      \"label\": \"packaged as an IExpress self-extracting archive\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author______awillia2_cisco_com\",\n      \"label\": \"author      awillia2@cisco.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"label\": \"extract resource via kernel32 functions (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x14000772C\",\n      \"label\": \"Function 0x14000772C\",\n      \"type\": \"function\",\n      \"address\": \"0x14000772C\"\n    },\n    {\n      \"id\": \"func_0x140005D90\",\n      \"label\": \"Function 0x140005D90\",\n      \"type\": \"function\",\n      \"address\": \"0x140005D90\"\n    },\n    {\n      \"id\": \"func_0x140002DB4\",\n      \"label\": \"Function 0x140002DB4\",\n      \"type\": \"function\",\n      \"address\": \"0x140002DB4\"\n    },\n    {\n      \"id\": \"func_0x140005050\",\n      \"label\": \"Function 0x140005050\",\n      \"type\": \"function\",\n      \"address\": \"0x140005050\"\n    },\n    {\n      \"id\": \"func_0x140007AC8\",\n      \"label\": \"Function 0x140007AC8\",\n      \"type\": \"function\",\n      \"address\": \"0x140007AC8\"\n    },\n    {\n      \"id\": \"api_FindResource\",\n      
\"label\": \"FindResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LockResource\",\n      \"label\": \"LockResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FreeResource\",\n      \"label\": \"FreeResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SizeofResource\",\n      \"label\": \"SizeofResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LoadResource\",\n      \"label\": \"LoadResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_query_environment_variable\",\n      \"label\": \"query environment variable\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x14000261C\",\n      \"label\": \"Function 0x14000261C\",\n      \"type\": \"function\",\n      \"address\": \"0x14000261C\"\n    },\n    {\n      \"id\": \"api_ExpandEnvironmentStrings\",\n      \"label\": \"ExpandEnvironmentStrings\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_common_file_path__10_matches_\",\n      \"label\": \"get common file path (10 
matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x1400030EC\",\n      \"label\": \"Function 0x1400030EC\",\n      \"type\": \"function\",\n      \"address\": \"0x1400030EC\"\n    },\n    {\n      \"id\": \"func_0x1400040C4\",\n      \"label\": \"Function 0x1400040C4\",\n      \"type\": \"function\",\n      \"address\": \"0x1400040C4\"\n    },\n    {\n      \"id\": \"func_0x140002468\",\n      \"label\": \"Function 0x140002468\",\n      \"type\": \"function\",\n      \"address\": \"0x140002468\"\n    },\n    {\n      \"id\": \"func_0x1400063B8\",\n      \"label\": \"Function 0x1400063B8\",\n      \"type\": \"function\",\n      \"address\": \"0x1400063B8\"\n    },\n    {\n      \"id\": \"func_0x1400066C4\",\n      \"label\": \"Function 0x1400066C4\",\n      \"type\": \"function\",\n      \"address\": \"0x1400066C4\"\n    },\n    {\n      \"id\": \"func_0x140004A60\",\n      \"label\": \"Function 0x140004A60\",\n      \"type\": \"function\",\n      \"address\": \"0x140004A60\"\n    },\n    {\n      \"id\": \"func_0x140002244\",\n      \"label\": \"Function 0x140002244\",\n      \"type\": \"function\",\n      \"address\": \"0x140002244\"\n    },\n    {\n      \"id\": \"func_0x140006CA4\",\n      \"label\": \"Function 0x140006CA4\",\n      \"type\": \"function\",\n      \"address\": \"0x140006CA4\"\n    },\n    {\n      \"id\": \"func_0x140001D28\",\n      \"label\": \"Function 0x140001D28\",\n      \"type\": \"function\",\n      \"address\": \"0x140001D28\"\n    },\n    {\n      \"id\": \"api_GetSystemDirectory\",\n      \"label\": \"GetSystemDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetTempFileName\",\n      \"label\": \"GetTempFileName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"api_GetTempPath\",\n      \"label\": \"GetTempPath\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetWindowsDirectory\",\n      \"label\": \"GetWindowsDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetCurrentDirectory\",\n      \"label\": \"GetCurrentDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_current_directory__3_matches_\",\n      \"label\": \"set current directory (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x1400061EC\",\n      \"label\": \"Function 0x1400061EC\",\n      \"type\": \"function\",\n      \"address\": \"0x1400061EC\"\n    },\n    {\n      \"id\": \"api_SetCurrentDirectory\",\n      \"label\": \"SetCurrentDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_create_directory__5_matches_\",\n      \"label\": \"create directory (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x1400064E4\",\n      \"label\": \"Function 0x1400064E4\",\n      \"type\": \"function\",\n      \"address\": \"0x1400064E4\"\n    },\n    {\n      \"id\": 
\"func_0x140005380\",\n      \"label\": \"Function 0x140005380\",\n      \"type\": \"function\",\n      \"address\": \"0x140005380\"\n    },\n    {\n      \"id\": \"func_0x140003530\",\n      \"label\": \"Function 0x140003530\",\n      \"type\": \"function\",\n      \"address\": \"0x140003530\"\n    },\n    {\n      \"id\": \"api_CreateDirectory\",\n      \"label\": \"CreateDirectory\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_directory__3_matches_\",\n      \"label\": \"delete directory (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete Directory [C0048]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x14000204C\",\n      \"label\": \"Function 0x14000204C\",\n      \"type\": \"function\",\n      \"address\": \"0x14000204C\"\n    },\n    {\n      \"id\": \"api_RemoveDirectory\",\n      \"label\": \"RemoveDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_delete_file__3_matches_\",\n      \"label\": \"delete file (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"api_DeleteFile\",\n      \"label\": \"DeleteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_check_if_file_exists__7_matches_\",\n      \"label\": \"check if file exists (7 matches)\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x140006B70\",\n      \"label\": \"Function 0x140006B70\",\n      \"type\": \"function\",\n      \"address\": \"0x140006B70\"\n    },\n    {\n      \"id\": \"func_0x140001684\",\n      \"label\": \"Function 0x140001684\",\n      \"type\": \"function\",\n      \"address\": \"0x140001684\"\n    },\n    {\n      \"id\": \"func_0x1400051BC\",\n      \"label\": \"Function 0x1400051BC\",\n      \"type\": \"function\",\n      \"address\": \"0x1400051BC\"\n    },\n    {\n      \"id\": \"func_0x1400079F0\",\n      \"label\": \"Function 0x1400079F0\",\n      \"type\": \"function\",\n      \"address\": \"0x1400079F0\"\n    },\n    {\n      \"id\": \"api_GetFileAttributes\",\n      \"label\": \"GetFileAttributes\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_enumerate_files_on_windows\",\n      \"label\": \"enumerate files on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"api_FindClose\",\n      \"label\": \"FindClose\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindFirstFile\",\n      \"label\": \"FindFirstFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindNextFile\",\n      \"label\": \"FindNextFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n  
    \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_files_recursively\",\n      \"label\": \"enumerate files recursively\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     @_re_fox, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_attributes__9_matches_\",\n      \"label\": \"get file attributes (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x140006916\",\n      \"label\": \"Block 0x140006916\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140006916\"\n    },\n    {\n      \"id\": \"bb_0x1400063E3\",\n      \"label\": \"Block 0x1400063E3\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x1400063E3\"\n    },\n    {\n      \"id\": \"bb_0x140003694\",\n      \"label\": \"Block 0x140003694\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140003694\"\n    },\n    {\n      \"id\": \"bb_0x140001AEB\",\n      \"label\": \"Block 0x140001AEB\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140001AEB\"\n    },\n    {\n      \"id\": \"bb_0x140006C61\",\n      \"label\": \"Block 0x140006C61\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140006C61\"\n    },\n    {\n      \"id\": \"bb_0x140007A44\",\n      \"label\": \"Block 0x140007A44\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140007A44\"\n 
   },\n    {\n      \"id\": \"bb_0x14000184D\",\n      \"label\": \"Block 0x14000184D\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x14000184D\"\n    },\n    {\n      \"id\": \"bb_0x1400051BC\",\n      \"label\": \"Block 0x1400051BC\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x1400051BC\"\n    },\n    {\n      \"id\": \"bb_0x140006A16\",\n      \"label\": \"Block 0x140006A16\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140006A16\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_version_info\",\n      \"label\": \"get file version info\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x140002834\",\n      \"label\": \"Function 0x140002834\",\n      \"type\": \"function\",\n      \"address\": \"0x140002834\"\n    },\n    {\n      \"id\": \"api_VerQueryValue\",\n      \"label\": \"VerQueryValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetFileVersionInfoSize\",\n      \"label\": \"GetFileVersionInfoSize\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetFileVersionInfo\",\n      \"label\": \"GetFileVersionInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_file_attributes__5_matches_\",\n      \"label\": \"set file attributes (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n   
   \"mitre\": [\n        \"File System::Set File Attributes [C0050]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x1400021A3\",\n      \"label\": \"Block 0x1400021A3\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x1400021A3\"\n    },\n    {\n      \"id\": \"bb_0x140005246\",\n      \"label\": \"Block 0x140005246\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140005246\"\n    },\n    {\n      \"id\": \"bb_0x140006A6D\",\n      \"label\": \"Block 0x140006A6D\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140006A6D\"\n    },\n    {\n      \"id\": \"bb_0x140006229\",\n      \"label\": \"Block 0x140006229\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140006229\"\n    },\n    {\n      \"id\": \"bb_0x140005A06\",\n      \"label\": \"Block 0x140005A06\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140005A06\"\n    },\n    {\n      \"id\": \"api_SetFileAttributes\",\n      \"label\": \"SetFileAttributes\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_read__ini_file\",\n      \"label\": \"read .ini file\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetPrivateProfileString\",\n      \"label\": \"GetPrivateProfileString\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileInt\",\n      \"label\": \"GetPrivateProfileInt\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     @_re_fox, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_read_file_on_windows\",\n      \"label\": \"read file on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x1400055E0\",\n      \"label\": \"Function 0x1400055E0\",\n      \"type\": \"function\",\n      \"address\": \"0x1400055E0\"\n    },\n    {\n      \"id\": \"api_ReadFile\",\n      \"label\": \"ReadFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_write_file_on_windows__2_matches_\",\n      \"label\": \"write file on Windows (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x140005690\",\n      \"label\": \"Function 0x140005690\",\n      \"type\": \"function\",\n      \"address\": \"0x140005690\"\n    },\n    {\n      \"id\": \"func_0x1400078B0\",\n      \"label\": \"Function 0x1400078B0\",\n      \"type\": \"function\",\n      \"address\": \"0x1400078B0\"\n    },\n    {\n      \"id\": \"api_WriteFile\",\n      \"label\": \"WriteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n 
       \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_disk_information__2_matches_\",\n      \"label\": \"get disk information (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetVolumeInformation\",\n      \"label\": \"GetVolumeInformation\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetDriveType\",\n      \"label\": \"GetDriveType\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_disk_size__2_matches_\",\n      \"label\": \"get disk size (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetDiskFreeSpace\",\n      \"label\": \"GetDiskFreeSpace\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_mutex_on_windows\",\n      \"label\": \"check mutex on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Check Mutex [C0043]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetLastError\",\n      \"label\": \"GetLastError\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CreateMutex\",\n      \"label\": 
\"CreateMutex\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Check Mutex [C0043]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_or_open_mutex_on_windows\",\n      \"label\": \"create or open mutex on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Mutex [C0042]\"\n      ]\n    },\n    {\n      \"id\": \"cap_mehunhoff_google_com\",\n      \"label\": \"mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Mutex [C0042]\"\n      ]\n    },\n    {\n      \"id\": \"cap_shutdown_system__2_matches_\",\n      \"label\": \"shutdown system (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::System Shutdown/Reboot [T1529]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x140001C0C\",\n      \"label\": \"Function 0x140001C0C\",\n      \"type\": \"function\",\n      \"address\": \"0x140001C0C\"\n    },\n    {\n      \"id\": \"api_ExitWindowsEx\",\n      \"label\": \"ExitWindowsEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_system_information_on_windows\",\n      \"label\": \"get system information on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetSystemInfo\",\n      \"label\": \"GetSystemInfo\",\n      \"type\": \"api\",\n  
    \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_os_version__3_matches_\",\n      \"label\": \"check OS version (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x140003BF4\",\n      \"label\": \"Function 0x140003BF4\",\n      \"type\": \"function\",\n      \"address\": \"0x140003BF4\"\n    },\n    {\n      \"id\": \"func_0x140007F04\",\n      \"label\": \"Function 0x140007F04\",\n      \"type\": \"function\",\n      \"address\": \"0x140007F04\"\n    },\n    {\n      \"id\": \"api_GetVersionEx\",\n      \"label\": \"GetVersionEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__johnk3r\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, johnk3r\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_process_on_windows\",\n      \"label\": \"create process on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x14000473C\",\n      \"label\": \"Block 0x14000473C\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x14000473C\"\n    },\n    {\n      \"id\": \"api_CreateProcess\",\n      
\"label\": \"CreateProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_modify_access_privileges\",\n      \"label\": \"modify access privileges\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": \"api_AdjustTokenPrivileges\",\n      \"label\": \"AdjustTokenPrivileges\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_terminate_process\",\n      \"label\": \"terminate process\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Process [C0018]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x140008218\",\n      \"label\": \"Function 0x140008218\",\n      \"type\": \"function\",\n      \"address\": \"0x140008218\"\n    },\n    {\n      \"id\": \"api_exit\",\n      \"label\": \"exit\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_key\",\n      \"label\": \"query or enumerate registry key\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Key [C0036.005]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x140002318\",\n      \"label\": \"Function 0x140002318\",\n      \"type\": \"function\",\n      \"address\": \"0x140002318\"\n    },\n    {\n      \"id\": \"api_RegQueryInfoKeyA\",\n      \"label\": \"RegQueryInfoKeyA\",\n      
\"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_RegOpenKeyEx\",\n      \"label\": \"RegOpenKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"label\": \"query or enumerate registry value (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Value [C0036.006]\"\n      ]\n    },\n    {\n      \"id\": \"api_RegQueryValueEx\",\n      \"label\": \"RegQueryValueEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_registry_value__2_matches_\",\n      \"label\": \"set registry value (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Set Registry Key [C0036.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_RegSetValueEx\",\n      \"label\": \"RegSetValueEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_delete_registry_value\",\n      \"label\": \"delete registry value\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Value [C0036.007]\"\n      ]\n    },\n    {\n      \"id\": \"api_RegDeleteValue\",\n      \"label\": \"RegDeleteValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_compare_security_identifiers\",\n      \"label\": \"compare security identifiers\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"bb_0x140001452\",\n      \"label\": \"Block 0x140001452\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140001452\"\n    },\n    {\n   
   \"id\": \"api_EqualSid\",\n      \"label\": \"EqualSid\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_thread\",\n      \"label\": \"create thread\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x140003A9B\",\n      \"label\": \"Block 0x140003A9B\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x140003A9B\"\n    },\n    {\n      \"id\": \"api_CreateThread\",\n      \"label\": \"CreateThread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"joakim@intezer.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_terminate_thread\",\n      \"label\": \"terminate thread\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Thread [C0039]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x14000395B\",\n      \"label\": \"Block 0x14000395B\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x14000395B\"\n    },\n    {\n      \"id\": \"api_TerminateThread\",\n      \"label\": \"TerminateThread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap__internal__installer_file_limitation\",\n      \"label\": \"(internal) installer file limitation\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"label\": \"author       william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n   
   \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_link_function_at_runtime_on_windows__8_matches_\",\n      \"label\": \"link function at runtime on Windows (8 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetProcAddress\",\n      \"label\": \"GetProcAddress\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_parse_pe_header__2_matches_\",\n      \"label\": \"parse PE header (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x1400087BC\",\n      \"label\": \"Function 0x1400087BC\",\n      \"type\": \"function\",\n      \"address\": \"0x1400087BC\"\n    },\n    {\n      \"id\": \"func_0x1400080D0\",\n      \"label\": \"Function 0x1400080D0\",\n      \"type\": \"function\",\n      \"address\": \"0x1400080D0\"\n    },\n    {\n      \"id\": \"cap_persist_via_run_registry_key__5_matches_\",\n      \"label\": \"persist via Run registry key (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Registry Run Keys / Startup Folder [F0012]\"\n      ]\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_loop__37_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_contain_loop__37_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x1400012EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_create_or_open_file__4_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_rule_\",\n      \"target\": \"bb_0x140001D28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delay_execution__3_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delay_execution__3_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x140003B4C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_os_version__3_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_os_version__3_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x140002C54\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140002C54\",\n      \"target\": \"api_GetVersion\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_anti_vm_strings_targeting_xen\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_packaged_as_an_iexpress_self_extracting_archive\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______awillia2_cisco_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"target\": \"func_0x14000772C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"target\": \"func_0x140005D90\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"target\": \"func_0x140002DB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"target\": \"func_0x140005050\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"target\": \"func_0x140007AC8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000772C\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005D90\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005050\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007AC8\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000772C\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005D90\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": 
\"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005050\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007AC8\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000772C\",\n      \"target\": \"api_FreeResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005D90\",\n      \"target\": \"api_FreeResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_FreeResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005050\",\n      \"target\": \"api_FreeResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007AC8\",\n      \"target\": \"api_FreeResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000772C\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005D90\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005050\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007AC8\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000772C\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005D90\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": 
\"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005050\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007AC8\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x14000772C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x140005D90\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x140002DB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x140005050\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x140007AC8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000772C\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005D90\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005050\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007AC8\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n  
  },\n    {\n      \"source\": \"func_0x14000772C\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005D90\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005050\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007AC8\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000772C\",\n      \"target\": \"api_FreeResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005D90\",\n      \"target\": \"api_FreeResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_FreeResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005050\",\n      \"target\": \"api_FreeResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007AC8\",\n      \"target\": \"api_FreeResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000772C\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005D90\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005050\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007AC8\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"func_0x14000772C\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005D90\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005050\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007AC8\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_environment_variable\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_environment_variable\",\n      \"target\": \"func_0x14000261C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_ExpandEnvironmentStrings\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x14000261C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_ExpandEnvironmentStrings\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path__10_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__10_matches_\",\n      \"target\": \"func_0x1400030EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__10_matches_\",\n      \"target\": 
\"func_0x1400040C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__10_matches_\",\n      \"target\": \"func_0x140002468\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__10_matches_\",\n      \"target\": \"func_0x1400063B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__10_matches_\",\n      \"target\": \"func_0x14000261C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__10_matches_\",\n      \"target\": \"func_0x1400066C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__10_matches_\",\n      \"target\": \"func_0x140004A60\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__10_matches_\",\n      \"target\": \"func_0x140002244\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__10_matches_\",\n      \"target\": \"func_0x140006CA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__10_matches_\",\n      \"target\": \"func_0x140001D28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002468\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": 
\"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140004A60\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002244\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002468\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140004A60\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002244\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x140001D28\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002468\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140004A60\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002244\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002468\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n     
 \"source\": \"func_0x14000261C\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140004A60\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002244\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002468\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140004A60\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002244\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": 
\"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x1400030EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x1400040C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140002468\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x1400063B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x14000261C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x1400066C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140004A60\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140002244\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140006CA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140001D28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"func_0x1400030EC\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002468\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140004A60\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002244\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002468\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_GetTempFileName\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140004A60\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002244\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002468\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140004A60\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002244\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_GetTempPath\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002468\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140004A60\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002244\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002468\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x14000261C\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140004A60\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002244\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_current_directory__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__3_matches_\",\n      \"target\": \"func_0x1400030EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__3_matches_\",\n      \"target\": \"func_0x140006CA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__3_matches_\",\n      \"target\": \"func_0x1400061EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400030EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140006CA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400061EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400030EC\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_directory__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_directory__5_matches_\",\n      \"target\": \"func_0x1400064E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_directory__5_matches_\",\n      \"target\": \"func_0x1400063B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_directory__5_matches_\",\n      \"target\": \"func_0x140005380\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_directory__5_matches_\",\n      \"target\": \"func_0x140003530\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_directory__5_matches_\",\n      \"target\": \"func_0x1400066C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400064E4\",\n      \"target\": \"api_CreateDirectory\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005380\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140003530\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400064E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400063B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140005380\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140003530\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400066C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400064E4\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n 
   },\n    {\n      \"source\": \"func_0x140005380\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140003530\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_directory__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_directory__3_matches_\",\n      \"target\": \"func_0x14000204C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_directory__3_matches_\",\n      \"target\": \"func_0x1400064E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_directory__3_matches_\",\n      \"target\": \"func_0x1400063B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400064E4\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x14000204C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400064E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400063B8\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400064E4\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_file__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_file__3_matches_\",\n      \"target\": \"func_0x14000204C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__3_matches_\",\n      \"target\": \"func_0x1400061EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__3_matches_\",\n      \"target\": \"func_0x1400063B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x14000204C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400061EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400063B8\",\n      \"relationship\": \"implemented_by\"\n  
  },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x140006B70\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x140001684\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x1400063B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x1400051BC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x140003530\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x1400079F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x1400066C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140006B70\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001684\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n    
  \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400051BC\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140003530\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400079F0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140006B70\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140001684\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400063B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400051BC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140003530\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400079F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400066C4\",\n      \"relationship\": \"implemented_by\"\n    },\n  
  {\n      \"source\": \"func_0x140006B70\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001684\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400063B8\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400051BC\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140003530\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400079F0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_files_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows\",\n      \"target\": \"func_0x14000204C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x14000204C\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_files_recursively\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_recursively\",\n      \"target\": \"func_0x14000204C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x14000204C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000204C\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_attributes__9_matches_\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__9_matches_\",\n      \"target\": \"bb_0x140006916\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__9_matches_\",\n      \"target\": \"bb_0x1400063E3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__9_matches_\",\n      \"target\": \"bb_0x140003694\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__9_matches_\",\n      \"target\": \"bb_0x140001AEB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__9_matches_\",\n      \"target\": \"bb_0x140006C61\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__9_matches_\",\n      \"target\": \"bb_0x140007A44\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__9_matches_\",\n      \"target\": \"bb_0x14000184D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__9_matches_\",\n      \"target\": \"bb_0x1400051BC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__9_matches_\",\n      \"target\": \"bb_0x140006A16\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140006916\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x1400063E3\",\n 
     \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140003694\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140001AEB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140006C61\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140007A44\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x14000184D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x1400051BC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140006A16\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_version_info\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_version_info\",\n      \"target\": \"func_0x140002834\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140002834\",\n      \"target\": \"api_VerQueryValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002834\",\n      \"target\": \"api_GetFileVersionInfoSize\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x140002834\",\n      \"target\": \"api_GetFileVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140002834\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140002834\",\n      \"target\": \"api_VerQueryValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002834\",\n      \"target\": \"api_GetFileVersionInfoSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002834\",\n      \"target\": \"api_GetFileVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_file_attributes__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_file_attributes__5_matches_\",\n      \"target\": \"bb_0x1400021A3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_file_attributes__5_matches_\",\n      \"target\": \"bb_0x140005246\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_file_attributes__5_matches_\",\n      \"target\": \"bb_0x140006A6D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_file_attributes__5_matches_\",\n      \"target\": \"bb_0x140006229\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_file_attributes__5_matches_\",\n      \"target\": \"bb_0x140005A06\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x1400021A3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140005246\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140006A6D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140006229\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140005A06\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read__ini_file\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read__ini_file\",\n      \"target\": \"func_0x140001684\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140001684\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001684\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140001684\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140001684\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001684\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_file_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows\",\n      \"target\": \"func_0x1400055E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"func_0x1400055E0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x1400055E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400055E0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_file_on_windows__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__2_matches_\",\n      \"target\": \"func_0x140005690\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__2_matches_\",\n      \"target\": \"func_0x1400078B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140005690\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400078B0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005690\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400078B0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140005690\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x1400078B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140005690\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400078B0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140005690\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400078B0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_information__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__2_matches_\",\n      \"target\": \"func_0x140006CA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__2_matches_\",\n      \"target\": \"func_0x1400066C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140006CA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x1400066C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_size__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_size__2_matches_\",\n      \"target\": \"func_0x140006CA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_size__2_matches_\",\n      \"target\": \"func_0x1400066C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140006CA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x1400066C4\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140006CA4\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400066C4\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_mutex_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_mutex_on_windows\",\n      \"target\": \"func_0x140002DB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_CreateMutex\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"target\": \"func_0x140002DB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002DB4\",\n      \"target\": \"api_CreateMutex\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_or_open_mutex_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_shutdown_system__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_shutdown_system__2_matches_\",\n  
    \"target\": \"func_0x140001C0C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_shutdown_system__2_matches_\",\n      \"target\": \"func_0x140002C54\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140001C0C\",\n      \"target\": \"api_ExitWindowsEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002C54\",\n      \"target\": \"api_ExitWindowsEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140001C0C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140002C54\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140001C0C\",\n      \"target\": \"api_ExitWindowsEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002C54\",\n      \"target\": \"api_ExitWindowsEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_system_information_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_system_information_on_windows\",\n      \"target\": \"func_0x1400064E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400064E4\",\n      \"target\": \"api_GetSystemInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x1400064E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400064E4\",\n      \"target\": 
\"api_GetSystemInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_os_version__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_os_version__3_matches_\",\n      \"target\": \"func_0x140002C54\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_os_version__3_matches_\",\n      \"target\": \"func_0x140003BF4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_os_version__3_matches_\",\n      \"target\": \"func_0x140007F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140002C54\",\n      \"target\": \"api_GetVersion\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140003BF4\",\n      \"target\": \"api_GetVersion\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007F04\",\n      \"target\": \"api_GetVersion\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002C54\",\n      \"target\": \"api_GetVersionEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140003BF4\",\n      \"target\": \"api_GetVersionEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007F04\",\n      \"target\": \"api_GetVersionEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__johnk3r\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x140002C54\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x140003BF4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n 
     \"source\": \"cap_author_____michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x140007F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140002C54\",\n      \"target\": \"api_GetVersion\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140003BF4\",\n      \"target\": \"api_GetVersion\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007F04\",\n      \"target\": \"api_GetVersion\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002C54\",\n      \"target\": \"api_GetVersionEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140003BF4\",\n      \"target\": \"api_GetVersionEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007F04\",\n      \"target\": \"api_GetVersionEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows\",\n      \"target\": \"bb_0x14000473C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x14000473C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_modify_access_privileges\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_process\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_terminate_process\",\n      \"target\": \"func_0x140008218\",\n      \"relationship\": \"implemented_by\"\n    },\n    
{\n      \"source\": \"func_0x140008218\",\n      \"target\": \"api_exit\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140008218\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140008218\",\n      \"target\": \"api_exit\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_key\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_key\",\n      \"target\": \"func_0x140002318\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140002318\",\n      \"target\": \"api_RegQueryInfoKeyA\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002318\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140002318\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x140002318\",\n      \"target\": \"api_RegQueryInfoKeyA\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002318\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x1400040C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x140002318\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x14000261C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x140001D28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x140007F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002318\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007F04\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002318\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007F04\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x140002318\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007F04\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x1400040C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140002318\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x14000261C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140001D28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x140007F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002318\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007F04\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002318\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007F04\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140002318\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x14000261C\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140007F04\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_registry_value__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__2_matches_\",\n      \"target\": \"func_0x1400040C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__2_matches_\",\n      \"target\": \"func_0x140001D28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": 
\"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x1400040C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x140001D28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_registry_value\",\n      
\"target\": \"func_0x1400061EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_RegDeleteValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x1400061EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_RegDeleteValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compare_security_identifiers\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_compare_security_identifiers\",\n      \"target\": \"bb_0x140001452\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x140001452\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_thread\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_thread\",\n      \"target\": \"bb_0x140003A9B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x140003A9B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_thread\",\n   
   \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_terminate_thread\",\n      \"target\": \"bb_0x14000395B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x14000395B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap__internal__installer_file_limitation\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_link_function_at_runtime_on_windows__8_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_parse_pe_header__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_parse_pe_header__2_matches_\",\n      \"target\": \"func_0x1400087BC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_parse_pe_header__2_matches_\",\n      \"target\": \"func_0x1400080D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x1400087BC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x1400080D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_persist_via_run_registry_key__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_persist_via_run_registry_key__5_matches_\",\n      \"target\": \"func_0x1400040C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_persist_via_run_registry_key__5_matches_\",\n      \"target\": \"func_0x140001D28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_persist_via_run_registry_key__5_matches_\",\n      \"target\": \"func_0x1400061EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"target\": \"func_0x1400040C4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"target\": \"func_0x140001D28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"target\": 
\"func_0x1400061EC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400040C4\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x140001D28\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x1400061EC\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-04-27 00:05:26.527665\",\n    \"total_functions\": \"84\",\n    \"total_features\": \"31900\",\n    \"pdb_path\": \"\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        
svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 
15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) 
{\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? 
\"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-04-27 00:05:27"}
{"_id":{"$oid":"69f0fc1c59a6632dae07de68"},"sha256":"c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227bd5afe9c795002e","analysis_data":{"success":true,"results":{"normal":{"success":false,"error":"WARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be       common.py:90\n         compiled with AutoIt.                                                  \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  AutoIt is a freeware BASIC-like common.py:90\n         scripting language designed for automating the Windows                 \n         GUI.                                                                   \nWARNING  capa.capabilities.common:  capa cannot handle AutoIt       common.py:90\n         scripts. This means that the results will be misleading or             \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You may have to analyze the     common.py:90\n         file manually, using a tool like the AutoIt decompiler                 \n         MyAut2Exe.                                                             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         autoit file limitation                                                 \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       
\nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n"},"verbose":{"success":true,"path":"/tmp/sdm_capa_xjmvdqmb/5.exe_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_xjmvdqmb/5.exe_very_verbose.txt"}},"outputs":{"normal":"ERROR:\nWARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be       common.py:90\n         compiled with AutoIt.                                                  \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  AutoIt is a freeware BASIC-like common.py:90\n         scripting language designed for automating the Windows                 \n         GUI.                                                                   \nWARNING  capa.capabilities.common:  capa cannot handle AutoIt       common.py:90\n         scripts. This means that the results will be misleading or             \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You may have to analyze the     common.py:90\n         file manually, using a tool like the AutoIt decompiler                 \n         MyAut2Exe.                                                             
\nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         autoit file limitation                                                 \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       \nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n\n\nSTDOUT:\n\n\nSTDERR:\nWARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be       common.py:90\n         compiled with AutoIt.                                                  \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  AutoIt is a freeware BASIC-like common.py:90\n         scripting language designed for automating the Windows                 \n         GUI.                                                                   \nWARNING  capa.capabilities.common:  capa cannot handle AutoIt       common.py:90\n         scripts. This means that the results will be misleading or             \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You may have to analyze the     common.py:90\n         file manually, using a tool like the AutoIt decompiler                 \n         MyAut2Exe.                                                             
\nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         autoit file limitation                                                 \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       \nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n","verbose":"md5                     9743b958d41813a0a3f62920f90a25c8                        \nsha1                    fec4f7eea0ac8e7935081d865a2f8fee6839641b                \nsha256                  c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227bd5afe…\npath                    /home/apogean/projects/malware/windows/all_runs/5.exe   \ntimestamp               2026-04-28 23:56:09.144408                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEIBV9GGf/rules                                   \nfunction count          2043                                                    \nlibrary function count  714                                                     \ntotal feature 
count     119213                                                  \n\ncheck for time delay via QueryPerformanceCounter (4 matches)\nnamespace  anti-analysis/anti-debugging/debugger-detection\nscope      function                                       \nmatches    0x469B67                                       \n           0x469B7E                                       \n           0x46AFC6                                       \n           0x46E899                                       \n\ncheck for unmoving mouse cursor (2 matches)\nnamespace  anti-analysis/anti-vm/vm-detection\nscope      function                          \nmatches    0x498EBB                          \n           0x499468                          \n\nlog keystrokes (9 matches)\nnamespace  collection/keylog\nscope      function         \nmatches    0x4034CE         \n           0x41EFAD         \n           0x4624E6         \n           0x462CEB         \n           0x463985         \n           0x46A90B         \n           0x46B04D         \n           0x46B198         \n           0x46B1FD         \n\nlog keystrokes via polling (11 matches)\nnamespace  collection/keylog\nscope      function         \nmatches    0x4028C0         \n           0x41EA9A         \n           0x469B97         \n           0x469EAF         \n           0x46A90B         \n           0x46A975         \n           0x46AABA         \n           0x46ABF8         \n           0x46ADD8         \n           0x46B198         \n           0x499468         \n\ncapture screenshot\nnamespace  collection/screenshot\nscope      function             \nmatches    0x482483             \n\nquery remote server for available data\nnamespace  communication\nscope      basic block  \nmatches    0x47CE38     \n\nreceive data (4 matches)\nnamespace    communication                                                     \ndescription  all known techniques for receiving data from a potential C2 server\nscope        function                         
                                 \nmatches      0x47CD62                                                          \n             0x47CE38                                                          \n             0x48135A                                                          \n             0x481B87                                                          \n\nsend data (3 matches)\nnamespace    communication                                                 \ndescription  all known techniques for sending data to a potential C2 server\nscope        function                                                      \nmatches      0x47C394                                                      \n             0x4814F1                                                      \n             0x481F24                                                      \n\nreceive and write data from server to client\nnamespace  communication/c2/file-transfer\nscope      function                      \nmatches    0x47CD62                      \n\nresolve DNS (3 matches)\nnamespace  communication/dns\nscope      function         \nmatches    0x46DD45         \n           0x480482         \n           0x481288         \n\nconnect network resource\nnamespace    communication/http               \ndescription  connect to disk or print resource\nscope        function                         \nmatches      0x4605C7                         \n\nparse URL\nnamespace  communication/http\nscope      basic block       \nmatches    0x47D012          \n\nconnect to HTTP server (2 matches)\nnamespace  communication/http/client\nscope      function                 \nmatches    0x47C061                 \n           0x47C394                 \n\nconnect to URL\nnamespace  communication/http/client\nscope      instruction              \nmatches    0x47C190                 \n\ncreate HTTP request\nnamespace  communication/http/client\nscope      function                 \nmatches    0x47CC3C                 \n\nread data 
from Internet (2 matches)\nnamespace  communication/http/client\nscope      function                 \nmatches    0x47CD62                 \n           0x47CE38                 \n\nsend HTTP request\nnamespace  communication/http/client\nscope      function                 \nmatches    0x47C394                 \n\nsend ICMP echo request\nnamespace  communication/icmp\nscope      function          \nmatches    0x480482          \n\ncreate pipe (2 matches)\nnamespace  communication/named-pipe/create\nscope      function                       \nmatches    0x4703F0                       \n           0x4704C5                       \n\nconnect socket\nnamespace    communication/socket                                               \ndescription  Detects socket connection attempts using common APIs or ConnectEx  \n             setup.                                                             \nscope        basic block                                                        \nmatches      0x4810AF                                                           \n\nget socket status\nnamespace  communication/socket\nscope      function            \nmatches    0x483070            \n\ninitialize Winsock library (3 matches)\nnamespace  communication/socket\nscope      function            \nmatches    0x46DD45            \n           0x480482            \n           0x4815DA            \n\nset socket configuration (3 matches)\nnamespace  communication/socket\nscope      function            \nmatches    0x480482            \n           0x4819FD            \n           0x482F75            \n\nreceive data on socket (2 matches)\nnamespace  communication/socket/receive\nscope      function                    \nmatches    0x48135A                    \n           0x481B87                    \n\nsend data on socket (2 matches)\nnamespace  communication/socket/send\nscope      function                 \nmatches    0x4814F1                 \n           0x481F24                 \n\nconnect TCP 
socket\nnamespace  communication/socket/tcp\nscope      function                \nmatches    0x480FDF                \n\ncreate TCP socket (2 matches)\nnamespace  communication/socket/tcp\nscope      basic block             \nmatches    0x481033                \n           0x481197                \n\ncreate UDP socket (2 matches)\nnamespace  communication/socket/udp/send\nscope      basic block                  \nmatches    0x48177E                     \n           0x4819FD                     \n\nact as TCP client\nnamespace  communication/tcp/client\nscope      function                \nmatches    0x480FDF                \n\ncompiled with AutoIt\nnamespace  compiler/autoit\nscope      file           \n\nhash data with CRC32\nnamespace  data-manipulation/checksum/crc32\nscope      function                        \nmatches    0x4823E8                        \n\nencode data using Base64\nnamespace  data-manipulation/encoding/base64\nscope      function                         \nmatches    0x41BEAD                         \n\nencode data using XOR (7 matches)\nnamespace  data-manipulation/encoding/xor\nscope      basic block                   \nmatches    0x4695EE                      \n           0x471F30                      \n           0x471F9C                      \n           0x471FD6                      \n           0x47284B                      \n           0x472ABF                      \n           0x47D73F                      \n\nhash data using djb2\nnamespace  data-manipulation/hashing/djb2\nscope      function                      \nmatches    0x408273                      \n\nauthenticate HMAC\nnamespace  data-manipulation/hmac\nscope      function              \nmatches    0x41BEAD              \n\ngenerate random numbers using a Mersenne Twister (4 matches)\nnamespace  data-manipulation/prng/mersenne\nscope      function                       \nmatches    0x471E7A                       \n           0x471EC0                       \n           
0x471F24                       \n           0x471F64                       \n\nextract resource via kernel32 functions\nnamespace  executable/resource\nscope      function           \nmatches    0x406122           \n\nlist drag and drop files\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x47EA26                  \n\nopen clipboard (2 matches)\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x47EA26                  \n           0x47EC91                  \n\nread clipboard data\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x47EA26                  \n\nwrite clipboard data\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x47EC91                  \n\ninteract with driver via IOCTL (4 matches)\nnamespace  host-interaction/driver\nscope      instruction            \nmatches    0x46D563               \n           0x46D5DD               \n           0x46D690               \n           0x473D73               \n\nget COMSPEC environment variable\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x41D70E                             \n\nquery environment variable (3 matches)\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x41D70E                             \n           0x47EE14                             \n           0x487559                             \n\nset environment variable (2 matches)\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x43D170                             \n           0x47EE84                             \n\nget common file path (9 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x40445D                    \n           0x41D70E              
      \n           0x41F962                    \n           0x46DE45                    \n           0x472F35                    \n           0x4779B4                    \n           0x477D0E                    \n           0x4780B3                    \n           0x48AF20                    \n\nset current directory (7 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x40445D                    \n           0x40AD7C                    \n           0x4753D4                    \n           0x477D0E                    \n           0x4780B3                    \n           0x479560                    \n           0x4796BB                    \n\ncopy file (3 matches)\nnamespace  host-interaction/file-system/copy\nscope      function                         \nmatches    0x46CE1E                         \n           0x46D1BA                         \n           0x472865                         \n\ncreate directory (2 matches)\nnamespace  host-interaction/file-system/create\nscope      function                           \nmatches    0x46D1DF                           \n           0x473C3C                           \n\ndelete directory (2 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    0x46E77B                           \n           0x473C3C                           \n\ndelete file (6 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    0x46CF94                           \n           0x46D2C7                           \n           0x46E77B                           \n           0x472865                           \n           0x4755F7                           \n           0x4778BA                           \n\ncheck if file exists (3 matches)\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    0x46D1DF                           \n     
      0x46DADC                           \n           0x46E0B7                           \n\nenumerate files on Windows (6 matches)\nnamespace  host-interaction/file-system/files/list\nscope      function                               \nmatches    0x46CF94                               \n           0x46D2C7                               \n           0x475BB5                               \n           0x479560                               \n           0x4796BB                               \n           0x479A49                               \n\nenumerate files recursively (3 matches)\nnamespace  host-interaction/file-system/files/list\nscope      function                               \nmatches    0x479560                               \n           0x4796BB                               \n           0x479A49                               \n\nget file attributes (5 matches)\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    0x46D1DF                         \n           0x46DAFA                         \n           0x46E0B7                         \n           0x477F04                         \n           0x4795B8                         \n\nget file size (2 matches)\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    0x482A05                         \n           0x498461                         \n\nget file version info\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    0x46DB2C                         \n\nset file attributes (2 matches)\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    0x477F04                         \n           0x4795B8                         \n\nmove file (3 matches)\nnamespace  host-interaction/file-system/move\nscope      function                         \nmatches    0x46CE1E                         \n           0x46CF94              
           \n           0x46E319                         \n\nread .ini file (4 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x4783FD                         \n           0x4784BF                         \n           0x4787FC                         \n           0x478A19                         \n\nread file on Windows (9 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x406A95                         \n           0x40B230                         \n           0x40B3B0                         \n           0x43921B                         \n           0x47070D                         \n           0x472475                         \n           0x4725B1                         \n           0x482A05                         \n           0x498461                         \n\nclear file content\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    0x477FD5                          \n\nwrite file on Windows (7 matches)\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    0x41F5B3                          \n           0x46CC1D                          \n           0x470633                          \n           0x4725F5                          \n           0x472642                          \n           0x472865                          \n           0x47CD62                          \n\nenumerate gui resources\nnamespace  host-interaction/gui\nscope      function            \nmatches    0x464144            \n\nfind taskbar (3 matches)\nnamespace  host-interaction/gui/taskbar/find\nscope      basic block                      \nmatches    0x41EFCE                         \n           0x492255                         \n           0x492289                         \n\nfind graphical window (4 matches)\nnamespace  
host-interaction/gui/window/find\nscope      instruction                     \nmatches    0x41EFD4                        \n           0x46E645                        \n           0x49225F                        \n           0x49229F                        \n\nget graphical window text (11 matches)\nnamespace  host-interaction/gui/window/get-text\nscope      function                            \nmatches    0x461A70                            \n           0x46359E                            \n           0x463B0C                            \n           0x46489C                            \n           0x464BD3                            \n           0x465B9A                            \n           0x47E8F7                            \n           0x491E0D                            \n           0x4947A8                            \n           0x496FA4                            \n           0x4972B7                            \n\nhide graphical window (8 matches)\nnamespace  host-interaction/gui/window/hide\nscope      basic block                     \nmatches    0x45F0F9                        \n           0x4827C2                        \n           0x49015D                        \n           0x4950F2                        \n           0x496B61                        \n           0x49813A                        \n           0x4981BF                        \n           0x49A198                        \n\nget keyboard layout\nnamespace  host-interaction/hardware/keyboard\nscope      function                          \nmatches    0x41D70E                          \n\nget memory capacity\nnamespace  host-interaction/hardware/memory\nscope      function                        \nmatches    0x41F370                        \n\nget disk information (6 matches)\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x473D97                         \n           0x4743DE                         \n           0x474776              
           \n           0x474844                         \n           0x474912                         \n           0x4749FD                         \n\nget disk size (3 matches)\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x4750EB                         \n           0x4751CE                         \n           0x4752B1                         \n\nget storage device properties (2 matches)\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x46D509                         \n           0x46D588                         \n\nprint debug messages\nnamespace  host-interaction/log/debug/write-event\nscope      function                              \nmatches    0x41F5B3                              \n\nshutdown system\nnamespace  host-interaction/os\nscope      function           \nmatches    0x46E814           \n\nget hostname (2 matches)\nnamespace  host-interaction/os/hostname\nscope      function                    \nmatches    0x41D70E                    \n           0x46DD45                    \n\nget system information on Windows\nnamespace  host-interaction/os/info\nscope      function                \nmatches    0x40615E                \n\ncreate process on Windows (6 matches)\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    0x4437E0                       \n           0x46134A                       \n           0x461472                       \n           0x48AD7A                       \n           0x48B2C1                       \n           0x498064                       \n\nallocate or change RWX memory\nnamespace  host-interaction/process/inject\nscope      basic block                    \nmatches    0x489881                       \n\nenumerate processes (2 matches)\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    0x46D3FA                     \n          
 0x48A5A3                     \n\nacquire debug privileges\nnamespace  host-interaction/process/modify\nscope      basic block                    \nmatches    0x48A0B6                       \n\nmodify access privileges (2 matches)\nnamespace  host-interaction/process/modify\nscope      instruction                    \nmatches    0x461018                       \n           0x46167E                       \n\nterminate process (3 matches)\nnamespace  host-interaction/process/terminate\nscope      function                          \nmatches    0x46EA3E                          \n           0x487E80                          \n           0x48A009                          \n\nempty the recycle bin\nnamespace  host-interaction/recycle-bin\nscope      function                    \nmatches    0x477953                    \n\nquery or enumerate registry key (2 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    0x48B8F0                 \n           0x48CB5B                 \n\nquery or enumerate registry value (5 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    0x40533E                 \n           0x4059A7                 \n           0x4605C7                 \n           0x48BB02                 \n           0x48BD6B                 \n\nset registry value\nnamespace  host-interaction/registry/create\nscope      function                        \nmatches    0x48C2DE                        \n\ndelete registry key (2 matches)\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    0x48B535                        \n           0x48CB5B                        \n\ndelete registry value\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    0x48B535                        \n\nget session user name\nnamespace  host-interaction/session\nscope      function                \nmatches    0x41D70E            
    \n\nget token membership\nnamespace  host-interaction/session\nscope      function                \nmatches    0x4615A7                \n\nget token privileges\nnamespace  host-interaction/session\nscope      function                \nmatches    0x460F58                \n\ncreate thread (5 matches)\nnamespace  host-interaction/thread/create\nscope      basic block                   \nmatches    0x461747                      \n           0x46E114                      \n           0x470870                      \n           0x470870                      \n           0x47D13B                      \n\nterminate thread\nnamespace  host-interaction/thread/terminate\nscope      basic block                      \nmatches    0x4708A6                         \n\nimpersonate user\nnamespace  host-interaction/user\nscope      function             \nmatches    0x461145             \n\nlink function at runtime on Windows (13 matches)\nnamespace  linking/runtime-linking\nscope      instruction            \nmatches    0x4062E6               \n           0x406816               \n           0x406850               \n           0x45DB5B               \n           0x432FC7               \n           0x432FC7               \n           0x4671A3               \n           0x483FF4               \n           0x488EF7               \n           0x488F13               \n           0x488F59               \n           0x48B82B               \n           0x48CBF6               \n\nparse PE header\nnamespace  load-code/pe\nscope      function    \nmatches    0x40B7E0    \n\nresolve function by parsing PE exports (15 matches)\nnamespace  load-code/pe\nscope      function    \nmatches    0x401641    \n           0x408BAA    \n           0x4095C0    \n           0x40A180    \n           0x40AD7C    \n           0x40D840    \n           0x410540    \n           0x41BEAD    \n           0x466502    \n           0x4681EE    \n           0x4763AC    \n           0x476E0F    \n           0x47902A    
\n           0x487E80    \n           0x490F26    \n\nexecute shellcode via indirect call\nnamespace  load-code/shellcode\nscope      function           \nmatches    0x4895BB           \n\ncreate shortcut via IShellLink (2 matches)\nnamespace  persistence\nscope      function   \nmatches    0x47573C   \n           0x4763AC   \n\n\n\n","very_verbose":"md5                     9743b958d41813a0a3f62920f90a25c8                        \nsha1                    fec4f7eea0ac8e7935081d865a2f8fee6839641b                \nsha256                  c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227bd5afe…\npath                    /home/apogean/projects/malware/windows/all_runs/5.exe   \ntimestamp               2026-04-28 23:57:35.514184                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEIu2dCxA/rules                                   \nfunction count          2043                                                    \nlibrary function count  714                                                     \ntotal feature count     119213                                                  \n\nallocate memory (2 matches, only showing first match of library rule)\nauthor  0x534a@mailbox.org, @mr-tz     \nscope   basic block                    \nmbc     Memory::Allocate Memory [C0007]\nbasic block @ 0x46B26C in function 0x46B248\n  or:\n    api: VirtualAllocEx @ 0x46B299\n\nallocate or change RW memory (library 
rule)\nauthor  0x534a@mailbox.org, @mr-tz     \nscope   basic block                    \nmbc     Memory::Allocate Memory [C0007]\nbasic block @ 0x46B26C in function 0x46B248\n  and:\n    or:\n      match: allocate memory @ 0x46B26C\n        or:\n          api: VirtualAllocEx @ 0x46B299\n    or:\n      number: 0x4 = PAGE_READWRITE @ 0x46B289\n\ncalculate modulo 256 via x86 assembly (9 matches, only showing first match of \nlibrary rule)\nauthor  moritz.raabe@mandiant.com\nscope   instruction              \nmbc     Data::Modulo [C0058]     \ninstruction @ 0x436DAA\n  and:\n    or:\n      arch: i386\n    mnemonic: and @ 0x436DAA\n    or:\n      number: 0xFF @ 0x436DAA\n\ncontain loop (489 matches, only showing first match of library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ 0x401202\n  or:\n    characteristic: loop @ 0x401202\n\ncreate or open file (13 matches, only showing first match of library rule)\nauthor  michael.hunhoff@mandiant.com, joakim@intezer.com\nscope   instruction                                     \nmbc     File System::Create File [C0016]                \ninstruction @ 0x407113\n  or:\n    api: CreateFile @ 0x407113\n\ncreate or open registry key (9 matches, only showing first match of library \nrule)\nauthor  michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope   basic block                                                             \nmbc     Operating System::Registry::Create Registry Key [C0036.004], Operating  \n        System::Registry::Open Registry Key [C0036.003]                         \nbasic block @ 0x40533E in function 0x40533E\n  or:\n    api: RegOpenKeyEx @ 0x40545B\n\ndelay execution (37 matches, only showing first match of library rule)\nauthor      michael.hunhoff@mandiant.com, @ramen0x3f                            \nscope       basic block                                                         \nmbc         Anti-Behavioral Analysis::Dynamic Analysis 
Evasion::Delayed         \n            Execution [B0003.003]                                               \nreferences  https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions, \n            https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/T…\nbasic block @ 0x40F4AF in function 0x40F060\n  or:\n    and:\n      os: windows\n      or:\n        api: Sleep @ 0x40F4B1\n\nget OS version (library rule)\nauthor  @mr-tz  \nscope   function\nfunction @ 0x40615E\n  or:\n    api: GetVersionEx @ 0x40618D\n\nopen process (7 matches, only showing first match of library rule)\nauthor  0x534a@mailbox.org           \nscope   basic block                  \nmbc     Process::Open Process [C0065]\nbasic block @ 0x46B26C in function 0x46B248\n  or:\n    api: OpenProcess @ 0x46B283\n\nwrite process memory (library rule)\nauthor  moritz.raabe@mandiant.com                 \nscope   instruction                               \natt&ck  Defense Evasion::Process Injection [T1055]\ninstruction @ 0x46B34B\n  or:\n    api: WriteProcessMemory @ 0x46B34B\n\ncheck for time delay via QueryPerformanceCounter (4 matches)\nnamespace  anti-analysis/anti-debugging/debugger-detection                      \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \nmbc        Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check     \n           QueryPerformanceCounter [B0001.033]                                  \nfunction @ 0x469B67\n  and:\n    count(api(QueryPerformanceCounter)): 2 or more @ 0x46AFE2, 0x46B011\nfunction @ 0x469B7E\n  and:\n    count(api(QueryPerformanceCounter)): 2 or more @ 0x46AFE2, 0x46B011\nfunction @ 0x46AFC6\n  and:\n    count(api(QueryPerformanceCounter)): 2 or more @ 0x46AFE2, 0x46B011\nfunction @ 0x46E899\n  and:\n    count(api(QueryPerformanceCounter)): 2 or more @ 0x46E8B5, 0x46E8D5\n\ncheck for unmoving mouse cursor (2 
matches)\nnamespace   anti-analysis/anti-vm/vm-detection                                  \nauthor      BitsOfBinary                                                        \nscope       function                                                            \natt&ck      Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based\n            Checks [T1497.002]                                                  \nmbc         Anti-Behavioral Analysis::Virtual Machine Detection::Human User     \n            Check [B0009.012]                                                   \nreferences  https://www.joesecurity.org/blog/5852460122427342172                \nfunction @ 0x498EBB\n  and:\n    count(api(GetCursorPos)): 2 or more @ 0x498EF3, 0x498F50\nfunction @ 0x499468\n  and:\n    count(api(GetCursorPos)): 2 or more @ 0x49990B, 0x499A5A\n\nlog keystrokes (9 matches)\nnamespace  collection/keylog                                \nauthor     moritz.raabe@mandiant.com                        \nscope      function                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]\nfunction @ 0x4034CE\n  or:\n    api: MapVirtualKey @ 0x4034FF, 0x403507, 0x403512, 0x40351D, and 2 more...\nfunction @ 0x41EFAD\n  or:\n    api: AttachThreadInput @ 0x41F029, 0x41F031, 0x41F039, 0x41F0AD, and 2 more...\n    api: MapVirtualKey @ 0x41F055, 0x41F06A, 0x41F078, 0x41F087\nfunction @ 0x4624E6\n  or:\n    api: MapVirtualKey @ 0x462501, 0x46252D, 0x462553\nfunction @ 0x462CEB\n  or:\n    api: AttachThreadInput @ 0x462D28\nfunction @ 0x463985\n  or:\n    api: AttachThreadInput @ 0x4639AD\nfunction @ 0x46A90B\n  or:\n    api: MapVirtualKey @ 0x46A93A, 0x46A956\nfunction @ 0x46B04D\n  or:\n    api: AttachThreadInput @ 0x46B099, 0x46B0C4, 0x46B0D6, 0x46B11B, and 2 more...\nfunction @ 0x46B198\n  or:\n    api: MapVirtualKey @ 0x46B1CD\nfunction @ 0x46B1FD\n  or:\n    api: MapVirtualKey @ 0x46B21B\n\nlog keystrokes via polling (11 matches)\nnamespace  
collection/keylog                                \nauthor     michael.hunhoff@mandiant.com                     \nscope      function                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]\nmbc        Collection::Keylogging::Polling [F0002.002]      \nfunction @ 0x4028C0\n  or:\n    api: VkKeyScan @ 0x442F79, 0x442F89, 0x442FD2\nfunction @ 0x41EA9A\n  or:\n    api: GetAsyncKeyState @ 0x41EB02, 0x41EB1C\nfunction @ 0x469B97\n  or:\n    api: GetAsyncKeyState @ 0x469C40, 0x469C75, 0x469CA2, 0x469CCC, and 1 more...\n    api: GetKeyState @ 0x469C5B, 0x469C8A, 0x469CB4, 0x469CDE, and 1 more...\n    api: GetKeyboardState @ 0x469BBF\nfunction @ 0x469EAF\n  or:\n    api: GetAsyncKeyState @ 0x469FBB, 0x46A001, 0x46A03E, 0x46A075, and 1 more...\n    api: GetKeyState @ 0x469FD2, 0x46A012, 0x46A04C, 0x46A083, and 1 more...\n    api: GetKeyboardState @ 0x469F30\nfunction @ 0x46A90B\n  or:\n    api: GetKeyState @ 0x46A91B\nfunction @ 0x46A975\n  or:\n    api: GetKeyboardState @ 0x46A9CA\nfunction @ 0x46AABA\n  or:\n    api: GetKeyboardState @ 0x46AB0F\nfunction @ 0x46ABF8\n  or:\n    api: GetKeyboardState @ 0x46AC4C\nfunction @ 0x46ADD8\n  or:\n    api: GetKeyboardState @ 0x46AE2C\nfunction @ 0x46B198\n  or:\n    api: VkKeyScan @ 0x46B1B0\nfunction @ 0x499468\n  or:\n    api: GetKeyState @ 0x49967D, 0x49968A, 0x4996AA\n\ncapture screenshot\nnamespace  collection/screenshot                                            \nauthor     moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com\nscope      function                                                         \natt&ck     Collection::Screen Capture [T1113]                               \nmbc        Collection::Screen Capture::WinAPI [E1113.m01]                   \nfunction @ 0x482483\n  or:\n    and:\n      or:\n        api: GetDC @ 0x4824FF\n      or:\n        api: GetDIBits @ 0x4825D3, 0x4825F7\n      api: CreateCompatibleDC @ 0x48251B\n      api: CreateCompatibleBitmap @ 
0x48250F\n\nquery remote server for available data\nnamespace  communication               \nauthor     michael.hunhoff@mandiant.com\nscope      basic block                 \nbasic block @ 0x47CE38 in function 0x47CE38\n  or:\n    api: InternetQueryDataAvailable @ 0x47CE56\n\nreceive data (4 matches)\nnamespace    communication                                                     \nauthor       william.ballenthin@mandiant.com                                   \nscope        function                                                          \nmbc          Command and Control::C2 Communication::Receive Data [B0030.002]   \ndescription  all known techniques for receiving data from a potential C2 server\nfunction @ 0x47CD62\n  or:\n    match: read data from Internet @ 0x47CD62\n      and:\n        or:\n          api: InternetReadFile @ 0x47CDA7\nfunction @ 0x47CE38\n  or:\n    match: read data from Internet @ 0x47CE38\n      and:\n        or:\n          api: InternetReadFile @ 0x47CE8D\nfunction @ 0x48135A\n  or:\n    match: receive data on socket @ 0x48135A\n      or:\n        api: recv @ 0x481403\nfunction @ 0x481B87\n  or:\n    match: receive data on socket @ 0x481B87\n      or:\n        api: recvfrom @ 0x481D08\n\nsend data (3 matches)\nnamespace    communication                                                 \nauthor       william.ballenthin@mandiant.com, joakim@intezer.com           \nscope        function                                                      \nmbc          Command and Control::C2 Communication::Send Data [B0030.001]  \ndescription  all known techniques for sending data to a potential C2 server\nfunction @ 0x47C394\n  or:\n    and:\n      os: windows\n      or:\n        match: send HTTP request @ 0x47C394\n          or:\n            and:\n              or:\n                api: HttpOpenRequest @ 0x47C40E\n                api: InternetConnect @ 0x47C3CE\n              or:\n                api: HttpSendRequest @ 0x47C472\nfunction @ 0x4814F1\n  or:\n 
   and:\n      os: windows\n      or:\n        match: send data on socket @ 0x4814F1\n          or:\n            api: send @ 0x481525\nfunction @ 0x481F24\n  or:\n    and:\n      os: windows\n      or:\n        match: send data on socket @ 0x481F24\n          or:\n            api: sendto @ 0x482063\n\ndownload and write a file\nnamespace              communication/c2/file-transfer                           \nmaec/malware-category  downloader                                               \nauthor                 moritz.raabe@mandiant.com                                \nscope                  function                                                 \natt&ck                 Command and Control::Ingress Tool Transfer [T1105]       \nmbc                    Command and Control::C2 Communication::Server to Client  \n                       File Transfer [B0030.003]                                \nfunction @ 0x47CD62\n  and:\n    match: receive data @ 0x47CD62\n      or:\n        match: read data from Internet @ 0x47CD62\n          and:\n            or:\n              api: InternetReadFile @ 0x47CDA7\n    match: host-interaction/file-system/write @ 0x47CD62\n      or:\n        and:\n          os: windows\n          or:\n            api: _fwrite @ 0x47CDC3\n            api: fwrite @ 0x47CDC3\n\nreceive and write data from server to client\nnamespace  communication/c2/file-transfer \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ 0x47CD62\n  and:\n    match: receive data @ 0x47CD62\n      or:\n        match: read data from Internet @ 0x47CD62\n          and:\n            or:\n              api: InternetReadFile @ 0x47CDA7\n    match: host-interaction/file-system/write @ 0x47CD62\n      or:\n        and:\n          os: windows\n          or:\n            api: _fwrite @ 0x47CDC3\n            api: fwrite @ 0x47CDC3\n\nresolve DNS (3 matches)\nnamespace  communication/dns                                                    
\nauthor     william.ballenthin@mandiant.com, johnk3r, joakim@intezer.com,        \n           michael.hunhoff@mandiant.com                                         \nscope      function                                                             \nmbc        Communication::DNS Communication::Resolve [C0011.001]                \nfunction @ 0x46DD45\n  or:\n    api: gethostbyname @ 0x46DD87\nfunction @ 0x480482\n  or:\n    api: gethostbyname @ 0x48054F\nfunction @ 0x481288\n  or:\n    api: gethostbyname @ 0x4812B7\n\nconnect network resource\nnamespace    communication/http               \nauthor       michael.hunhoff@mandiant.com     \nscope        function                         \ndescription  connect to disk or print resource\nfunction @ 0x4605C7\n  and:\n    or:\n      api: WNetAddConnection2 @ 0x46068B\n\nparse URL\nnamespace  communication/http          \nauthor     michael.hunhoff@mandiant.com\nscope      basic block                 \nbasic block @ 0x47D012 in function 0x47D012\n  or:\n    api: InternetCrackUrl @ 0x47D058\n\nconnect to HTTP server (2 matches)\nnamespace  communication/http/client                                       \nauthor     michael.hunhoff@mandiant.com                                    \nscope      function                                                        \nmbc        Communication::HTTP Communication::Connect to Server [C0002.009]\nfunction @ 0x47C061\n  and:\n    api: InternetConnect @ 0x47C0A0\nfunction @ 0x47C394\n  and:\n    api: InternetConnect @ 0x47C3CE\n\nconnect to URL\nnamespace  communication/http/client                              \nauthor     michael.hunhoff@mandiant.com                           \nscope      instruction                                            \nmbc        Communication::HTTP Communication::Open URL [C0002.004]\ninstruction @ 0x47C190\n  and:\n    api: InternetOpenUrl @ 0x47C190\n\ncreate HTTP request\nnamespace  communication/http/client                                    \nauthor     
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Create Request [C0002.012]\nfunction @ 0x47CC3C\n  and:\n    or:\n      api: InternetOpen @ 0x47CC9B\n\nread data from Internet (2 matches)\nnamespace  communication/http/client                                    \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Get Response [C0002.017]  \nfunction @ 0x47CD62\n  and:\n    or:\n      api: InternetReadFile @ 0x47CDA7\nfunction @ 0x47CE38\n  and:\n    or:\n      api: InternetReadFile @ 0x47CE8D\n\nsend HTTP request\nnamespace  communication/http/client                                  \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com    \nscope      function                                                   \nmbc        Communication::HTTP Communication::Send Request [C0002.003]\nfunction @ 0x47C394\n  or:\n    and:\n      or:\n        api: HttpOpenRequest @ 0x47C40E\n        api: InternetConnect @ 0x47C3CE\n      or:\n        api: HttpSendRequest @ 0x47C472\n\nsend ICMP echo request\nnamespace   communication/icmp                                         \nauthor      michael.hunhoff@mandiant.com                               \nscope       function                                                   \nmbc         Communication::ICMP Communication::Echo Request [C0014.002]\nreferences  https://docs.microsoft.com/en-us/windows/win32/api/icmpapi/\nfunction @ 0x480482\n  and:\n    or:\n      api: IcmpSendEcho @ 0x4805ED, 0x48060C\n    optional:\n      or:\n        api: IcmpCreateFile @ 0x48055D\n      api: IcmpCloseHandle @ 0x4806E0\n\ncreate pipe (2 matches)\nnamespace  communication/named-pipe/create                                   \nauthor     moritz.raabe@mandiant.com, 
michael.hunhoff@mandiant.com           \nscope      function                                                          \nmbc        Communication::Interprocess Communication::Create Pipe [C0003.001]\nfunction @ 0x4703F0\n  or:\n    api: CreatePipe @ 0x47044C\nfunction @ 0x4704C5\n  or:\n    api: CreatePipe @ 0x47051F\n\nconnect socket\nnamespace    communication/socket                                               \nauthor       moritz.raabe@mandiant.com, joakim@intezer.com,                     \n             mrhafizfarhad@gmail.com                                            \nscope        basic block                                                        \ndescription  Detects socket connection attempts using common APIs or ConnectEx  \n             setup.                                                             \nbasic block @ 0x4810AF in function 0x480FDF\n  or:\n    api: connect @ 0x4810B6\n\nget socket status\nnamespace  communication/socket                                              \nauthor     michael.hunhoff@mandiant.com                                      \nscope      function                                                          \natt&ck     Discovery::System Network Configuration Discovery [T1016]         \nmbc        Communication::Socket Communication::Get Socket Status [C0001.012]\nfunction @ 0x483070\n  or:\n    api: select @ 0x4830BC\n\ninitialize Winsock library (3 matches)\nnamespace  communication/socket                                                 \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \nmbc        Communication::Socket Communication::Initialize Winsock Library      \n           [C0001.009]                                                          \nfunction @ 0x46DD45\n  or:\n    api: WSAStartup @ 0x46DD60\nfunction @ 0x480482\n  or:\n    api: WSAStartup @ 0x4804E3\nfunction @ 0x4815DA\n  or:\n    api: 
WSAStartup @ 0x4815F5\n\nset socket configuration (3 matches)\nnamespace  communication/socket                                              \nauthor     michael.hunhoff@mandiant.com                                      \nscope      function                                                          \nmbc        Communication::Socket Communication::Set Socket Config [C0001.001]\nfunction @ 0x480482\n  or:\n    api: ioctlsocket @ 0x480543\nfunction @ 0x4819FD\n  or:\n    api: setsockopt @ 0x481AB1\nfunction @ 0x482F75\n  or:\n    api: ioctlsocket @ 0x482FA1\n\nreceive data on socket (2 matches)\nnamespace  communication/socket/receive                                         \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           michael.hunhoff@mandiant.com                                         \nscope      function                                                             \nmbc        Communication::Socket Communication::Receive Data [C0001.006]        \nfunction @ 0x48135A\n  or:\n    api: recv @ 0x481403\nfunction @ 0x481B87\n  or:\n    api: recvfrom @ 0x481D08\n\nsend data on socket (2 matches)\nnamespace  communication/socket/send                                            \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Communication::Socket Communication::Send Data [C0001.007]           \nfunction @ 0x4814F1\n  or:\n    api: send @ 0x481525\nfunction @ 0x481F24\n  or:\n    api: sendto @ 0x482063\n\nconnect TCP socket\nnamespace  communication/socket/tcp                                             \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           mrhafizfarhad@gmail.com                                              \nscope      function                                     
                        \nmbc        Communication::Socket Communication::Connect Socket [C0001.004]      \nfunction @ 0x480FDF\n  and:\n    match: create TCP socket @ 0x481033\n      or:\n        and:\n          or:\n            number: 0x6 = IPPROTO_TCP @ 0x481033\n          number: 0x1 = SOCK_STREAM @ 0x481035\n          number: 0x2 = AF_INET @ 0x481037\n          or:\n            api: socket @ 0x481039\n    match: connect socket @ 0x4810AF\n      or:\n        api: connect @ 0x4810B6\n\ncreate TCP socket (2 matches)\nnamespace   communication/socket/tcp                                            \nauthor      william.ballenthin@mandiant.com, joakim@intezer.com,                \n            anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com       \nscope       basic block                                                         \nmbc         Communication::Socket Communication::Create TCP Socket [C0001.011]  \nreferences  https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-win…\n            https://man7.org/linux/man-pages/man2/socket.2.html                 \nbasic block @ 0x481033 in function 0x480FDF\n  or:\n    and:\n      or:\n        number: 0x6 = IPPROTO_TCP @ 0x481033\n      number: 0x1 = SOCK_STREAM @ 0x481035\n      number: 0x2 = AF_INET @ 0x481037\n      or:\n        api: socket @ 0x481039\nbasic block @ 0x481197 in function 0x48112B\n  or:\n    and:\n      or:\n        number: 0x6 = IPPROTO_TCP @ 0x481197\n      number: 0x1 = SOCK_STREAM @ 0x481199\n      number: 0x2 = AF_INET @ 0x48119B\n      or:\n        api: socket @ 0x48119D\n\ncreate UDP socket (2 matches)\nnamespace   communication/socket/udp/send                                       \nauthor      moritz.raabe@mandiant.com, joakim@intezer.com,                      \n            michael.hunhoff@mandiant.com                                        \nscope       basic block                                                         \nmbc         Communication::Socket 
Communication::Create UDP Socket [C0001.010]  \nreferences  https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-win…\n            https://man7.org/linux/man-pages/man2/socket.2.html                 \nbasic block @ 0x48177E in function 0x48172D\n  or:\n    and:\n      number: 0x2 = AF_INET @ 0x481780, 0x481782\n      or:\n        number: 0x11 = IPPROTO_UDP @ 0x48177E\n      or:\n        api: socket @ 0x481784\nbasic block @ 0x4819FD in function 0x4819FD\n  or:\n    and:\n      number: 0x2 = AF_INET @ 0x481A20, 0x481A22\n      or:\n        number: 0x11 = IPPROTO_UDP @ 0x481A1E\n      or:\n        api: socket @ 0x481A24\n\nact as TCP client\nnamespace  communication/tcp/client                                     \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                                     \nmbc        Communication::Socket Communication::TCP Client [C0001.008]  \nfunction @ 0x480FDF\n  or:\n    match: connect TCP socket @ 0x480FDF\n      and:\n        match: create TCP socket @ 0x481033\n          or:\n            and:\n              or:\n                number: 0x6 = IPPROTO_TCP @ 0x481033\n              number: 0x1 = SOCK_STREAM @ 0x481035\n              number: 0x2 = AF_INET @ 0x481037\n              or:\n                api: socket @ 0x481039\n        match: connect socket @ 0x4810AF\n          or:\n            api: connect @ 0x4810B6\n\ncompiled with AutoIt\nnamespace   compiler/autoit                                                     \nauthor      william.ballenthin@mandiant.com                                     \nscope       file                                                                \natt&ck      Execution::Command and Scripting Interpreter [T1059]                \nreferences  https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malwar…\nor:\n  string: \"AutoIt Error\" @ file+0xD5910\n  string: \">>>AUTOIT NO CMDEXECUTE<<<\" @ file+0x9BF64\n  string: 
\"#requireadmin\" @ file+0x9EB28\n  string: \"#OnAutoItStartRegister\" @ file+0x9EAD8\n  substring: >>>AUTOIT SCRIPT<<<\n    - \">>>AUTOIT SCRIPT<<<\" @ file+0xC5640\n\nhash data with CRC32\nnamespace  data-manipulation/checksum/crc32 \nauthor     moritz.raabe@mandiant.com        \nscope      function                         \nmbc        Data::Checksum::CRC32 [C0032.001]\nfunction @ 0x4823E8\n  or:\n    bytes: 00000000963007772c610eeeba51099919c46d078ff46a7035a563e9a395649e = crc32_tab @ 0x48242B, 0x48243F, 0x48244E\n\nencode data using Base64\nnamespace  data-manipulation/encoding/base64                                    \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com,          \n           michael.hunhoff@mandiant.com                                         \nscope      function                                                             \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        Defense Evasion::Obfuscated Files or Information::Encoding-Standard  \n           Algorithm [E1027.m02], Data::Encode Data::Base64 [C0026.001]         \nfunction @ 0x41BEAD\n  or:\n    and:\n      mnemonic: shl @ 0x41C098, 0x45B1BE, 0x45B245, 0x45B424, and 3 more...\n      mnemonic: shr @ 0x41BEE6, 0x41C310, 0x41C500\n      number: 0x3F = modulo 64 @ 0x41C25B, 0x41C296, 0x41C3BA, 0x41C403, and 6 more...\n      or:\n        number: 0x3D = '=' @ 0x41C5C2, 0x459581, 0x45959D, 0x459A4A, and 4 more...\n      match: contain loop @ 0x41BEAD\n        or:\n          characteristic: loop @ 0x41BEAD\n          characteristic: tight loop @ 0x41C0D3, 0x45A209, 0x45A37A, 0x45AD30, and 12 more...\n      optional:\n        number: 0x2 @ 0x41C049, 0x41C14F, 0x41C310, 0x41C32B, and 152 more...\n        number: 0x3 @ 0x41C2DC, 0x459353, 0x459429, 0x459538, and 4 more...\n        number: 0x4 @ 0x41C2BC, 0x41CC04, 0x458FD9, 0x4591CC, and 24 more...\n        number: 0x6 @ 0x41C55C, 0x41C57C, 0x41C604, 0x4590F1, and 8 more...\n        
number: 0xF @ 0x41C91D, 0x41CBE2, 0x45A926, 0x45B30B, and 3 more...\n\nencode data using XOR (7 matches)\nnamespace  data-manipulation/encoding/xor                                       \nauthor     moritz.raabe@mandiant.com                                            \nscope      basic block                                                          \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        Defense Evasion::Obfuscated Files or Information::Encoding-Standard  \n           Algorithm [E1027.m02], Data::Encode Data::XOR [C0026.002]            \nbasic block @ 0x4695EE in function 0x46959C\n  and:\n    characteristic: tight loop @ 0x4695EE\n    characteristic: nzxor @ 0x4695EE\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x471F30 in function 0x471F24\n  and:\n    characteristic: tight loop @ 0x471F30\n    characteristic: nzxor @ 0x471F3C\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for 
unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x471F9C in function 0x471F64\n  and:\n    characteristic: tight loop @ 0x471F9C\n    characteristic: nzxor @ 0x471FA1, 0x471FAE, 0x471FBB, 0x471FBD\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x471FD6 in function 0x471F64\n  and:\n    characteristic: 
tight loop @ 0x471FD6\n    characteristic: nzxor @ 0x471FDB, 0x471FE3, 0x471FF7, 0x471FFB\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x47284B in function 0x47281C\n  and:\n    characteristic: tight loop @ 0x47284B\n    characteristic: nzxor @ 0x472858\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n         
 number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x472ABF in function 0x472865\n  and:\n    characteristic: tight loop @ 0x472ABF\n    characteristic: nzxor @ 0x472ACC\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x47D73F in function 0x47D71C\n  and:\n    characteristic: tight loop @ 0x47D73F\n    characteristic: nzxor @ 0x47D74A\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n     
     number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\n\nhash data using djb2\nnamespace   data-manipulation/hashing/djb2                                      \nauthor      awillia2@cisco.com, still@teamt5.org                                \nscope       function                                                            \nmbc         Data::Non-Cryptographic Hash::djb2 [C0030.006]                      \nreferences  https://twitter.com/r3c0nst/status/1392405576131436546,             \n            http://www.cse.yorku.ca/~oz/hash.html                               \nfunction @ 0x408273\n  and:\n    instruction:\n      and:\n        mnemonic: mov @ 0x408284\n        number: 0x1505 @ 0x408284\n    or:\n      instruction:\n        and:\n          number: 0x21 @ 0x408291\n          or:\n            mnemonic: imul @ 0x408291\n\nauthenticate HMAC\nnamespace   data-manipulation/hmac                                              \nauthor      moritz.raabe@mandiant.com                                           \nscope       function                                                            \nmbc         Cryptography::Hashed Message Authentication Code [C0061]            \nreferences  https://tools.ietf.org/html/rfc2104,                                \n            https://tools.ietf.org/html/rfc4634, https://github.com/ogay/hmac   \nfunction @ 0x41BEAD\n  and:\n    number: 0x36 = inner padding byte value @ 0x45A89F, 0x45BF8B\n    number: 0x5C = outer padding byte value @ 0x41C20E, 0x41C5D0, 0x41C691, 0x41C6A4, and 8 more...\n    match: contain loop @ 0x41BEAD\n      or:\n        characteristic: loop @ 0x41BEAD\n        characteristic: tight loop @ 0x41C0D3, 0x45A209, 0x45A37A, 0x45AD30, 
and 12 more...\n    count(characteristic(nzxor)): 2 or more @ 0x41BEFA, 0x41C50E\n    optional: = block size\n      number: 0x40 = MD5, SHA-1, SHA-224, or SHA-256 @ 0x45AA0A, 0x45AC60, 0x45B980\n      number: 0x80 = SHA-384 or SHA-512 @ 0x41C089, 0x41C9F5, 0x41CA50, 0x41CAC2, and 2 more...\n\ngenerate random numbers using a Mersenne Twister (4 matches)\nnamespace  data-manipulation/prng/mersenne                      \nauthor     moritz.raabe@mandiant.com                            \nscope      function                                             \nmbc        Cryptography::Generate Pseudo-random Sequence [C0021]\nfunction @ 0x471E7A\n  or:\n    number: 0xFF3A58AD @ 0x471EA0\nfunction @ 0x471EC0\n  or:\n    number: 0xFF3A58AD @ 0x471EEB\nfunction @ 0x471F24\n  or:\n    number: 0x6C078965 @ 0x471F3E\nfunction @ 0x471F64\n  or:\n    number: 0x9908B0DF @ 0x471FB6, 0x471FF2, 0x472029\n\nextract resource via kernel32 functions\nnamespace  executable/resource            \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ 0x406122\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x4442F5\n        api: LockResource @ 0x44431D\n      optional:\n        or:\n          api: FindResourceEx @ 0x406149\n        api: SizeofResource @ 0x44430A\n\nlist drag and drop files\nnamespace  host-interaction/clipboard        \nauthor     michael.hunhoff@mandiant.com      \nscope      function                          \natt&ck     Collection::Clipboard Data [T1115]\nfunction @ 0x47EA26\n  and:\n    api: DragQueryFile @ 0x47EB9E, 0x47EBBB, 0x47EBF9\n    and:\n      api: GetClipboardData @ 0x47EA6A, 0x47EAF8, 0x47EB6B\n      number: 0xF = HDROP @ 0x47EB5D, 0x47EB69\n\nopen clipboard (2 matches)\nnamespace  host-interaction/clipboard        \nauthor     michael.hunhoff@mandiant.com      \nscope      function                          \natt&ck     Collection::Clipboard Data [T1115]\nfunction @ 0x47EA26\n  and:\n    api: OpenClipboard @ 
0x47EA50\n    optional:\n      api: CloseClipboard @ 0x47EA76, 0x47EAB8, 0x47EAE9, 0x47EB58, and 2 more...\nfunction @ 0x47EC91\n  and:\n    api: OpenClipboard @ 0x47ECB8, 0x47ED76\n    optional:\n      api: CloseClipboard @ 0x47ECC4, 0x47EDCA\n\nread clipboard data\nnamespace   host-interaction/clipboard                                          \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Collection::Clipboard Data [T1115]                                  \nreferences  https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-…\nfunction @ 0x47EA26\n  and:\n    optional:\n      match: open clipboard @ 0x47EA26\n        and:\n          api: OpenClipboard @ 0x47EA50\n          optional:\n            api: CloseClipboard @ 0x47EA76, 0x47EAB8, 0x47EAE9, 0x47EB58, and 2 more...\n      match: contain loop @ 0x47EA26\n        or:\n          characteristic: tight loop @ 0x47EBAF\n      api: GlobalLock @ 0x47EAAE, 0x47EB09, 0x47EB7C\n      api: GlobalUnlock @ 0x47EAE3, 0x47EB49, 0x47EC1A\n    or:\n      basic block:\n        and:\n          api: GetClipboardData @ 0x47EA6A\n          optional:\n            number: 0xD = CF_UNICODETEXT @ 0x47EA68\n        and:\n          api: GetClipboardData @ 0x47EB6B\n        and:\n          api: GetClipboardData @ 0x47EAF8\n          optional:\n            number: 0x1 = CF_TEXT @ 0x47EAF6\n\nwrite clipboard data\nnamespace   host-interaction/clipboard                                          \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \nmbc         Impact::Clipboard Modification [E1510]                              \nreferences  https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-…\nfunction @ 0x47EC91\n  and:\n    optional:\n      match: open clipboard @ 0x47EC91\n 
       and:\n          api: OpenClipboard @ 0x47ECB8, 0x47ED76\n          optional:\n            api: CloseClipboard @ 0x47ECC4, 0x47EDCA\n      api: EmptyClipboard @ 0x47ECBE, 0x47ED7C\n    or:\n      api: SetClipboardData @ 0x47ED85\n\ninteract with driver via IOCTL (4 matches)\nnamespace  host-interaction/driver  \nauthor     moritz.raabe@mandiant.com\nscope      instruction              \ninstruction @ 0x46D563\n  or:\n    api: DeviceIoControl @ 0x46D563\ninstruction @ 0x46D5DD\n  or:\n    api: DeviceIoControl @ 0x46D5DD\ninstruction @ 0x46D690\n  or:\n    api: DeviceIoControl @ 0x46D690\ninstruction @ 0x473D73\n  or:\n    api: DeviceIoControl @ 0x473D73\n\nget COMSPEC environment variable\nnamespace  host-interaction/environment-variable          \nauthor     matthew.williams@mandiant.com                  \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Operating System::Environment Variable [C0034] \nfunction @ 0x41D70E\n  and:\n    match: query environment variable @ 0x41D70E\n      or:\n        api: GetEnvironmentVariable @ 0x45E05B, 0x45E06E, 0x45E0CA, 0x45E0DD, and 4 more...\n    or:\n      string: \"COMSPEC\" @ 0x45E056\n\nquery environment variable (3 matches)\nnamespace  host-interaction/environment-variable          \nauthor     michael.hunhoff@mandiant.com, @_re_fox         \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ 0x41D70E\n  or:\n    api: GetEnvironmentVariable @ 0x45E05B, 0x45E06E, 0x45E0CA, 0x45E0DD, and 4 more...\nfunction @ 0x47EE14\n  or:\n    api: GetEnvironmentVariable @ 0x47EE51\nfunction @ 0x487559\n  or:\n    api: GetEnvironmentVariable @ 0x4875FD\n\nset environment variable (2 matches)\nnamespace  host-interaction/environment-variable                           \nauthor     michael.hunhoff@mandiant.com       
                             \nscope      function                                                        \nmbc        Operating System::Environment Variable::Set Variable [C0034.001]\nfunction @ 0x43D170\n  or:\n    api: SetEnvironmentVariable @ 0x43D03C\nfunction @ 0x47EE84\n  or:\n    api: SetEnvironmentVariable @ 0x47EEC4\n\nget common file path (9 matches)\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ 0x40445D\n  or:\n    api: GetCurrentDirectory @ 0x40448D\nfunction @ 0x41D70E\n  or:\n    api: GetTempPath @ 0x45E085\n    api: GetSystemDirectory @ 0x45DB98\n    api: GetWindowsDirectory @ 0x45DB28\n    api: GetCurrentDirectory @ 0x45DD7F\nfunction @ 0x41F962\n  or:\n    api: GetCurrentDirectory @ 0x41F97E\nfunction @ 0x46DE45\n  or:\n    api: SHGetFolderPath @ 0x46DE5E\nfunction @ 0x472F35\n  or:\n    api: GetTempPath @ 0x472F4D\n    api: GetTempFileName @ 0x472F62\nfunction @ 0x4779B4\n  or:\n    api: SHGetSpecialFolderLocation @ 0x477AAD\nfunction @ 0x477D0E\n  or:\n    api: GetCurrentDirectory @ 0x477ECB\nfunction @ 0x4780B3\n  or:\n    api: GetCurrentDirectory @ 0x47822E\nfunction @ 0x48AF20\n  or:\n    api: GetSystemDirectory @ 0x48B0D7, 0x48B0FB\n    api: GetCurrentDirectory @ 0x48B13B, 0x48B15D\n\nset current directory (7 matches)\nnamespace  host-interaction/file-system\nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ 0x40445D\n  or:\n    api: SetCurrentDirectory @ 0x404596, 0x443769\nfunction @ 0x40AD7C\n  or:\n    api: SetCurrentDirectory @ 0x40AEF0, 
0x40B045\nfunction @ 0x4753D4\n  or:\n    api: SetCurrentDirectory @ 0x4753EC\nfunction @ 0x477D0E\n  or:\n    api: SetCurrentDirectory @ 0x477EDF, 0x477F35, 0x477F7E, 0x477FCE\nfunction @ 0x4780B3\n  or:\n    api: SetCurrentDirectory @ 0x478242, 0x478274, 0x4782AA, 0x4782B3\nfunction @ 0x479560\n  or:\n    api: SetCurrentDirectory @ 0x479668, 0x479686\nfunction @ 0x4796BB\n  or:\n    api: SetCurrentDirectory @ 0x4797AE, 0x4797CC\n\ncopy file (3 matches)\nnamespace  host-interaction/file-system/copy                      \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Copy File [C0045]                         \nfunction @ 0x46CE1E\n  or:\n    basic block:\n      and:\n        number: 0x2 = FO_COPY @ 0x46CF40\n        or:\n          api: SHFileOperation @ 0x46CF7F\nfunction @ 0x46D1BA\n  or:\n    api: CopyFileEx @ 0x46D1D0\nfunction @ 0x472865\n  or:\n    api: CopyFile @ 0x472BBB\n\ncreate directory (2 matches)\nnamespace  host-interaction/file-system/create                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Create Directory [C0046]                  \nfunction @ 0x46D1DF\n  or:\n    api: CreateDirectory @ 0x46D237, 0x46D294\nfunction @ 0x473C3C\n  or:\n    api: CreateDirectory @ 0x473CBB\n\ndelete directory (2 matches)\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete Directory [C0048]                  \nfunction @ 0x46E77B\n  or:\n    api: RemoveDirectory @ 0x46E7B9\nfunction @ 0x473C3C\n  or:\n    api: RemoveDirectory @ 0x473CEC\n\ndelete file (6 matches)\nnamespace  host-interaction/file-system/delete                    \nauthor     
moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete File [C0047]                       \nfunction @ 0x46CF94\n  or:\n    api: DeleteFile @ 0x46D0FB, 0x46D12B\nfunction @ 0x46D2C7\n  or:\n    api: DeleteFile @ 0x46D38E\nfunction @ 0x46E77B\n  or:\n    basic block:\n      and:\n        number: 0x3 = FO_DELETE @ 0x46E7D0\n        or:\n          api: SHFileOperation @ 0x46E806\nfunction @ 0x472865\n  or:\n    api: DeleteFile @ 0x472B23, 0x472BA5, 0x472BCC, 0x472BDE\nfunction @ 0x4755F7\n  or:\n    api: DeleteFile @ 0x4756EC\nfunction @ 0x4778BA\n  or:\n    basic block:\n      and:\n        number: 0x3 = FO_DELETE @ 0x4778FA\n        or:\n          api: SHFileOperation @ 0x47792E\n\ncheck if file exists (3 matches)\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ 0x46D1DF\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x46D219\n        instruction:\n          and:\n            mnemonic: cmp @ 0x46D21F\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x46D21F\n    basic block:\n      and:\n        api: GetLastError @ 0x46D228\n        instruction:\n          and:\n            mnemonic: cmp @ 0x46D230\n            number: 0x2 = ERROR_FILE_NOT_FOUND @ 0x46D230\nfunction @ 0x46DADC\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x46DAFB\n        instruction:\n          and:\n            mnemonic: cmp @ 0x46DB01\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x46DB01\nfunction @ 0x46E0B7\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x46E0B8\n        instruction:\n          and:\n 
           mnemonic: cmp @ 0x46E0BE\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x46E0BE\n\nenumerate files on Windows (6 matches)\nnamespace   host-interaction/file-system/files/list                             \nauthor      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com          \nscope       function                                                            \natt&ck      Discovery::File and Directory Discovery [T1083]                     \nmbc         Discovery::File and Directory Discovery [E1083]                     \nreferences  https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b16…\nfunction @ 0x46CF94\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x46D040\n      or:\n        api: FindNextFile @ 0x46D155\n      optional:\n        api: FindClose @ 0x46D171, 0x46D182\n        match: contain loop @ 0x46CF94\n          or:\n            characteristic: loop @ 0x46CF94\nfunction @ 0x46D2C7\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x46D33E\n      or:\n        api: FindNextFile @ 0x46D39F\n      optional:\n        api: FindClose @ 0x46D3B6, 0x46D3BF\n        match: contain loop @ 0x46D2C7\n          or:\n            characteristic: loop @ 0x46D2C7\nfunction @ 0x475BB5\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x475BDF\n      or:\n        api: FindNextFile @ 0x475C35\n      optional:\n        api: FindClose @ 0x475C7D\n        match: contain loop @ 0x475BB5\n          or:\n            characteristic: loop @ 0x475BB5\nfunction @ 0x479560\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x479581, 0x479618\n      or:\n        api: FindNextFile @ 0x4795F1, 0x479690\n      optional:\n        api: FindClose @ 0x4795FC, 0x47969D, 0x4796AD\n        match: contain loop @ 0x479560\n          or:\n            characteristic: loop @ 0x479560\n            characteristic: recursive call @ 0x479560\nfunction @ 0x4796BB\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x4796DC, 
0x47975E\n      or:\n        api: FindNextFile @ 0x479737, 0x4797D6\n      optional:\n        api: FindClose @ 0x479742, 0x4797E3, 0x4797F3\n        match: contain loop @ 0x4796BB\n          or:\n            characteristic: loop @ 0x4796BB\n            characteristic: recursive call @ 0x4796BB\nfunction @ 0x479A49\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x479A96\n      or:\n        api: FindNextFile @ 0x479B93\n      optional:\n        api: FindClose @ 0x479BA9\n        match: contain loop @ 0x479A49\n          or:\n            characteristic: loop @ 0x479A49\n            characteristic: recursive call @ 0x479A49\n\nenumerate files recursively (3 matches)\nnamespace  host-interaction/file-system/files/list        \nauthor     @_re_fox, anushka.virgaonkar@mandiant.com      \nscope      function                                       \natt&ck     Discovery::File and Directory Discovery [T1083]\nmbc        Discovery::File and Directory Discovery [E1083]\nfunction @ 0x479560\n  and:\n    characteristic: recursive call @ 0x479560\n    or:\n      match: enumerate files on Windows @ 0x479560\n        or:\n          and:\n            or:\n              api: FindFirstFile @ 0x479581, 0x479618\n            or:\n              api: FindNextFile @ 0x4795F1, 0x479690\n            optional:\n              api: FindClose @ 0x4795FC, 0x47969D, 0x4796AD\n              match: contain loop @ 0x479560\n                or:\n                  characteristic: loop @ 0x479560\n                  characteristic: recursive call @ 0x479560\nfunction @ 0x4796BB\n  and:\n    characteristic: recursive call @ 0x4796BB\n    or:\n      match: enumerate files on Windows @ 0x4796BB\n        or:\n          and:\n            or:\n              api: FindFirstFile @ 0x4796DC, 0x47975E\n            or:\n              api: FindNextFile @ 0x479737, 0x4797D6\n            optional:\n              api: FindClose @ 0x479742, 0x4797E3, 0x4797F3\n              match: contain loop @ 0x4796BB\n      
          or:\n                  characteristic: loop @ 0x4796BB\n                  characteristic: recursive call @ 0x4796BB\nfunction @ 0x479A49\n  and:\n    characteristic: recursive call @ 0x479A49\n    or:\n      match: enumerate files on Windows @ 0x479A49\n        or:\n          and:\n            or:\n              api: FindFirstFile @ 0x479A96\n            or:\n              api: FindNextFile @ 0x479B93\n            optional:\n              api: FindClose @ 0x479BA9\n              match: contain loop @ 0x479A49\n                or:\n                  characteristic: loop @ 0x479A49\n                  characteristic: recursive call @ 0x479A49\n\nget file attributes (5 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      basic block                                                  \nmbc        File System::Get File Attributes [C0049]                     \nbasic block @ 0x46D1DF in function 0x46D1DF\n  or:\n    api: GetFileAttributes @ 0x46D219\nbasic block @ 0x46DAFA in function 0x46DADC\n  or:\n    api: GetFileAttributes @ 0x46DAFB\nbasic block @ 0x46E0B7 in function 0x46E0B7\n  or:\n    api: GetFileAttributes @ 0x46E0B8\nbasic block @ 0x477F04 in function 0x477D0E\n  or:\n    api: GetFileAttributes @ 0x477F09\nbasic block @ 0x4795B8 in function 0x479560\n  or:\n    api: GetFileAttributes @ 0x4795BF\n\nget file size (2 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        Discovery::File and Directory Discovery [E1083]              \nfunction @ 0x482A05\n  or:\n    api: GetFileSize @ 0x482C9C\nfunction @ 0x498461\n  or:\n    api: GetFileSize @ 0x498494\n\nget file version 
info\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        Discovery::File and Directory Discovery [E1083]              \nfunction @ 0x46DB2C\n  and:\n    or:\n      api: GetFileVersionInfo @ 0x46DB64\n    optional: = retrieve specified version information from the version-information resource\n      api: VerQueryValue @ 0x46DBDA, 0x46DC84\n      or:\n        api: GetFileVersionInfoSize @ 0x46DB3E\n\nset file attributes (2 matches)\nnamespace  host-interaction/file-system/meta                                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      basic block                                                          \natt&ck     Defense Evasion::File and Directory Permissions Modification [T1222] \nmbc        File System::Set File Attributes [C0050]                             \nbasic block @ 0x477F04 in function 0x477D0E\n  or:\n    api: SetFileAttributes @ 0x477F23\nbasic block @ 0x4795B8 in function 0x479560\n  or:\n    api: SetFileAttributes @ 0x4795D9\n\nmove file (3 matches)\nnamespace  host-interaction/file-system/move                      \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Move File [C0063]                         \nfunction @ 0x46CE1E\n  or:\n    api: MoveFile @ 0x46CE9D\nfunction @ 0x46CF94\n  or:\n    api: MoveFile @ 0x46D10E\nfunction @ 0x46E319\n  or:\n    api: MoveFile @ 0x46E3CA\n    basic block:\n      and:\n        number: 0x1 = FO_MOVE @ 0x46E566\n        or:\n          api: SHFileOperation @ 0x46E56E\n\nread .ini file (4 
matches)\nnamespace  host-interaction/file-system/read     \nauthor     @_re_fox, michael.hunhoff@mandiant.com\nscope      function                              \nmbc        File System::Read File [C0051]        \nfunction @ 0x4783FD\n  and:\n    or:\n      api: GetPrivateProfileString @ 0x478482\nfunction @ 0x4784BF\n  and:\n    or:\n      api: GetPrivateProfileSection @ 0x47852A\nfunction @ 0x4787FC\n  and:\n    or:\n      api: GetPrivateProfileSectionNames @ 0x478858\nfunction @ 0x478A19\n  and:\n    or:\n      api: GetPrivateProfileSection @ 0x478ACC, 0x478AF8\n\nread file on Windows (9 matches)\nnamespace  host-interaction/file-system/read                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \nmbc        File System::Read File [C0051]                            \nfunction @ 0x406A95\n  or:\n    and:\n      os: windows\n      or:\n        api: fread @ 0x406AB3\nfunction @ 0x40B230\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x40B35C\nfunction @ 0x40B3B0\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x40B40C\nfunction @ 0x43921B\n  or:\n    and:\n      os: windows\n      or:\n        api: _read @ 0x439134\nfunction @ 0x47070D\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x470765, 0x470811\nfunction @ 0x472475\n  or:\n    and:\n      os: windows\n      or:\n        api: fread @ 0x4724A5\nfunction @ 0x4725B1\n  or:\n    and:\n      os: windows\n      or:\n        api: fread @ 0x4725D3\nfunction @ 0x482A05\n  or:\n    and:\n      os: windows\n      optional:\n        and:\n          number: 0x80000000 = GENERIC_READ @ 0x482C82\n          match: create or open file @ 0x482C89\n            or:\n              api: CreateFile @ 0x482C89\n      or:\n        api: ReadFile @ 0x482CBF\nfunction @ 0x498461\n  or:\n    and:\n      os: windows\n      optional:\n        and:\n          
number: 0x80000000 = GENERIC_READ @ 0x49847E\n          match: create or open file @ 0x498484\n            or:\n              api: CreateFile @ 0x498484\n      or:\n        api: ReadFile @ 0x4984C9\n\nclear file content\nnamespace  host-interaction/file-system/write\nauthor     jakeperalta7                      \nscope      function                          \nmbc        File System::Writes File [C0052]  \nfunction @ 0x477FD5\n  and:\n    api: SetEndOfFile @ 0x478019\n    not:\n      api: SetFilePointer\n\nwrite file on Windows (7 matches)\nnamespace  host-interaction/file-system/write                              \nauthor     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                        \nmbc        File System::Writes File [C0052]                                \nfunction @ 0x41F5B3\n  or:\n    and:\n      os: windows\n      or:\n        api: _fwrite @ 0x45F3C6\n        api: fwrite @ 0x45F3C6\nfunction @ 0x46CC1D\n  or:\n    and:\n      os: windows\n      or:\n        api: WriteFile @ 0x46CC44\nfunction @ 0x470633\n  or:\n    and:\n      os: windows\n      or:\n        api: WriteFile @ 0x470664\nfunction @ 0x4725F5\n  or:\n    and:\n      os: windows\n      or:\n        api: _fwrite @ 0x47262D\n        api: fwrite @ 0x47262D\nfunction @ 0x472642\n  or:\n    and:\n      os: windows\n      or:\n        api: _fwrite @ 0x47265B\n        api: fwrite @ 0x47265B\nfunction @ 0x472865\n  or:\n    and:\n      os: windows\n      or:\n        api: _fwrite @ 0x472AF5\n        api: fwrite @ 0x472AF5\nfunction @ 0x47CD62\n  or:\n    and:\n      os: windows\n      or:\n        api: _fwrite @ 0x47CDC3\n        api: fwrite @ 0x47CDC3\n\nenumerate gui resources\nnamespace  host-interaction/gui                           \nauthor     johnk3r, anushka.virgaonkar@mandiant.com       \nscope      function                                       \natt&ck     Discovery::Application Window Discovery 
[T1010]\nfunction @ 0x464144\n  or:\n    api: EnumWindows @ 0x464832\n\nfind taskbar (3 matches)\nnamespace  host-interaction/gui/taskbar/find   \nauthor     moritz.raabe@mandiant.com           \nscope      basic block                         \nmbc        Discovery::Taskbar Discovery [B0043]\nbasic block @ 0x41EFCE in function 0x41EFAD\n  and:\n    string: \"Shell_TrayWnd\" @ 0x41EFCF\n    match: find graphical window @ 0x41EFD4\n      or:\n        api: FindWindow @ 0x41EFD4\nbasic block @ 0x492255 in function 0x492255\n  and:\n    string: \"Shell_TrayWnd\" @ 0x492258\n    match: find graphical window @ 0x49225F\n      or:\n        api: FindWindow @ 0x49225F\nbasic block @ 0x492289 in function 0x492289\n  and:\n    string: \"Shell_TrayWnd\" @ 0x492298\n    match: find graphical window @ 0x49229F\n      or:\n        api: FindWindow @ 0x49229F\n\nfind graphical window (4 matches)\nnamespace  host-interaction/gui/window/find               \nauthor     moritz.raabe@mandiant.com                      \nscope      instruction                                    \natt&ck     Discovery::Application Window Discovery [T1010]\ninstruction @ 0x41EFD4\n  or:\n    api: FindWindow @ 0x41EFD4\ninstruction @ 0x46E645\n  or:\n    api: FindWindowEx @ 0x46E645\ninstruction @ 0x49225F\n  or:\n    api: FindWindow @ 0x49225F\ninstruction @ 0x49229F\n  or:\n    api: FindWindow @ 0x49229F\n\nget graphical window text (11 matches)\nnamespace  host-interaction/gui/window/get-text           \nauthor     moritz.raabe@mandiant.com                      \nscope      function                                       \nmbc        Discovery::Application Window Discovery [E1010]\nfunction @ 0x461A70\n  or:\n    and:\n      or:\n        basic block:\n          and:\n            number: 0xD = WM_GETTEXT @ 0x461AD9\n            api: SendMessage @ 0x461ADD\nfunction @ 0x46359E\n  or:\n    and:\n      api: GetWindowText @ 0x4638A5\nfunction @ 0x463B0C\n  or:\n    and:\n      or:\n        basic block:\n         
 and:\n            number: 0xD = WM_GETTEXT @ 0x463B66\n            api: SendMessage @ 0x463B6B\nfunction @ 0x46489C\n  or:\n    and:\n      api: GetWindowText @ 0x464922, 0x4649E9\nfunction @ 0x464BD3\n  or:\n    and:\n      optional:\n        api: IsWindowVisible @ 0x464BEB\n      or:\n        basic block:\n          and:\n            number: 0xD = WM_GETTEXT @ 0x464C3B\n            api: SendMessage @ 0x464C40\nfunction @ 0x465B9A\n  or:\n    and:\n      api: GetWindowText @ 0x465BC5\nfunction @ 0x47E8F7\n  or:\n    and:\n      api: GetWindowText @ 0x47E91E\nfunction @ 0x491E0D\n  or:\n    and:\n      api: GetWindowText @ 0x491F76\nfunction @ 0x4947A8\n  or:\n    and:\n      api: GetWindowText @ 0x494C26, 0x494C8F\nfunction @ 0x496FA4\n  or:\n    and:\n      api: GetWindowText @ 0x4971C3\nfunction @ 0x4972B7\n  or:\n    and:\n      api: GetWindowText @ 0x497423\n\nhide graphical window (8 matches)\nnamespace  host-interaction/gui/window/hide                          \nauthor     michael.hunhoff@mandiant.com                              \nscope      basic block                                               \natt&ck     Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\nbasic block @ 0x45F0F9 in function 0x41EEF7\n  and:\n    number: 0x0 = SW_HIDE @ 0x45F101\n    api: ShowWindow @ 0x45F0FB\nbasic block @ 0x4827C2 in function 0x482638\n  and:\n    number: 0x0 = SW_HIDE @ 0x48294B, 0x48295A\n    api: ShowWindow @ 0x4829BE\nbasic block @ 0x49015D in function 0x490135\n  and:\n    number: 0x0 = SW_HIDE @ 0x490163\n    api: ShowWindow @ 0x490167\nbasic block @ 0x4950F2 in function 0x495009\n  and:\n    number: 0x0 = SW_HIDE @ 0x4950F8\n    api: ShowWindow @ 0x4950FC, 0x495102\nbasic block @ 0x496B61 in function 0x496A44\n  and:\n    number: 0x0 = SW_HIDE @ 0x496B61\n    api: ShowWindow @ 0x496B66\nbasic block @ 0x49813A in function 0x4980CD\n  and:\n    number: 0x0 = SW_HIDE @ 0x49813A\n    api: ShowWindow @ 0x49813E\nbasic block @ 0x4981BF in function 
0x4980CD\n  and:\n    number: 0x0 = SW_HIDE @ 0x4981BF\n    api: ShowWindow @ 0x4981C3, 0x4981D7\nbasic block @ 0x49A198 in function 0x499E78\n  and:\n    number: 0x0 = SW_HIDE @ 0x49A198\n    api: ShowWindow @ 0x49A19C\n\nget keyboard layout\nnamespace  host-interaction/hardware/keyboard                                   \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \natt&ck     Discovery::System Location Discovery::System Language Discovery      \n           [T1614.001]                                                          \nfunction @ 0x41D70E\n  and:\n    or:\n      api: GetKeyboardLayoutName @ 0x45DF94\n\nget memory capacity\nnamespace  host-interaction/hardware/memory               \nauthor     moritz.raabe@mandiant.com                      \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nfunction @ 0x41F370\n  or:\n    api: GlobalMemoryStatusEx @ 0x41F39A\n\nget disk information (6 matches)\nnamespace  host-interaction/hardware/storage                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \natt&ck     Discovery::System Information Discovery [T1082]           \nmbc        Discovery::System Information Discovery [E1082]           \nfunction @ 0x473D97\n  or:\n    api: GetDriveType @ 0x473EF4\nfunction @ 0x4743DE\n  or:\n    api: GetDriveType @ 0x474661\nfunction @ 0x474776\n  or:\n    api: GetVolumeInformation @ 0x4747DB\nfunction @ 0x474844\n  or:\n    api: GetVolumeInformation @ 0x4748A9\nfunction @ 0x474912\n  or:\n    api: GetVolumeInformation @ 0x47497A\nfunction @ 0x4749FD\n  or:\n    api: GetDriveType @ 0x474AE8\n\nget disk size (3 matches)\nnamespace   host-interaction/hardware/storage                                   \nauthor      
michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Discovery::System Information Discovery [T1082]                     \nmbc         Discovery::System Information Discovery [E1082]                     \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nfunction @ 0x4750EB\n  or:\n    api: GetDiskFreeSpaceEx @ 0x475156\nfunction @ 0x4751CE\n  or:\n    api: GetDiskFreeSpaceEx @ 0x475239\nfunction @ 0x4752B1\n  or:\n    api: GetDiskFreeSpace @ 0x475334\n\nget storage device properties (2 matches)\nnamespace   host-interaction/hardware/storage                                   \nauthor      michael.hunhoff@mandiant.com                                        \nscope       function                                                            \nreferences  https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-wini…\nfunction @ 0x46D509\n  and:\n    number: 0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY @ 0x46D55D\n    or:\n      match: interact with driver via IOCTL @ 0x46D563\n        or:\n          api: DeviceIoControl @ 0x46D563\nfunction @ 0x46D588\n  and:\n    number: 0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY @ 0x46D5D7\n    or:\n      match: interact with driver via IOCTL @ 0x46D5DD\n        or:\n          api: DeviceIoControl @ 0x46D5DD\n\nprint debug messages\nnamespace  host-interaction/log/debug/write-event\nauthor     michael.hunhoff@mandiant.com          \nscope      function                              \nfunction @ 0x41F5B3\n  or:\n    api: OutputDebugString @ 0x45F3E1\n\nshutdown system\nnamespace  host-interaction/os                   \nauthor     michael.hunhoff@mandiant.com          \nscope      function                              \natt&ck     Impact::System Shutdown/Reboot [T1529]\nfunction @ 0x46E814\n  or:\n    api: ExitWindowsEx @ 0x46E850\n    api: InitiateSystemShutdownEx @ 0x46E870\n\nget hostname (2 
matches)\nnamespace  host-interaction/os/hostname                                         \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com,                       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::System Information Discovery [T1082]                      \nmbc        Discovery::System Information Discovery [E1082]                      \nfunction @ 0x41D70E\n  or:\n    api: GetComputerName @ 0x45DB11\nfunction @ 0x46DD45\n  or:\n    api: gethostname @ 0x46DD7A\n\nget system information on Windows\nnamespace  host-interaction/os/info                       \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com  \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nfunction @ 0x40615E\n  and:\n    os: windows\n    or:\n      api: GetSystemInfo @ 0x406320, 0x44455F\n\ncreate process on Windows (6 matches)\nnamespace  host-interaction/process/create\nauthor     moritz.raabe@mandiant.com      \nscope      basic block                    \nmbc        Process::Create Process [C0017]\nbasic block @ 0x4437E0 in function 0x40445D\n  or:\n    api: ShellExecute @ 0x4437F9\nbasic block @ 0x46134A in function 0x461145\n  or:\n    api: CreateProcessAsUser @ 0x46136D\nbasic block @ 0x461472 in function 0x461412\n  or:\n    api: CreateProcessWithLogon @ 0x461493\nbasic block @ 0x48AD7A in function 0x48AC8B\n  or:\n    api: ShellExecuteEx @ 0x48ADCA\nbasic block @ 0x48B2C1 in function 0x48AF20\n  or:\n    api: CreateProcess @ 0x48B2DD\nbasic block @ 0x498064 in function 0x498064\n  or:\n    api: CreateProcess @ 0x4980B1\n\nallocate or change RWX memory\nnamespace  host-interaction/process/inject\nauthor     @mr-tz, mehunhoff@google.com   \nscope      basic block                    \nmbc        Memory::Allocate Memory [C0007]\nbasic block @ 0x489881 in 
function 0x4895BB\n  or:\n    basic block:\n      and:\n        or:\n          match: allocate memory @ 0x489881\n            or:\n              api: VirtualAlloc @ 0x489895\n        or:\n          number: 0x40 = PAGE_EXECUTE_READWRITE @ 0x489881\n\nenumerate processes (2 matches)\nnamespace  host-interaction/process/list                                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com              \nscope      function                                                             \natt&ck     Discovery::Process Discovery [T1057], Discovery::Software Discovery  \n           [T1518]                                                              \nfunction @ 0x46D3FA\n  or:\n    and:\n      api: Process32First @ 0x46D42D\n      api: Process32Next @ 0x46D44D\n      optional:\n        basic block:\n          and:\n            api: CreateToolhelp32Snapshot @ 0x46D41F\n            or:\n              number: 0x2 = TH32CS_SNAPPROCESS @ 0x46D411\nfunction @ 0x48A5A3\n  or:\n    and:\n      api: Process32First @ 0x48A5E1\n      api: Process32Next @ 0x48A6C3\n      optional:\n        basic block:\n          and:\n            api: CreateToolhelp32Snapshot @ 0x48A5D3\n            or:\n              number: 0x2 = TH32CS_SNAPPROCESS @ 0x48A5BD\n\nacquire debug privileges\nnamespace  host-interaction/process/modify                        \nauthor     william.ballenthin@mandiant.com                        \nscope      basic block                                            \natt&ck     Privilege Escalation::Access Token Manipulation [T1134]\nbasic block @ 0x48A0B6 in function 0x48A009\n  and:\n    string: \"SeDebugPrivilege\" @ 0x48A0B6\n\nmodify access privileges (2 matches)\nnamespace  host-interaction/process/modify                        \nauthor     moritz.raabe@mandiant.com                              \nscope      instruction                                            \natt&ck     Privilege Escalation::Access Token Manipulation 
[T1134]\ninstruction @ 0x461018\n  and:\n    api: AdjustTokenPrivileges @ 0x461018\ninstruction @ 0x46167E\n  and:\n    api: AdjustTokenPrivileges @ 0x46167E\n\nterminate process (3 matches)\nnamespace  host-interaction/process/terminate                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Process::Terminate Process [C0018]                                   \nfunction @ 0x46EA3E\n  or:\n    and:\n      optional:\n        match: open process @ 0x46EA6E\n          or:\n            api: OpenProcess @ 0x46EA82\n      or:\n        api: TerminateProcess @ 0x46EA8C\nfunction @ 0x487E80\n  or:\n    and:\n      or:\n        api: TerminateProcess @ 0x488223\nfunction @ 0x48A009\n  or:\n    and:\n      optional:\n        match: open process @ 0x48A08D, 0x48A0D2\n          or:\n            api: OpenProcess @ 0x48A0DA\n          or:\n            api: OpenProcess @ 0x48A094\n      or:\n        api: TerminateProcess @ 0x48A18F\n\nempty the recycle bin\nnamespace  host-interaction/recycle-bin\nauthor     moritz.raabe@mandiant.com   \nscope      function                    \nfunction @ 0x477953\n  or:\n    api: SHEmptyRecycleBin @ 0x477977\n\nquery or enumerate registry key (2 matches)\nnamespace  host-interaction/registry                                 \nauthor     michael.hunhoff@mandiant.com                              \nscope      function                                                  \natt&ck     Discovery::Query Registry [T1012]                         \nmbc        Operating System::Registry::Query Registry Key [C0036.005]\nfunction @ 0x48B8F0\n  and:\n    optional:\n      match: create or open registry key @ 0x48BA11\n        or:\n          api: RegOpenKeyEx @ 0x48BA27\n    or:\n      api: RegEnumKeyEx @ 0x48BA8A\nfunction @ 
0x48CB5B\n  and:\n    optional:\n      match: create or open registry key @ 0x48CBA6\n        or:\n          api: RegOpenKeyEx @ 0x48CBB4\n    or:\n      api: RegEnumKeyEx @ 0x48CB8B, 0x48CC4F\n\nquery or enumerate registry value (5 matches)\nnamespace  host-interaction/registry                                            \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com,       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::Query Registry [T1012]                                    \nmbc        Operating System::Registry::Query Registry Value [C0036.006]         \nfunction @ 0x40533E\n  and:\n    optional:\n      match: create or open registry key @ 0x40533E\n        or:\n          api: RegOpenKeyEx @ 0x40545B\n    or:\n      api: RegQueryValueEx @ 0x443EEC, 0x443F2D\nfunction @ 0x4059A7\n  and:\n    optional:\n      match: create or open registry key @ 0x4059BB\n        or:\n          api: RegOpenKeyEx @ 0x4059CB\n    or:\n      api: RegQueryValueEx @ 0x4059EC\nfunction @ 0x4605C7\n  and:\n    optional:\n      match: create or open registry key @ 0x4606B3\n        or:\n          api: RegOpenKeyEx @ 0x4606C3\n    or:\n      api: RegQueryValueEx @ 0x4606ED\nfunction @ 0x48BB02\n  and:\n    optional:\n      match: create or open registry key @ 0x48BC36\n        or:\n          api: RegOpenKeyEx @ 0x48BC4C\n    or:\n      api: RegEnumValue @ 0x48BCC0\nfunction @ 0x48BD6B\n  and:\n    optional:\n      match: create or open registry key @ 0x48BEB9\n        or:\n          api: RegOpenKeyEx @ 0x48BED0\n    or:\n      api: RegQueryValueEx @ 0x48BF53, 0x48C00E, 0x48C07B, 0x48C110, and 2 more...\n\nset registry value\nnamespace  host-interaction/registry/create                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com \nscope      function                                            
    \nmbc        Operating System::Registry::Set Registry Key [C0036.001]\nfunction @ 0x48C2DE\n  or:\n    and:\n      optional:\n        match: create or open registry key @ 0x48C448\n          or:\n            api: RegCreateKeyEx @ 0x48C46B\n      or:\n        api: RegSetValueEx @ 0x48C5D9, 0x48C6E8, 0x48C774, 0x48C887\n\ndelete registry key (2 matches)\nnamespace  host-interaction/registry/delete                                \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\nscope      function                                                        \natt&ck     Defense Evasion::Modify Registry [T1112]                        \nmbc        Operating System::Registry::Delete Registry Key [C0036.002]     \nfunction @ 0x48B535\n  and:\n    optional:\n      match: create or open registry key @ 0x48B683\n        or:\n          api: RegOpenKeyEx @ 0x48B699\n    or:\n      api: RegDeleteKey @ 0x48B849\nfunction @ 0x48CB5B\n  and:\n    optional:\n      match: create or open registry key @ 0x48CBA6\n        or:\n          api: RegOpenKeyEx @ 0x48CBB4\n    or:\n      api: RegDeleteKey @ 0x48CC1A\n\ndelete registry value\nnamespace  host-interaction/registry/delete                             \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Defense Evasion::Modify Registry [T1112]                     \nmbc        Operating System::Registry::Delete Registry Value [C0036.007]\nfunction @ 0x48B535\n  and:\n    optional:\n      match: create or open registry key @ 0x48B683\n        or:\n          api: RegOpenKeyEx @ 0x48B699\n    or:\n      api: RegDeleteValue @ 0x48B731\n\nget session user name\nnamespace  host-interaction/session                                             \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope      function                                                             
\natt&ck     Discovery::System Owner/User Discovery [T1033], Discovery::Account   \n           Discovery [T1087]                                                    \nfunction @ 0x41D70E\n  or:\n    api: GetUserName @ 0x45DA28\n\nget token membership\nnamespace  host-interaction/session                      \nauthor     michael.hunhoff@mandiant.com                  \nscope      function                                      \natt&ck     Discovery::System Owner/User Discovery [T1033]\nfunction @ 0x4615A7\n  and:\n    api: CheckTokenMembership @ 0x4615E5\n    optional:\n      api: AllocateAndInitializeSid @ 0x4615D0\n      api: FreeSid @ 0x4615F5\n\nget token privileges\nnamespace  host-interaction/session    \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ 0x460F58\n  and:\n    or:\n      basic block:\n        and:\n          api: GetTokenInformation @ 0x460F6E\n          number: 0x3 = TokenPrivileges @ 0x460F6B\n        and:\n          api: GetTokenInformation @ 0x460FA6\n          number: 0x3 = TokenPrivileges @ 0x460FA3\n\ncreate thread (5 matches)\nnamespace  host-interaction/thread/create                                       \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           joakim@intezer.com, anushka.virgaonkar@mandiant.com                  \nscope      basic block                                                          \nmbc        Process::Create Thread [C0038]                                       \nbasic block @ 0x461747 in function 0x461747\n  or:\n    and:\n      os: windows\n      or:\n        api: CreateThread @ 0x4617AC\nbasic block @ 0x46E114 in function 0x46E0F4\n  or:\n    and:\n      os: windows\n      or:\n        api: _beginthreadex @ 0x46E139\nbasic block @ 0x470870 in function 0x4708F7\n  or:\n    and:\n      os: windows\n      or:\n        api: CreateThread @ 0x47087D\nbasic block @ 0x470870 in function 0x4708F7\n  or:\n    and:\n      os: windows\n     
 or:\n        api: CreateThread @ 0x47087D\nbasic block @ 0x47D13B in function 0x47D126\n  or:\n    and:\n      os: windows\n      or:\n        api: _beginthread @ 0x47D151\n\nterminate thread\nnamespace  host-interaction/thread/terminate                                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      basic block                                                          \nmbc        Process::Terminate Thread [C0039]                                    \nbasic block @ 0x4708A6 in function 0x470889\n  or:\n    api: TerminateThread @ 0x4708B9\n\nimpersonate user\nnamespace  host-interaction/user                                                \nauthor     michael.hunhoff@mandiant.com, 99.elad.levi@gmail.com                 \nscope      function                                                             \natt&ck     Privilege Escalation::Access Token Manipulation::Token               \n           Impersonation/Theft [T1134.001]                                      \nfunction @ 0x461145\n  or:\n    api: LogonUser @ 0x4611CA\n    and:\n      api: LoadUserProfile @ 0x461327\n\n(internal) autoit file limitation\nnamespace    internal/limitation/static                                         \nauthor       william.ballenthin@mandiant.com                                    \nscope        file                                                               \ndescription  This sample appears to be compiled with AutoIt.                    \n                                                                                \n             AutoIt is a freeware BASIC-like scripting language designed for    \n             automating the Windows GUI.                                        \n             capa cannot handle AutoIt scripts. This means that the results will\n             be misleading or incomplete.                                   
    \n             You may have to analyze the file manually, using a tool like the   \n             AutoIt decompiler MyAut2Exe.                                       \n                                                                                \nor:\n  match: compiler/autoit @ global\n    or:\n      string: \"AutoIt Error\" @ file+0xD5910\n      string: \">>>AUTOIT NO CMDEXECUTE<<<\" @ file+0x9BF64\n      string: \"#requireadmin\" @ file+0x9EB28\n      string: \"#OnAutoItStartRegister\" @ file+0x9EAD8\n      substring: >>>AUTOIT SCRIPT<<<\n        - \">>>AUTOIT SCRIPT<<<\" @ file+0xC5640\n\nlink function at runtime on Windows (13 matches)\nnamespace  linking/runtime-linking                        \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com\nscope      instruction                                    \natt&ck     Execution::Shared Modules [T1129]              \ninstruction @ 0x4062E6\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x4062E6\ninstruction @ 0x406816\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x406816\ninstruction @ 0x406850\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x406850\ninstruction @ 0x432FC7\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x432FC7\ninstruction @ 0x432FC7\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x432FC7\ninstruction @ 0x45DB5B\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x45DB5B\ninstruction @ 0x4671A3\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x4671A3\ninstruction @ 0x483FF4\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x483FF4\ninstruction @ 0x488EF7\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x488EF7\ninstruction @ 0x488F13\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x488F13\ninstruction @ 0x488F59\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x488F59\ninstruction @ 0x48B82B\n  and:\n    os: windows\n 
   or:\n      api: GetProcAddress @ 0x48B82B\ninstruction @ 0x48CBF6\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x48CBF6\n\nparse PE header\nnamespace  load-code/pe                     \nauthor     moritz.raabe@mandiant.com        \nscope      function                         \natt&ck     Execution::Shared Modules [T1129]\nfunction @ 0x40B7E0\n  and:\n    os: windows\n    and:\n      mnemonic: cmp @ 0x40B810, 0x40B824, 0x40B82D, 0x40B84F, and 43 more...\n      or:\n        and:\n          number: 0x50 @ 0x450313\n          number: 0x45 @ 0x40BC73\n      or:\n        and:\n          number: 0x4D @ 0x40BB79\n          number: 0x5A @ 0x40B92F, 0x40B973, 0x40BCA4\n\nresolve function by parsing PE exports (15 matches)\nnamespace  load-code/pe\nauthor     sara-rn     \nscope      function    \nfunction @ 0x401641\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x401641\n      mnemonic: movzx @ 0x401B19, 0x401B67, 0x401BA4, 0x401BEE, and 2 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x401AB7, 0x401AF7, 0x442A22\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x401760\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x401B05, 0x401B29, 0x401B5B, 0x401B63, and 11 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x40165B, 0x401679, 0x401A7C, 0x401BB7, and 8 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x401A6C, 0x401A9E, 0x401ADE, 0x401B15, and 8 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x401AB3, 0x401AC0, 0x401AF0, 0x401B25, and 12 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x401AA2, 0x401AD4, 0x401BD5, 0x4425C7, and 11 more...\nfunction @ 0x408BAA\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x408BAA\n      mnemonic: movzx @ 0x445922, 0x445B7A\n    
and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x408D85, 0x408DDB\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x445A85, 0x445B3F\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x408C7B, 0x408CD7, 0x408D0F, 0x408D4C, and 9 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x408BB8, 0x408CBE, 0x408DC2, 0x408DD1, and 7 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x408BF6, 0x408C12, 0x408C87, 0x408D89\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x408D20, 0x445980, 0x445A4F, 0x445AB4, and 2 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x408CA5, 0x408CD3, 0x408DAF, 0x408E24, and 2 more...\nfunction @ 0x4095C0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x4095C0\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4096AC, 0x409887, 0x4098DD, 0x4099C7\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x4463CA, 0x446461, 0x4465C9, 0x44661E, and 1 more...\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x409653, 0x409864, 0x446280, 0x4462A5, and 9 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4096B0, 0x4098EC, 0x4465C1\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x4096BC, 0x40988B, 0x40989D, 0x4098AE, and 6 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x4096A4, 0x409963, 0x40996D, 0x409971, and 7 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4096B8, 0x4097D8, 0x409909, 0x409931, and 6 more...\nfunction @ 0x40A180\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x40A180\n      mnemonic: movzx @ 0x40A1DD, 0x40A1FF, 0x40A20D, 0x40A21F, and 490 more...\n    
and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x40A558, 0x449751, 0x44976C\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x40A670, 0x40A8C8, 0x44738C, 0x447398, and 18 more...\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x40A647, 0x40A887, 0x447695, 0x447A2F, and 1 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4474A1, 0x4474D4, 0x447577, 0x4475AA, and 2 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x40A7ED, 0x447F8A, 0x448031, 0x44806F, and 14 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40A7FB, 0x447F9C, 0x447FBA, 0x44803B, and 23 more...\nfunction @ 0x40AD7C\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x40AD7C\n      mnemonic: movzx @ 0x40AF89, 0x44FB38\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x44FAEE, 0x44FAFC, 0x44FB1F, 0x44FCE1\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x40ADD7, 0x40B08A\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x40AD92, 0x40AF43, 0x40B0D0, 0x44FAA7, and 6 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x40ADBC, 0x40AE73, 0x44FBCB, 0x44FC8B, and 1 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x40AFA8, 0x40B019, 0x40B02B, 0x44FBCF, and 2 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x40ADB8, 0x40AF21, 0x40AF49, 0x40B0CC, and 6 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40AF4D, 0x40AFCD, 0x40B011, 0x44FC5F, and 2 more...\nfunction @ 0x40D840\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x40D840\n      mnemonic: movzx @ 0x40DD22, 0x40DEE0, 0x40DEE7, 0x40DEF0, and 4 more...\n    and:\n      offset: 
0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x40D863, 0x40D996, 0x40DD88, 0x40DE6E, and 8 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x40D8C7\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x40D92B, 0x40D989, 0x40D9C0, 0x40DA03, and 9 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x40D8E3, 0x40DC92, 0x40DCC7, 0x40DFCA, and 8 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x40D8CB, 0x40D927, 0x40DAB6, 0x40DBBC, and 14 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x40D9B7, 0x40DA33, 0x40DAC0, 0x40DB79, and 20 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40D85D, 0x40D922, 0x40D98E, 0x40DE85, and 11 more...\nfunction @ 0x410540\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x410540\n      mnemonic: movzx @ 0x410600, 0x41062B, 0x41066B, 0x4107F2, and 29 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x410592\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x410876, 0x410AAA, 0x410BFC, 0x410C2C, and 7 more...\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x41059A, 0x4105D1, 0x410652, 0x4106C4, and 22 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x410A1F, 0x411150, 0x411166, 0x4112C1, and 9 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x41058A, 0x4105B5, 0x41065A, 0x410A26, and 14 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x410552, 0x4108D8, 0x41092E, 0x410938, and 23 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x410691, 0x410842, 0x4108BB, 0x4108C4, and 27 more...\nfunction @ 0x41BEAD\n  and:\n    os: windows\n    or:\n      characteristic: 
loop @ 0x41BEAD\n      mnemonic: movzx @ 0x41C06A, 0x41C091, 0x41C0A0, 0x41C0A8, and 128 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x41C16F, 0x45A1E8, 0x45A34E, 0x45B07F\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x459C84, 0x45B005\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x459F7A, 0x45B03F, 0x45B060, 0x45B07C, and 2 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x45933F, 0x45AF58, 0x45B1CB, 0x45B252\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x41C052, 0x41C302, 0x41C338, 0x41C408, and 23 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x458F91, 0x458FCD, 0x459172, 0x4591C1, and 1 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x459046, 0x459E17\nfunction @ 0x466502\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x466502\n      mnemonic: movzx @ 0x4666E8, 0x4667E7, 0x4669E6, 0x4669EC\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x46656E, 0x46659F, 0x466602, 0x46674E, and 7 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x46661E\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x466641, 0x466652, 0x466662, 0x466686, and 11 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x466554, 0x466571, 0x46657B, 0x46682E, and 7 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x466596, 0x4665CF, 0x466616, 0x4667A9, and 3 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x4665C4, 0x46665B, 0x4667AD, 0x46683F, and 1 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x46671D, 0x466769, 0x4667B1, 0x4667CC, and 2 more...\nfunction @ 0x4681EE\n  and:\n  
  os: windows\n    or:\n      characteristic: loop @ 0x4681EE\n      mnemonic: movzx @ 0x468256, 0x46826B, 0x4682A7, 0x4682F8, and 8 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4684CE\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x46852F\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x4683DF, 0x4686B0\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x468378, 0x468407, 0x468439\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x468401\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x4683E5, 0x468612\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4683FB, 0x4687AF\nfunction @ 0x4763AC\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x4763AC\n      mnemonic: movzx @ 0x47645E, 0x476474, 0x476480, 0x476489\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x476405, 0x476580, 0x476597, 0x4767DE\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x476707\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x47652F, 0x4765A3, 0x4765EC, 0x476638, and 4 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4763D3, 0x47642F, 0x4764C2, 0x4764C7, and 3 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x476626\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x476542, 0x4765C2, 0x4765F9, 0x476645, and 9 more...\nfunction @ 0x476E0F\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x476E0F\n      mnemonic: movzx @ 0x476EA3, 0x476EA6\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x476E8F\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to 
IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x477044, 0x4770D8, 0x4771A4\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x476E7D, 0x476E9B, 0x476EAA, 0x476FA1, and 1 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x476E26, 0x476EE6, 0x476EFE, 0x476F13, and 4 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x476F24, 0x476F3C, 0x47706B, 0x4770B0\nfunction @ 0x47902A\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x47902A\n      mnemonic: movzx @ 0x47912D, 0x47913D, 0x47916B, 0x479184\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4790E8, 0x479508\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x479080\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x479131, 0x479174, 0x479266, 0x47929D, and 3 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4791BC, 0x4791CA, 0x4791F4, 0x479225, and 4 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x479051, 0x4790B8, 0x479202, 0x47930A, and 1 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x47916F, 0x47927E, 0x4792D5, 0x4794E8, and 1 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x47926E, 0x4794FC\nfunction @ 0x487E80\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x487E80\n      mnemonic: movzx @ 0x487E8C\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x487FF3, 0x48829E\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x487F41, 0x4881C4, 0x488201\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x487EF1, 0x487F23, 0x487F9A, 0x487FDB, and 7 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals 
@ 0x488092, 0x488118, 0x488136\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x487FBF, 0x488192, 0x488197, 0x4881DA, and 3 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x487F38, 0x487FAF, 0x487FEA, 0x488018, and 7 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x487FE6, 0x487FF8, 0x488004, 0x48808E, and 2 more...\nfunction @ 0x490F26\n  and:\n    os: windows\n    or:\n      mnemonic: movzx @ 0x49110E, 0x4912C4, 0x4912CA\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x491140, 0x491288\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x491028\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x490FB0, 0x490FC8, 0x490FDA, 0x490FED, and 6 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x490F4B, 0x490FD6, 0x4910C5\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x490F43, 0x49107D, 0x4912B0\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x49106A, 0x4910BB, 0x491298, 0x4912A6, and 1 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x490F57, 0x490FC4, 0x4910E2, 0x491184, and 2 more...\n\nexecute shellcode via indirect call\nnamespace  load-code/shellcode            \nauthor     ronnie.salomonsen@mandiant.com \nscope      function                       \nmbc        Memory::Allocate Memory [C0007]\nfunction @ 0x4895BB\n  and:\n    match: allocate or change RWX memory @ 0x489881\n      or:\n        basic block:\n          and:\n            or:\n              match: allocate memory @ 0x489881\n                or:\n                  api: VirtualAlloc @ 0x489895\n            or:\n              number: 0x40 = PAGE_EXECUTE_READWRITE @ 0x489881\n    or:\n      characteristic: indirect call @ 0x48963F, 0x489682\n\ncreate shortcut via IShellLink (2 matches)\nnamespace   persistence      
                                                   \nauthor      matthew.williams@mandiant.com                                       \nscope       function                                                            \natt&ck      Persistence::Boot or Logon Autostart Execution::Shortcut            \n            Modification [T1547.009]                                            \nreferences  https://docs.microsoft.com/en-us/windows/win32/shell/links#creating…\nfunction @ 0x47573C\n  and:\n    offset: 0x50 = psl->SetPath @ 0x475910, 0x4759CE, 0x4759FC\n    offset: 0x18 = ppf->Save @ 0x475790, 0x4757C8, 0x47585F, 0x475864, and 4 more...\n    api: CoCreateInstance @ 0x4758CC\n    bytes: 0114020000000000c000000000000046 = CLSID_ShellLink @ 0x4758C7\n    bytes: 0b01000000000000c000000000000046 = IID_IPersistFile @ 0x475AB3\n    or:\n      bytes: f914020000000000c000000000000046 = IID_IShellLinkW @ 0x4758BE\nfunction @ 0x4763AC\n  and:\n    offset: 0x50 = psl->SetPath @ 0x4763F4, 0x476610, 0x47665C, 0x4766A8, and 2 more...\n    offset: 0x18 = ppf->Save @ 0x476542, 0x4765C2, 0x4765F9, 0x476645, and 9 more...\n    api: CoCreateInstance @ 0x47656E\n    bytes: 0114020000000000c000000000000046 = CLSID_ShellLink @ 0x476569\n    bytes: 0b01000000000000c000000000000046 = IID_IPersistFile @ 0x476585\n    or:\n      bytes: f914020000000000c000000000000046 = IID_IShellLinkW @ 0x476562\n\n\n\n"},"hashes":{"md5":"9743b958d41813a0a3f62920f90a25c8","sha1":"fec4f7eea0ac8e7935081d865a2f8fee6839641b","sha256":"c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227bd5afe9c795002e"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: 
border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            
position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div 
id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    <span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span 
class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 2043</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 119213</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"5.exe\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"9743b958d41813a0a3f62920f90a25c8\",\n        \"sha256\": \"c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227bd5afe\",\n        \"arch\": \"i386\",\n        \"os\": \"windows\",\n        \"format\": \"pe\"\n      }\n    },\n    {\n      \"id\": \"cap_allocate_memory__2_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"allocate memory (2 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x46B26C\",\n      \"label\": \"Block 0x46B26C\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46B26C\"\n    },\n    {\n      \"id\": \"api_VirtualAllocEx\",\n      \"label\": \"VirtualAllocEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_library_rule_\",\n      \"label\": \"library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Modulo [C0058]\"\n      ]\n    },\n    {\n      \"id\": \"cap_contain_loop__489_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"contain loop (489 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x401202\",\n      \"label\": \"Function 0x401202\",\n      \"type\": 
\"function\",\n      \"address\": \"0x401202\"\n    },\n    {\n      \"id\": \"cap_create_or_open_file__13_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"create or open file (13 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create File [C0016]\"\n      ]\n    },\n    {\n      \"id\": \"api_CreateFile\",\n      \"label\": \"CreateFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_rule_\",\n      \"label\": \"rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Create Registry Key [C0036.004]\",\n        \"Operating\",\n        \"System::Registry::Open Registry Key [C0036.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x40533E\",\n      \"label\": \"Block 0x40533E\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40533E\"\n    },\n    {\n      \"id\": \"api_RegOpenKeyEx\",\n      \"label\": \"RegOpenKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_delay_execution__37_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"delay execution (37 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed\",\n        \"Execution [B0003.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x40F4AF\",\n      \"label\": \"Block 0x40F4AF\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40F4AF\"\n    },\n    {\n      \"id\": \"api_Sleep\",\n      \"label\": \"Sleep\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap_open_process__7_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"open process (7 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Open Process [C0065]\"\n      ]\n    },\n    {\n      \"id\": \"api_OpenProcess\",\n      \"label\": \"OpenProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"label\": \"check for time delay via QueryPerformanceCounter (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check\",\n        \"QueryPerformanceCounter [B0001.033]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x469B7E\",\n      \"label\": \"Function 0x469B7E\",\n      \"type\": \"function\",\n      \"address\": \"0x469B7E\"\n    },\n    {\n      \"id\": \"func_0x469B67\",\n      \"label\": \"Function 0x469B67\",\n      \"type\": \"function\",\n      \"address\": \"0x469B67\"\n    },\n    {\n      \"id\": \"func_0x46E899\",\n      \"label\": \"Function 0x46E899\",\n      \"type\": \"function\",\n      \"address\": \"0x46E899\"\n    },\n    {\n      \"id\": \"func_0x46AFC6\",\n      \"label\": \"Function 0x46AFC6\",\n      \"type\": \"function\",\n      \"address\": \"0x46AFC6\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check\",\n        \"QueryPerformanceCounter [B0001.033]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_for_unmoving_mouse_cursor__2_matches_\",\n      
\"label\": \"check for unmoving mouse cursor (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection::Human User\",\n        \"Check [B0009.012]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x498EBB\",\n      \"label\": \"Function 0x498EBB\",\n      \"type\": \"function\",\n      \"address\": \"0x498EBB\"\n    },\n    {\n      \"id\": \"func_0x499468\",\n      \"label\": \"Function 0x499468\",\n      \"type\": \"function\",\n      \"address\": \"0x499468\"\n    },\n    {\n      \"id\": \"cap_author______bitsofbinary\",\n      \"label\": \"author      BitsOfBinary\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection::Human User\",\n        \"Check [B0009.012]\"\n      ]\n    },\n    {\n      \"id\": \"cap_log_keystrokes__9_matches_\",\n      \"label\": \"log keystrokes (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Input Capture::Keylogging [T1056.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46B04D\",\n      \"label\": \"Function 0x46B04D\",\n      \"type\": \"function\",\n      \"address\": \"0x46B04D\"\n    },\n    {\n      \"id\": \"func_0x46B198\",\n      \"label\": \"Function 0x46B198\",\n      \"type\": \"function\",\n      \"address\": \"0x46B198\"\n    },\n    {\n      \"id\": \"func_0x463985\",\n      \"label\": \"Function 0x463985\",\n      \"type\": \"function\",\n      \"address\": \"0x463985\"\n    },\n    {\n      \"id\": \"func_0x46B1FD\",\n      \"label\": \"Function 0x46B1FD\",\n      \"type\": \"function\",\n      \"address\": \"0x46B1FD\"\n    },\n    {\n      \"id\": \"func_0x4034CE\",\n      \"label\": \"Function 0x4034CE\",\n      \"type\": \"function\",\n      \"address\": 
\"0x4034CE\"\n    },\n    {\n      \"id\": \"func_0x4624E6\",\n      \"label\": \"Function 0x4624E6\",\n      \"type\": \"function\",\n      \"address\": \"0x4624E6\"\n    },\n    {\n      \"id\": \"func_0x41EFAD\",\n      \"label\": \"Function 0x41EFAD\",\n      \"type\": \"function\",\n      \"address\": \"0x41EFAD\"\n    },\n    {\n      \"id\": \"func_0x46A90B\",\n      \"label\": \"Function 0x46A90B\",\n      \"type\": \"function\",\n      \"address\": \"0x46A90B\"\n    },\n    {\n      \"id\": \"func_0x462CEB\",\n      \"label\": \"Function 0x462CEB\",\n      \"type\": \"function\",\n      \"address\": \"0x462CEB\"\n    },\n    {\n      \"id\": \"api_MapVirtualKey\",\n      \"label\": \"MapVirtualKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_AttachThreadInput\",\n      \"label\": \"AttachThreadInput\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Input Capture::Keylogging [T1056.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"label\": \"log keystrokes via polling (11 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Keylogging::Polling [F0002.002]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46AABA\",\n      \"label\": \"Function 0x46AABA\",\n      \"type\": \"function\",\n      \"address\": \"0x46AABA\"\n    },\n    {\n      \"id\": \"func_0x46ADD8\",\n      \"label\": \"Function 0x46ADD8\",\n      \"type\": \"function\",\n      \"address\": \"0x46ADD8\"\n    },\n    {\n      \"id\": \"func_0x46ABF8\",\n      \"label\": \"Function 0x46ABF8\",\n      \"type\": \"function\",\n   
   \"address\": \"0x46ABF8\"\n    },\n    {\n      \"id\": \"func_0x469EAF\",\n      \"label\": \"Function 0x469EAF\",\n      \"type\": \"function\",\n      \"address\": \"0x469EAF\"\n    },\n    {\n      \"id\": \"func_0x46A975\",\n      \"label\": \"Function 0x46A975\",\n      \"type\": \"function\",\n      \"address\": \"0x46A975\"\n    },\n    {\n      \"id\": \"func_0x4028C0\",\n      \"label\": \"Function 0x4028C0\",\n      \"type\": \"function\",\n      \"address\": \"0x4028C0\"\n    },\n    {\n      \"id\": \"func_0x41EA9A\",\n      \"label\": \"Function 0x41EA9A\",\n      \"type\": \"function\",\n      \"address\": \"0x41EA9A\"\n    },\n    {\n      \"id\": \"func_0x469B97\",\n      \"label\": \"Function 0x469B97\",\n      \"type\": \"function\",\n      \"address\": \"0x469B97\"\n    },\n    {\n      \"id\": \"api_VkKeyScan\",\n      \"label\": \"VkKeyScan\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetAsyncKeyState\",\n      \"label\": \"GetAsyncKeyState\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetKeyboardState\",\n      \"label\": \"GetKeyboardState\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetKeyState\",\n      \"label\": \"GetKeyState\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_capture_screenshot\",\n      \"label\": \"capture screenshot\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Screen Capture::WinAPI [E1113.m01]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x482483\",\n      \"label\": \"Function 0x482483\",\n      \"type\": \"function\",\n      \"address\": \"0x482483\"\n    },\n    {\n      \"id\": \"api_GetDIBits\",\n      \"label\": \"GetDIBits\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"api_CreateCompatibleBitmap\",\n      \"label\": \"CreateCompatibleBitmap\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetDC\",\n      \"label\": \"GetDC\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CreateCompatibleDC\",\n      \"label\": \"CreateCompatibleDC\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com____re_fox__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Screen Capture::WinAPI [E1113.m01]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_remote_server_for_available_data\",\n      \"label\": \"query remote server for available data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"bb_0x47CE38\",\n      \"label\": \"Block 0x47CE38\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x47CE38\"\n    },\n    {\n      \"id\": \"api_InternetQueryDataAvailable\",\n      \"label\": \"InternetQueryDataAvailable\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_receive_data__4_matches_\",\n      \"label\": \"receive data (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Receive Data [B0030.002]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x481B87\",\n      \"label\": \"Function 0x481B87\",\n      \"type\": \"function\",\n      \"address\": \"0x481B87\"\n    },\n    {\n      \"id\": \"func_0x48135A\",\n      \"label\": \"Function 0x48135A\",\n      \"type\": \"function\",\n      \"address\": \"0x48135A\"\n    },\n   
 {\n      \"id\": \"func_0x47CD62\",\n      \"label\": \"Function 0x47CD62\",\n      \"type\": \"function\",\n      \"address\": \"0x47CD62\"\n    },\n    {\n      \"id\": \"func_0x47CE38\",\n      \"label\": \"Function 0x47CE38\",\n      \"type\": \"function\",\n      \"address\": \"0x47CE38\"\n    },\n    {\n      \"id\": \"api_recvfrom\",\n      \"label\": \"recvfrom\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"api_recv\",\n      \"label\": \"recv\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"api_InternetReadFile\",\n      \"label\": \"InternetReadFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"label\": \"author       william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Receive Data [B0030.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_data__3_matches_\",\n      \"label\": \"send data (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Send Data [B0030.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x481F24\",\n      \"label\": \"Function 0x481F24\",\n      \"type\": \"function\",\n      \"address\": \"0x481F24\"\n    },\n    {\n      \"id\": \"func_0x47C394\",\n      \"label\": \"Function 0x47C394\",\n      \"type\": \"function\",\n      \"address\": \"0x47C394\"\n    },\n    {\n      \"id\": \"func_0x4814F1\",\n      \"label\": \"Function 0x4814F1\",\n      \"type\": \"function\",\n      \"address\": \"0x4814F1\"\n    },\n    {\n      \"id\": \"api_HttpOpenRequest\",\n      \"label\": \"HttpOpenRequest\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    
{\n      \"id\": \"api_InternetConnect\",\n      \"label\": \"InternetConnect\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_sendto\",\n      \"label\": \"sendto\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"api_HttpSendRequest\",\n      \"label\": \"HttpSendRequest\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"api_send\",\n      \"label\": \"send\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author       william.ballenthin@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Send Data [B0030.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_download_and_write_a_file\",\n      \"label\": \"download and write a file\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"downloader\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Server to Client\",\n        \"File Transfer [B0030.003]\"\n      ]\n    },\n    {\n      \"id\": \"api_fwrite\",\n      \"label\": \"fwrite\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api__fwrite\",\n      \"label\": \"_fwrite\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_maec_malware_category__downloader\",\n      \"label\": \"maec/malware-category  downloader\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"downloader\",\n      \"mitre\": [\n        \"Command and Control::C2 Communication::Server to Client\",\n        \"File Transfer [B0030.003]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_receive_and_write_data_from_server_to_client\",\n      \"label\": \"receive and write data from server to client\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_resolve_dns__3_matches_\",\n      \"label\": \"resolve DNS (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::DNS Communication::Resolve [C0011.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46DD45\",\n      \"label\": \"Function 0x46DD45\",\n      \"type\": \"function\",\n      \"address\": \"0x46DD45\"\n    },\n    {\n      \"id\": \"func_0x480482\",\n      \"label\": \"Function 0x480482\",\n      \"type\": \"function\",\n      \"address\": \"0x480482\"\n    },\n    {\n      \"id\": \"func_0x481288\",\n      \"label\": \"Function 0x481288\",\n      \"type\": \"function\",\n      \"address\": \"0x481288\"\n    },\n    {\n      \"id\": \"api_gethostbyname\",\n      \"label\": \"gethostbyname\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_michael_hunhoff_mandiant_com\",\n      \"label\": \"michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::DNS Communication::Resolve [C0011.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_connect_network_resource\",\n      \"label\": \"connect network resource\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x4605C7\",\n      \"label\": \"Function 0x4605C7\",\n      \"type\": \"function\",\n      
\"address\": \"0x4605C7\"\n    },\n    {\n      \"id\": \"api_WNetAddConnection2\",\n      \"label\": \"WNetAddConnection2\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"label\": \"author       michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_parse_url\",\n      \"label\": \"parse URL\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"bb_0x47D012\",\n      \"label\": \"Block 0x47D012\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x47D012\"\n    },\n    {\n      \"id\": \"api_InternetCrackUrl\",\n      \"label\": \"InternetCrackUrl\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_connect_to_http_server__2_matches_\",\n      \"label\": \"connect to HTTP server (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Connect to Server [C0002.009]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47C061\",\n      \"label\": \"Function 0x47C061\",\n      \"type\": \"function\",\n      \"address\": \"0x47C061\"\n    },\n    {\n      \"id\": \"cap_connect_to_url\",\n      \"label\": \"connect to URL\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Open URL [C0002.004]\"\n      ]\n    },\n    {\n      \"id\": \"api_InternetOpenUrl\",\n      \"label\": \"InternetOpenUrl\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"cap_create_http_request\",\n      \"label\": \"create HTTP request\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": 
\"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Create Request [C0002.012]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47CC3C\",\n      \"label\": \"Function 0x47CC3C\",\n      \"type\": \"function\",\n      \"address\": \"0x47CC3C\"\n    },\n    {\n      \"id\": \"api_InternetOpen\",\n      \"label\": \"InternetOpen\",\n      \"type\": \"api\",\n      \"category\": \"network\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Create Request [C0002.012]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_data_from_internet__2_matches_\",\n      \"label\": \"read data from Internet (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Get Response [C0002.017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_http_request\",\n      \"label\": \"send HTTP request\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Send Request [C0002.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Send Request [C0002.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_icmp_echo_request\",\n      \"label\": \"send ICMP echo request\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      
\"category\": \"\",\n      \"mitre\": [\n        \"Communication::ICMP Communication::Echo Request [C0014.002]\"\n      ]\n    },\n    {\n      \"id\": \"api_IcmpCloseHandle\",\n      \"label\": \"IcmpCloseHandle\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_IcmpSendEcho\",\n      \"label\": \"IcmpSendEcho\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_IcmpCreateFile\",\n      \"label\": \"IcmpCreateFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::ICMP Communication::Echo Request [C0014.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_pipe__2_matches_\",\n      \"label\": \"create pipe (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Interprocess Communication::Create Pipe [C0003.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4703F0\",\n      \"label\": \"Function 0x4703F0\",\n      \"type\": \"function\",\n      \"address\": \"0x4703F0\"\n    },\n    {\n      \"id\": \"func_0x4704C5\",\n      \"label\": \"Function 0x4704C5\",\n      \"type\": \"function\",\n      \"address\": \"0x4704C5\"\n    },\n    {\n      \"id\": \"api_CreatePipe\",\n      \"label\": \"CreatePipe\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_connect_socket\",\n      \"label\": \"connect socket\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"bb_0x4810AF\",\n      \"label\": \"Block 0x4810AF\",\n      \"type\": \"basic_block\",\n      \"address\": 
\"0x4810AF\"\n    },\n    {\n      \"id\": \"api_connect\",\n      \"label\": \"connect\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_mrhafizfarhad_gmail_com\",\n      \"label\": \"mrhafizfarhad@gmail.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_get_socket_status\",\n      \"label\": \"get socket status\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Get Socket Status [C0001.012]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x483070\",\n      \"label\": \"Function 0x483070\",\n      \"type\": \"function\",\n      \"address\": \"0x483070\"\n    },\n    {\n      \"id\": \"api_select\",\n      \"label\": \"select\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_initialize_winsock_library__3_matches_\",\n      \"label\": \"initialize Winsock library (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Initialize Winsock Library\",\n        \"[C0001.009]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4815DA\",\n      \"label\": \"Function 0x4815DA\",\n      \"type\": \"function\",\n      \"address\": \"0x4815DA\"\n    },\n    {\n      \"id\": \"api_WSAStartup\",\n      \"label\": \"WSAStartup\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_socket_configuration__3_matches_\",\n      \"label\": \"set socket configuration (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Set Socket Config [C0001.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x482F75\",\n      \"label\": 
\"Function 0x482F75\",\n      \"type\": \"function\",\n      \"address\": \"0x482F75\"\n    },\n    {\n      \"id\": \"func_0x4819FD\",\n      \"label\": \"Function 0x4819FD\",\n      \"type\": \"function\",\n      \"address\": \"0x4819FD\"\n    },\n    {\n      \"id\": \"api_setsockopt\",\n      \"label\": \"setsockopt\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_ioctlsocket\",\n      \"label\": \"ioctlsocket\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_receive_data_on_socket__2_matches_\",\n      \"label\": \"receive data on socket (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Receive Data [C0001.006]\"\n      ]\n    },\n    {\n      \"id\": \"cap_send_data_on_socket__2_matches_\",\n      \"label\": \"send data on socket (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Send Data [C0001.007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Send Data [C0001.007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_connect_tcp_socket\",\n      \"label\": \"connect TCP socket\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Connect Socket [C0001.004]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x480FDF\",\n      \"label\": \"Function 0x480FDF\",\n      \"type\": \"function\",\n      \"address\": \"0x480FDF\"\n    },\n    {\n      \"id\": \"api_socket\",\n      \"label\": 
\"socket\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_tcp_socket__2_matches_\",\n      \"label\": \"create TCP socket (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create TCP Socket [C0001.011]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x481033\",\n      \"label\": \"Block 0x481033\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x481033\"\n    },\n    {\n      \"id\": \"bb_0x481197\",\n      \"label\": \"Block 0x481197\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x481197\"\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create TCP Socket [C0001.011]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_udp_socket__2_matches_\",\n      \"label\": \"create UDP socket (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::Create UDP Socket [C0001.010]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x48177E\",\n      \"label\": \"Block 0x48177E\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x48177E\"\n    },\n    {\n      \"id\": \"bb_0x4819FD\",\n      \"label\": \"Block 0x4819FD\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4819FD\"\n    },\n    {\n      \"id\": \"cap_act_as_tcp_client\",\n      \"label\": \"act as TCP client\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::TCP Client [C0001.008]\"\n      
]\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Socket Communication::TCP Client [C0001.008]\"\n      ]\n    },\n    {\n      \"id\": \"cap_compiled_with_autoit\",\n      \"label\": \"compiled with AutoIt\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Command and Scripting Interpreter [T1059]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"label\": \"author      william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Command and Scripting Interpreter [T1059]\"\n      ]\n    },\n    {\n      \"id\": \"cap_hash_data_with_crc32\",\n      \"label\": \"hash data with CRC32\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Checksum::CRC32 [C0032.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4823E8\",\n      \"label\": \"Function 0x4823E8\",\n      \"type\": \"function\",\n      \"address\": \"0x4823E8\"\n    },\n    {\n      \"id\": \"cap_encode_data_using_base64\",\n      \"label\": \"encode data using Base64\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Obfuscated Files or Information::Encoding-Standard\",\n        \"Algorithm [E1027.m02]\",\n        \"Data::Encode Data::Base64 [C0026.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x41BEAD\",\n      \"label\": \"Function 0x41BEAD\",\n      \"type\": \"function\",\n      \"address\": 
\"0x41BEAD\"\n    },\n    {\n      \"id\": \"cap_hash_data_using_djb2\",\n      \"label\": \"hash data using djb2\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Non-Cryptographic Hash::djb2 [C0030.006]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x408273\",\n      \"label\": \"Function 0x408273\",\n      \"type\": \"function\",\n      \"address\": \"0x408273\"\n    },\n    {\n      \"id\": \"cap_author______awillia2_cisco_com__still_teamt5_org\",\n      \"label\": \"author      awillia2@cisco.com, still@teamt5.org\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Non-Cryptographic Hash::djb2 [C0030.006]\"\n      ]\n    },\n    {\n      \"id\": \"cap_authenticate_hmac\",\n      \"label\": \"authenticate HMAC\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Hashed Message Authentication Code [C0061]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Hashed Message Authentication Code [C0061]\"\n      ]\n    },\n    {\n      \"id\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"label\": \"generate random numbers using a Mersenne Twister (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence [C0021]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x471EC0\",\n      \"label\": \"Function 0x471EC0\",\n      \"type\": \"function\",\n      \"address\": \"0x471EC0\"\n    },\n    {\n      \"id\": \"func_0x471F64\",\n      \"label\": 
\"Function 0x471F64\",\n      \"type\": \"function\",\n      \"address\": \"0x471F64\"\n    },\n    {\n      \"id\": \"func_0x471E7A\",\n      \"label\": \"Function 0x471E7A\",\n      \"type\": \"function\",\n      \"address\": \"0x471E7A\"\n    },\n    {\n      \"id\": \"func_0x471F24\",\n      \"label\": \"Function 0x471F24\",\n      \"type\": \"function\",\n      \"address\": \"0x471F24\"\n    },\n    {\n      \"id\": \"cap_extract_resource_via_kernel32_functions\",\n      \"label\": \"extract resource via kernel32 functions\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x406122\",\n      \"label\": \"Function 0x406122\",\n      \"type\": \"function\",\n      \"address\": \"0x406122\"\n    },\n    {\n      \"id\": \"api_SizeofResource\",\n      \"label\": \"SizeofResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LockResource\",\n      \"label\": \"LockResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LoadResource\",\n      \"label\": \"LoadResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindResourceEx\",\n      \"label\": \"FindResourceEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_list_drag_and_drop_files\",\n      \"label\": \"list drag and drop files\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47EA26\",\n      \"label\": \"Function 0x47EA26\",\n      \"type\": \"function\",\n      \"address\": \"0x47EA26\"\n    },\n    {\n      \"id\": \"api_GetClipboardData\",\n      \"label\": \"GetClipboardData\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"api_DragQueryFile\",\n      \"label\": \"DragQueryFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_open_clipboard__2_matches_\",\n      \"label\": \"open clipboard (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47EC91\",\n      \"label\": \"Function 0x47EC91\",\n      \"type\": \"function\",\n      \"address\": \"0x47EC91\"\n    },\n    {\n      \"id\": \"api_OpenClipboard\",\n      \"label\": \"OpenClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CloseClipboard\",\n      \"label\": \"CloseClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_read_clipboard_data\",\n      \"label\": \"read clipboard data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"api_GlobalUnlock\",\n      \"label\": \"GlobalUnlock\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GlobalLock\",\n      \"label\": \"GlobalLock\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"cap_write_clipboard_data\",\n      \"label\": \"write clipboard data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n   
     \"Impact::Clipboard Modification [E1510]\"\n      ]\n    },\n    {\n      \"id\": \"api_SetClipboardData\",\n      \"label\": \"SetClipboardData\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_EmptyClipboard\",\n      \"label\": \"EmptyClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_interact_with_driver_via_ioctl__4_matches_\",\n      \"label\": \"interact with driver via IOCTL (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"api_DeviceIoControl\",\n      \"label\": \"DeviceIoControl\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_comspec_environment_variable\",\n      \"label\": \"get COMSPEC environment variable\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Environment Variable [C0034]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x41D70E\",\n      \"label\": \"Function 0x41D70E\",\n      \"type\": \"function\",\n      \"address\": \"0x41D70E\"\n    },\n    {\n      \"id\": \"api_GetEnvironmentVariable\",\n      \"label\": \"GetEnvironmentVariable\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____matthew_williams_mandiant_com\",\n      \"label\": \"author     matthew.williams@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Environment Variable [C0034]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_environment_variable__3_matches_\",\n      \"label\": \"query environment variable (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery 
[E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x487559\",\n      \"label\": \"Function 0x487559\",\n      \"type\": \"function\",\n      \"address\": \"0x487559\"\n    },\n    {\n      \"id\": \"func_0x47EE14\",\n      \"label\": \"Function 0x47EE14\",\n      \"type\": \"function\",\n      \"address\": \"0x47EE14\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_environment_variable__2_matches_\",\n      \"label\": \"set environment variable (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Environment Variable::Set Variable [C0034.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47EE84\",\n      \"label\": \"Function 0x47EE84\",\n      \"type\": \"function\",\n      \"address\": \"0x47EE84\"\n    },\n    {\n      \"id\": \"func_0x43D170\",\n      \"label\": \"Function 0x43D170\",\n      \"type\": \"function\",\n      \"address\": \"0x43D170\"\n    },\n    {\n      \"id\": \"api_SetEnvironmentVariable\",\n      \"label\": \"SetEnvironmentVariable\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_common_file_path__9_matches_\",\n      \"label\": \"get common file path (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x48AF20\",\n      \"label\": \"Function 0x48AF20\",\n      \"type\": \"function\",\n      \"address\": \"0x48AF20\"\n    },\n    {\n      \"id\": \"func_0x477D0E\",\n      
\"label\": \"Function 0x477D0E\",\n      \"type\": \"function\",\n      \"address\": \"0x477D0E\"\n    },\n    {\n      \"id\": \"func_0x46DE45\",\n      \"label\": \"Function 0x46DE45\",\n      \"type\": \"function\",\n      \"address\": \"0x46DE45\"\n    },\n    {\n      \"id\": \"func_0x4780B3\",\n      \"label\": \"Function 0x4780B3\",\n      \"type\": \"function\",\n      \"address\": \"0x4780B3\"\n    },\n    {\n      \"id\": \"func_0x472F35\",\n      \"label\": \"Function 0x472F35\",\n      \"type\": \"function\",\n      \"address\": \"0x472F35\"\n    },\n    {\n      \"id\": \"func_0x4779B4\",\n      \"label\": \"Function 0x4779B4\",\n      \"type\": \"function\",\n      \"address\": \"0x4779B4\"\n    },\n    {\n      \"id\": \"func_0x41F962\",\n      \"label\": \"Function 0x41F962\",\n      \"type\": \"function\",\n      \"address\": \"0x41F962\"\n    },\n    {\n      \"id\": \"func_0x40445D\",\n      \"label\": \"Function 0x40445D\",\n      \"type\": \"function\",\n      \"address\": \"0x40445D\"\n    },\n    {\n      \"id\": \"api_SHGetFolderPath\",\n      \"label\": \"SHGetFolderPath\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetTempFileName\",\n      \"label\": \"GetTempFileName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetTempPath\",\n      \"label\": \"GetTempPath\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetCurrentDirectory\",\n      \"label\": \"GetCurrentDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SHGetSpecialFolderLocation\",\n      \"label\": \"SHGetSpecialFolderLocation\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetSystemDirectory\",\n      \"label\": \"GetSystemDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"api_GetWindowsDirectory\",\n      \"label\": \"GetWindowsDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_current_directory__7_matches_\",\n      \"label\": \"set current directory (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x4753D4\",\n      \"label\": \"Function 0x4753D4\",\n      \"type\": \"function\",\n      \"address\": \"0x4753D4\"\n    },\n    {\n      \"id\": \"func_0x4796BB\",\n      \"label\": \"Function 0x4796BB\",\n      \"type\": \"function\",\n      \"address\": \"0x4796BB\"\n    },\n    {\n      \"id\": \"func_0x40AD7C\",\n      \"label\": \"Function 0x40AD7C\",\n      \"type\": \"function\",\n      \"address\": \"0x40AD7C\"\n    },\n    {\n      \"id\": \"func_0x479560\",\n      \"label\": \"Function 0x479560\",\n      \"type\": \"function\",\n      \"address\": \"0x479560\"\n    },\n    {\n      \"id\": \"api_SetCurrentDirectory\",\n      \"label\": \"SetCurrentDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_copy_file__3_matches_\",\n      \"label\": \"copy file (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Copy File [C0045]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46CE1E\",\n      \"label\": \"Function 0x46CE1E\",\n      \"type\": \"function\",\n      \"address\": \"0x46CE1E\"\n    },\n    {\n      \"id\": \"func_0x472865\",\n      \"label\": \"Function 0x472865\",\n      \"type\": \"function\",\n      \"address\": \"0x472865\"\n    },\n    {\n      \"id\": \"func_0x46D1BA\",\n      \"label\": \"Function 0x46D1BA\",\n      \"type\": \"function\",\n      \"address\": \"0x46D1BA\"\n    },\n    {\n      \"id\": \"api_CopyFile\",\n      \"label\": \"CopyFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    
},\n    {\n      \"id\": \"api_SHFileOperation\",\n      \"label\": \"SHFileOperation\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CopyFileEx\",\n      \"label\": \"CopyFileEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_directory__2_matches_\",\n      \"label\": \"create directory (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x473C3C\",\n      \"label\": \"Function 0x473C3C\",\n      \"type\": \"function\",\n      \"address\": \"0x473C3C\"\n    },\n    {\n      \"id\": \"func_0x46D1DF\",\n      \"label\": \"Function 0x46D1DF\",\n      \"type\": \"function\",\n      \"address\": \"0x46D1DF\"\n    },\n    {\n      \"id\": \"api_CreateDirectory\",\n      \"label\": \"CreateDirectory\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_delete_directory__2_matches_\",\n      \"label\": \"delete directory (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete Directory [C0048]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46E77B\",\n      \"label\": \"Function 0x46E77B\",\n      \"type\": \"function\",\n      \"address\": \"0x46E77B\"\n    },\n    {\n      \"id\": \"api_RemoveDirectory\",\n      \"label\": \"RemoveDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_delete_file__6_matches_\",\n      \"label\": \"delete file (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46D2C7\",\n      \"label\": \"Function 
0x46D2C7\",\n      \"type\": \"function\",\n      \"address\": \"0x46D2C7\"\n    },\n    {\n      \"id\": \"func_0x4778BA\",\n      \"label\": \"Function 0x4778BA\",\n      \"type\": \"function\",\n      \"address\": \"0x4778BA\"\n    },\n    {\n      \"id\": \"func_0x4755F7\",\n      \"label\": \"Function 0x4755F7\",\n      \"type\": \"function\",\n      \"address\": \"0x4755F7\"\n    },\n    {\n      \"id\": \"func_0x46CF94\",\n      \"label\": \"Function 0x46CF94\",\n      \"type\": \"function\",\n      \"address\": \"0x46CF94\"\n    },\n    {\n      \"id\": \"api_DeleteFile\",\n      \"label\": \"DeleteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_check_if_file_exists__3_matches_\",\n      \"label\": \"check if file exists (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46DADC\",\n      \"label\": \"Function 0x46DADC\",\n      \"type\": \"function\",\n      \"address\": \"0x46DADC\"\n    },\n    {\n      \"id\": \"func_0x46E0B7\",\n      \"label\": \"Function 0x46E0B7\",\n      \"type\": \"function\",\n      \"address\": \"0x46E0B7\"\n    },\n    {\n      \"id\": \"api_GetFileAttributes\",\n      \"label\": \"GetFileAttributes\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"api_GetLastError\",\n      \"label\": \"GetLastError\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"label\": \"enumerate files on Windows (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x475BB5\",\n      \"label\": 
\"Function 0x475BB5\",\n      \"type\": \"function\",\n      \"address\": \"0x475BB5\"\n    },\n    {\n      \"id\": \"func_0x479A49\",\n      \"label\": \"Function 0x479A49\",\n      \"type\": \"function\",\n      \"address\": \"0x479A49\"\n    },\n    {\n      \"id\": \"api_FindFirstFile\",\n      \"label\": \"FindFirstFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindNextFile\",\n      \"label\": \"FindNextFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindClose\",\n      \"label\": \"FindClose\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_files_recursively__3_matches_\",\n      \"label\": \"enumerate files recursively (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     @_re_fox, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_attributes__5_matches_\",\n      \"label\": \"get file attributes (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File 
Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x46E0B7\",\n      \"label\": \"Block 0x46E0B7\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46E0B7\"\n    },\n    {\n      \"id\": \"bb_0x46D1DF\",\n      \"label\": \"Block 0x46D1DF\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46D1DF\"\n    },\n    {\n      \"id\": \"bb_0x4795B8\",\n      \"label\": \"Block 0x4795B8\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4795B8\"\n    },\n    {\n      \"id\": \"bb_0x477F04\",\n      \"label\": \"Block 0x477F04\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x477F04\"\n    },\n    {\n      \"id\": \"bb_0x46DAFA\",\n      \"label\": \"Block 0x46DAFA\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46DAFA\"\n    },\n    {\n      \"id\": \"cap_get_file_size__2_matches_\",\n      \"label\": \"get file size (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x498461\",\n      \"label\": \"Function 0x498461\",\n      \"type\": \"function\",\n      \"address\": \"0x498461\"\n    },\n    {\n      \"id\": \"func_0x482A05\",\n      \"label\": \"Function 0x482A05\",\n      \"type\": \"function\",\n      \"address\": \"0x482A05\"\n    },\n    {\n      \"id\": \"api_GetFileSize\",\n      \"label\": \"GetFileSize\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_file_version_info\",\n      \"label\": \"get file version info\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46DB2C\",\n      \"label\": \"Function 0x46DB2C\",\n      \"type\": \"function\",\n      \"address\": \"0x46DB2C\"\n    },\n    {\n      
\"id\": \"api_GetFileVersionInfo\",\n      \"label\": \"GetFileVersionInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetFileVersionInfoSize\",\n      \"label\": \"GetFileVersionInfoSize\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_VerQueryValue\",\n      \"label\": \"VerQueryValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_file_attributes__2_matches_\",\n      \"label\": \"set file attributes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Set File Attributes [C0050]\"\n      ]\n    },\n    {\n      \"id\": \"api_SetFileAttributes\",\n      \"label\": \"SetFileAttributes\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_move_file__3_matches_\",\n      \"label\": \"move file (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Move File [C0063]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46E319\",\n      \"label\": \"Function 0x46E319\",\n      \"type\": \"function\",\n      \"address\": \"0x46E319\"\n    },\n    {\n      \"id\": \"api_MoveFile\",\n      \"label\": \"MoveFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_read__ini_file__4_matches_\",\n      \"label\": \"read .ini file (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4783FD\",\n      \"label\": \"Function 0x4783FD\",\n      \"type\": \"function\",\n      \"address\": \"0x4783FD\"\n    },\n    {\n      \"id\": \"func_0x4787FC\",\n      \"label\": \"Function 0x4787FC\",\n      
\"type\": \"function\",\n      \"address\": \"0x4787FC\"\n    },\n    {\n      \"id\": \"func_0x478A19\",\n      \"label\": \"Function 0x478A19\",\n      \"type\": \"function\",\n      \"address\": \"0x478A19\"\n    },\n    {\n      \"id\": \"func_0x4784BF\",\n      \"label\": \"Function 0x4784BF\",\n      \"type\": \"function\",\n      \"address\": \"0x4784BF\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileSection\",\n      \"label\": \"GetPrivateProfileSection\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileString\",\n      \"label\": \"GetPrivateProfileString\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileSectionNames\",\n      \"label\": \"GetPrivateProfileSectionNames\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     @_re_fox, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_file_on_windows__9_matches_\",\n      \"label\": \"read file on Windows (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x472475\",\n      \"label\": \"Function 0x472475\",\n      \"type\": \"function\",\n      \"address\": \"0x472475\"\n    },\n    {\n      \"id\": \"func_0x47070D\",\n      \"label\": \"Function 0x47070D\",\n      \"type\": \"function\",\n      \"address\": \"0x47070D\"\n    },\n    {\n      \"id\": \"func_0x43921B\",\n      \"label\": \"Function 0x43921B\",\n      \"type\": \"function\",\n      \"address\": \"0x43921B\"\n    },\n    {\n      \"id\": 
\"func_0x40B3B0\",\n      \"label\": \"Function 0x40B3B0\",\n      \"type\": \"function\",\n      \"address\": \"0x40B3B0\"\n    },\n    {\n      \"id\": \"func_0x4725B1\",\n      \"label\": \"Function 0x4725B1\",\n      \"type\": \"function\",\n      \"address\": \"0x4725B1\"\n    },\n    {\n      \"id\": \"func_0x40B230\",\n      \"label\": \"Function 0x40B230\",\n      \"type\": \"function\",\n      \"address\": \"0x40B230\"\n    },\n    {\n      \"id\": \"func_0x406A95\",\n      \"label\": \"Function 0x406A95\",\n      \"type\": \"function\",\n      \"address\": \"0x406A95\"\n    },\n    {\n      \"id\": \"api_ReadFile\",\n      \"label\": \"ReadFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"api__read\",\n      \"label\": \"_read\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_fread\",\n      \"label\": \"fread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_clear_file_content\",\n      \"label\": \"clear file content\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x477FD5\",\n      \"label\": \"Function 0x477FD5\",\n      \"type\": \"function\",\n      \"address\": \"0x477FD5\"\n    },\n    {\n      \"id\": \"api_SetFilePointer\",\n      \"label\": \"SetFilePointer\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SetEndOfFile\",\n      \"label\": 
\"SetEndOfFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____jakeperalta7\",\n      \"label\": \"author     jakeperalta7\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_write_file_on_windows__7_matches_\",\n      \"label\": \"write file on Windows (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x472642\",\n      \"label\": \"Function 0x472642\",\n      \"type\": \"function\",\n      \"address\": \"0x472642\"\n    },\n    {\n      \"id\": \"func_0x4725F5\",\n      \"label\": \"Function 0x4725F5\",\n      \"type\": \"function\",\n      \"address\": \"0x4725F5\"\n    },\n    {\n      \"id\": \"func_0x46CC1D\",\n      \"label\": \"Function 0x46CC1D\",\n      \"type\": \"function\",\n      \"address\": \"0x46CC1D\"\n    },\n    {\n      \"id\": \"func_0x470633\",\n      \"label\": \"Function 0x470633\",\n      \"type\": \"function\",\n      \"address\": \"0x470633\"\n    },\n    {\n      \"id\": \"func_0x41F5B3\",\n      \"label\": \"Function 0x41F5B3\",\n      \"type\": \"function\",\n      \"address\": \"0x41F5B3\"\n    },\n    {\n      \"id\": \"api_WriteFile\",\n      \"label\": \"WriteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_enumerate_gui_resources\",\n      \"label\": \"enumerate gui resources\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x464144\",\n      \"label\": \"Function 0x464144\",\n      \"type\": \"function\",\n      \"address\": \"0x464144\"\n    },\n    {\n      \"id\": \"api_EnumWindows\",\n      \"label\": \"EnumWindows\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     johnk3r, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_find_taskbar__3_matches_\",\n      \"label\": \"find taskbar (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Taskbar Discovery [B0043]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x492255\",\n      \"label\": \"Block 0x492255\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x492255\"\n    },\n    {\n      \"id\": \"bb_0x492289\",\n      \"label\": \"Block 0x492289\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x492289\"\n    },\n    {\n      \"id\": \"bb_0x41EFCE\",\n      \"label\": \"Block 0x41EFCE\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x41EFCE\"\n    },\n    {\n      \"id\": \"api_FindWindow\",\n      \"label\": \"FindWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_find_graphical_window__4_matches_\",\n      \"label\": \"find graphical window (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": 
\"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"api_FindWindowEx\",\n      \"label\": \"FindWindowEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_graphical_window_text__11_matches_\",\n      \"label\": \"get graphical window text (11 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [E1010]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x465B9A\",\n      \"label\": \"Function 0x465B9A\",\n      \"type\": \"function\",\n      \"address\": \"0x465B9A\"\n    },\n    {\n      \"id\": \"func_0x461A70\",\n      \"label\": \"Function 0x461A70\",\n      \"type\": \"function\",\n      \"address\": \"0x461A70\"\n    },\n    {\n      \"id\": \"func_0x491E0D\",\n      \"label\": \"Function 0x491E0D\",\n      \"type\": \"function\",\n      \"address\": \"0x491E0D\"\n    },\n    {\n      \"id\": \"func_0x47E8F7\",\n      \"label\": \"Function 0x47E8F7\",\n      \"type\": \"function\",\n      \"address\": \"0x47E8F7\"\n    },\n    {\n      \"id\": \"func_0x4972B7\",\n      \"label\": \"Function 0x4972B7\",\n      \"type\": \"function\",\n      \"address\": \"0x4972B7\"\n    },\n    {\n      \"id\": \"func_0x46489C\",\n      \"label\": \"Function 0x46489C\",\n      \"type\": \"function\",\n      \"address\": \"0x46489C\"\n    },\n    {\n      \"id\": \"func_0x496FA4\",\n      \"label\": \"Function 0x496FA4\",\n      \"type\": \"function\",\n      \"address\": \"0x496FA4\"\n    },\n    {\n      \"id\": \"func_0x463B0C\",\n      \"label\": \"Function 0x463B0C\",\n      \"type\": \"function\",\n      \"address\": \"0x463B0C\"\n    },\n    {\n      \"id\": \"func_0x46359E\",\n      \"label\": \"Function 0x46359E\",\n      \"type\": \"function\",\n      \"address\": \"0x46359E\"\n    },\n    {\n      \"id\": \"func_0x464BD3\",\n   
   \"label\": \"Function 0x464BD3\",\n      \"type\": \"function\",\n      \"address\": \"0x464BD3\"\n    },\n    {\n      \"id\": \"func_0x4947A8\",\n      \"label\": \"Function 0x4947A8\",\n      \"type\": \"function\",\n      \"address\": \"0x4947A8\"\n    },\n    {\n      \"id\": \"api_SendMessage\",\n      \"label\": \"SendMessage\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_IsWindowVisible\",\n      \"label\": \"IsWindowVisible\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetWindowText\",\n      \"label\": \"GetWindowText\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_hide_graphical_window__8_matches_\",\n      \"label\": \"hide graphical window (8 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x49A198\",\n      \"label\": \"Block 0x49A198\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x49A198\"\n    },\n    {\n      \"id\": \"bb_0x4981BF\",\n      \"label\": \"Block 0x4981BF\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4981BF\"\n    },\n    {\n      \"id\": \"bb_0x4827C2\",\n      \"label\": \"Block 0x4827C2\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4827C2\"\n    },\n    {\n      \"id\": \"bb_0x45F0F9\",\n      \"label\": \"Block 0x45F0F9\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x45F0F9\"\n    },\n    {\n      \"id\": \"bb_0x49015D\",\n      \"label\": \"Block 0x49015D\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x49015D\"\n    },\n    {\n      \"id\": \"bb_0x4950F2\",\n      \"label\": \"Block 0x4950F2\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4950F2\"\n    },\n    {\n      \"id\": \"bb_0x49813A\",\n      \"label\": 
\"Block 0x49813A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x49813A\"\n    },\n    {\n      \"id\": \"bb_0x496B61\",\n      \"label\": \"Block 0x496B61\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x496B61\"\n    },\n    {\n      \"id\": \"api_ShowWindow\",\n      \"label\": \"ShowWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_keyboard_layout\",\n      \"label\": \"get keyboard layout\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery::System Language Discovery\",\n        \"[T1614.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetKeyboardLayoutName\",\n      \"label\": \"GetKeyboardLayoutName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_memory_capacity\",\n      \"label\": \"get memory capacity\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x41F370\",\n      \"label\": \"Function 0x41F370\",\n      \"type\": \"function\",\n      \"address\": \"0x41F370\"\n    },\n    {\n      \"id\": \"api_GlobalMemoryStatusEx\",\n      \"label\": \"GlobalMemoryStatusEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_disk_information__6_matches_\",\n      \"label\": \"get disk information (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x474912\",\n      \"label\": \"Function 0x474912\",\n      \"type\": \"function\",\n      \"address\": \"0x474912\"\n    },\n    {\n      \"id\": \"func_0x4743DE\",\n      \"label\": 
\"Function 0x4743DE\",\n      \"type\": \"function\",\n      \"address\": \"0x4743DE\"\n    },\n    {\n      \"id\": \"func_0x473D97\",\n      \"label\": \"Function 0x473D97\",\n      \"type\": \"function\",\n      \"address\": \"0x473D97\"\n    },\n    {\n      \"id\": \"func_0x4749FD\",\n      \"label\": \"Function 0x4749FD\",\n      \"type\": \"function\",\n      \"address\": \"0x4749FD\"\n    },\n    {\n      \"id\": \"func_0x474844\",\n      \"label\": \"Function 0x474844\",\n      \"type\": \"function\",\n      \"address\": \"0x474844\"\n    },\n    {\n      \"id\": \"func_0x474776\",\n      \"label\": \"Function 0x474776\",\n      \"type\": \"function\",\n      \"address\": \"0x474776\"\n    },\n    {\n      \"id\": \"api_GetVolumeInformation\",\n      \"label\": \"GetVolumeInformation\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetDriveType\",\n      \"label\": \"GetDriveType\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_disk_size__3_matches_\",\n      \"label\": \"get disk size (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4750EB\",\n      \"label\": \"Function 0x4750EB\",\n      \"type\": \"function\",\n      \"address\": \"0x4750EB\"\n    },\n    {\n      \"id\": \"func_0x4751CE\",\n      \"label\": \"Function 0x4751CE\",\n      \"type\": \"function\",\n      \"address\": \"0x4751CE\"\n    },\n    {\n      \"id\": \"func_0x4752B1\",\n      \"label\": \"Function 0x4752B1\",\n      \"type\": \"function\",\n      \"address\": \"0x4752B1\"\n    },\n    {\n      \"id\": \"api_GetDiskFreeSpaceEx\",\n      \"label\": \"GetDiskFreeSpaceEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetDiskFreeSpace\",\n      \"label\": 
\"GetDiskFreeSpace\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_storage_device_properties__2_matches_\",\n      \"label\": \"get storage device properties (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x46D509\",\n      \"label\": \"Function 0x46D509\",\n      \"type\": \"function\",\n      \"address\": \"0x46D509\"\n    },\n    {\n      \"id\": \"func_0x46D588\",\n      \"label\": \"Function 0x46D588\",\n      \"type\": \"function\",\n      \"address\": \"0x46D588\"\n    },\n    {\n      \"id\": \"cap_print_debug_messages\",\n      \"label\": \"print debug messages\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"api_OutputDebugString\",\n      \"label\": \"OutputDebugString\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_shutdown_system\",\n      \"label\": \"shutdown system\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::System Shutdown/Reboot [T1529]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46E814\",\n      \"label\": \"Function 0x46E814\",\n      \"type\": \"function\",\n      \"address\": \"0x46E814\"\n    },\n    {\n      \"id\": \"api_ExitWindowsEx\",\n      \"label\": \"ExitWindowsEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_InitiateSystemShutdownEx\",\n      \"label\": \"InitiateSystemShutdownEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_hostname__2_matches_\",\n      \"label\": \"get hostname (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n  
  },\n    {\n      \"id\": \"api_GetComputerName\",\n      \"label\": \"GetComputerName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_gethostname\",\n      \"label\": \"gethostname\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_system_information_on_windows\",\n      \"label\": \"get system information on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40615E\",\n      \"label\": \"Function 0x40615E\",\n      \"type\": \"function\",\n      \"address\": \"0x40615E\"\n    },\n    {\n      \"id\": \"api_GetSystemInfo\",\n      \"label\": \"GetSystemInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_process_on_windows__6_matches_\",\n      \"label\": \"create process on Windows (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x461472\",\n      \"label\": \"Block 0x461472\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x461472\"\n    },\n    {\n      \"id\": \"bb_0x48B2C1\",\n      \"label\": \"Block 0x48B2C1\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x48B2C1\"\n    },\n    {\n      \"id\": \"bb_0x4437E0\",\n      \"label\": \"Block 0x4437E0\",\n      \"type\": \"basic_block\",\n      
\"address\": \"0x4437E0\"\n    },\n    {\n      \"id\": \"bb_0x48AD7A\",\n      \"label\": \"Block 0x48AD7A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x48AD7A\"\n    },\n    {\n      \"id\": \"bb_0x46134A\",\n      \"label\": \"Block 0x46134A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46134A\"\n    },\n    {\n      \"id\": \"bb_0x498064\",\n      \"label\": \"Block 0x498064\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x498064\"\n    },\n    {\n      \"id\": \"api_CreateProcess\",\n      \"label\": \"CreateProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_CreateProcessWithLogon\",\n      \"label\": \"CreateProcessWithLogon\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_ShellExecute\",\n      \"label\": \"ShellExecute\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_CreateProcessAsUser\",\n      \"label\": \"CreateProcessAsUser\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_ShellExecuteEx\",\n      \"label\": \"ShellExecuteEx\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_allocate_or_change_rwx_memory\",\n      \"label\": \"allocate or change RWX memory\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x489881\",\n      \"label\": \"Block 0x489881\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x489881\"\n    },\n    {\n      \"id\": \"api_VirtualAlloc\",\n      \"label\": \"VirtualAlloc\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______mr_tz__mehunhoff_google_com\",\n      \"label\": \"author     @mr-tz, mehunhoff@google.com\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_processes__2_matches_\",\n      \"label\": \"enumerate processes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\",\n        \"Discovery::Software Discovery\",\n        \"[T1518]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x48A5A3\",\n      \"label\": \"Function 0x48A5A3\",\n      \"type\": \"function\",\n      \"address\": \"0x48A5A3\"\n    },\n    {\n      \"id\": \"func_0x46D3FA\",\n      \"label\": \"Function 0x46D3FA\",\n      \"type\": \"function\",\n      \"address\": \"0x46D3FA\"\n    },\n    {\n      \"id\": \"api_CreateToolhelp32Snapshot\",\n      \"label\": \"CreateToolhelp32Snapshot\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_Process32First\",\n      \"label\": \"Process32First\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_Process32Next\",\n      \"label\": \"Process32Next\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_acquire_debug_privileges\",\n      \"label\": \"acquire debug privileges\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x48A0B6\",\n      \"label\": \"Block 0x48A0B6\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x48A0B6\"\n    },\n    {\n      \"id\": \"cap_modify_access_privileges__2_matches_\",\n      \"label\": \"modify access privileges (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        
\"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": \"api_AdjustTokenPrivileges\",\n      \"label\": \"AdjustTokenPrivileges\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_terminate_process__3_matches_\",\n      \"label\": \"terminate process (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Process [C0018]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x487E80\",\n      \"label\": \"Function 0x487E80\",\n      \"type\": \"function\",\n      \"address\": \"0x487E80\"\n    },\n    {\n      \"id\": \"func_0x46EA3E\",\n      \"label\": \"Function 0x46EA3E\",\n      \"type\": \"function\",\n      \"address\": \"0x46EA3E\"\n    },\n    {\n      \"id\": \"func_0x48A009\",\n      \"label\": \"Function 0x48A009\",\n      \"type\": \"function\",\n      \"address\": \"0x48A009\"\n    },\n    {\n      \"id\": \"api_TerminateProcess\",\n      \"label\": \"TerminateProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_empty_the_recycle_bin\",\n      \"label\": \"empty the recycle bin\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x477953\",\n      \"label\": \"Function 0x477953\",\n      \"type\": \"function\",\n      \"address\": \"0x477953\"\n    },\n    {\n      \"id\": \"api_SHEmptyRecycleBin\",\n      \"label\": \"SHEmptyRecycleBin\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_key__2_matches_\",\n      \"label\": \"query or enumerate registry key (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Key [C0036.005]\"\n      ]\n    },\n    
{\n      \"id\": \"func_0x48CB5B\",\n      \"label\": \"Function 0x48CB5B\",\n      \"type\": \"function\",\n      \"address\": \"0x48CB5B\"\n    },\n    {\n      \"id\": \"func_0x48B8F0\",\n      \"label\": \"Function 0x48B8F0\",\n      \"type\": \"function\",\n      \"address\": \"0x48B8F0\"\n    },\n    {\n      \"id\": \"api_RegEnumKeyEx\",\n      \"label\": \"RegEnumKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"label\": \"query or enumerate registry value (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Value [C0036.006]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x48BB02\",\n      \"label\": \"Function 0x48BB02\",\n      \"type\": \"function\",\n      \"address\": \"0x48BB02\"\n    },\n    {\n      \"id\": \"func_0x4059A7\",\n      \"label\": \"Function 0x4059A7\",\n      \"type\": \"function\",\n      \"address\": \"0x4059A7\"\n    },\n    {\n      \"id\": \"func_0x48BD6B\",\n      \"label\": \"Function 0x48BD6B\",\n      \"type\": \"function\",\n      \"address\": \"0x48BD6B\"\n    },\n    {\n      \"id\": \"func_0x40533E\",\n      \"label\": \"Function 0x40533E\",\n      \"type\": \"function\",\n      \"address\": \"0x40533E\"\n    },\n    {\n      \"id\": \"api_RegEnumValue\",\n      \"label\": \"RegEnumValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_RegQueryValueEx\",\n      \"label\": \"RegQueryValueEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_registry_value\",\n      \"label\": \"set registry value\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Set Registry Key [C0036.001]\"\n      ]\n    },\n   
 {\n      \"id\": \"func_0x48C2DE\",\n      \"label\": \"Function 0x48C2DE\",\n      \"type\": \"function\",\n      \"address\": \"0x48C2DE\"\n    },\n    {\n      \"id\": \"api_RegSetValueEx\",\n      \"label\": \"RegSetValueEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"api_RegCreateKeyEx\",\n      \"label\": \"RegCreateKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_delete_registry_key__2_matches_\",\n      \"label\": \"delete registry key (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x48B535\",\n      \"label\": \"Function 0x48B535\",\n      \"type\": \"function\",\n      \"address\": \"0x48B535\"\n    },\n    {\n      \"id\": \"api_RegDeleteKey\",\n      \"label\": \"RegDeleteKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_registry_value\",\n      \"label\": \"delete registry value\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Value [C0036.007]\"\n      ]\n    },\n    {\n      \"id\": \"api_RegDeleteValue\",\n      \"label\": \"RegDeleteValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_session_user_name\",\n      
\"label\": \"get session user name\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\",\n        \"Discovery::Account\",\n        \"Discovery [T1087]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetUserName\",\n      \"label\": \"GetUserName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_token_membership\",\n      \"label\": \"get token membership\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4615A7\",\n      \"label\": \"Function 0x4615A7\",\n      \"type\": \"function\",\n      \"address\": \"0x4615A7\"\n    },\n    {\n      \"id\": \"api_FreeSid\",\n      \"label\": \"FreeSid\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_AllocateAndInitializeSid\",\n      \"label\": \"AllocateAndInitializeSid\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CheckTokenMembership\",\n      \"label\": \"CheckTokenMembership\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_token_privileges\",\n      \"label\": \"get token privileges\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x460F58\",\n      \"label\": \"Function 0x460F58\",\n      \"type\": \"function\",\n      \"address\": \"0x460F58\"\n    },\n    {\n      \"id\": \"api_GetTokenInformation\",\n      \"label\": \"GetTokenInformation\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_thread__5_matches_\",\n      \"label\": \"create thread (5 matches)\",\n      \"type\": \"capability\",\n      
\"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x470870\",\n      \"label\": \"Block 0x470870\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x470870\"\n    },\n    {\n      \"id\": \"bb_0x46E114\",\n      \"label\": \"Block 0x46E114\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46E114\"\n    },\n    {\n      \"id\": \"bb_0x47D13B\",\n      \"label\": \"Block 0x47D13B\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x47D13B\"\n    },\n    {\n      \"id\": \"bb_0x461747\",\n      \"label\": \"Block 0x461747\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x461747\"\n    },\n    {\n      \"id\": \"api_CreateThread\",\n      \"label\": \"CreateThread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api__beginthread\",\n      \"label\": \"_beginthread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api__beginthreadex\",\n      \"label\": \"_beginthreadex\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"joakim@intezer.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_terminate_thread\",\n      \"label\": \"terminate thread\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Thread [C0039]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4708A6\",\n      \"label\": \"Block 0x4708A6\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4708A6\"\n    },\n    {\n      \"id\": \"api_TerminateThread\",\n      \"label\": 
\"TerminateThread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_impersonate_user\",\n      \"label\": \"impersonate user\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation::Token\",\n        \"Impersonation/Theft [T1134.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x461145\",\n      \"label\": \"Function 0x461145\",\n      \"type\": \"function\",\n      \"address\": \"0x461145\"\n    },\n    {\n      \"id\": \"api_LoadUserProfile\",\n      \"label\": \"LoadUserProfile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LogonUser\",\n      \"label\": \"LogonUser\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__99_elad_levi_gmail_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, 99.elad.levi@gmail.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation::Token\",\n        \"Impersonation/Theft [T1134.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap__internal__autoit_file_limitation\",\n      \"label\": \"(internal) autoit file limitation\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_link_function_at_runtime_on_windows__13_matches_\",\n      \"label\": \"link function at runtime on Windows (13 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetProcAddress\",\n      \"label\": \"GetProcAddress\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_parse_pe_header\",\n      \"label\": \"parse PE header\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40B7E0\",\n      \"label\": \"Function 0x40B7E0\",\n      \"type\": \"function\",\n      \"address\": \"0x40B7E0\"\n    },\n    {\n      \"id\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"label\": \"resolve function by parsing PE exports (15 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x466502\",\n      \"label\": \"Function 0x466502\",\n      \"type\": \"function\",\n      \"address\": \"0x466502\"\n    },\n    {\n      \"id\": \"func_0x4681EE\",\n      \"label\": \"Function 0x4681EE\",\n      \"type\": \"function\",\n      \"address\": \"0x4681EE\"\n    },\n    {\n      \"id\": \"func_0x4763AC\",\n      \"label\": \"Function 0x4763AC\",\n      \"type\": \"function\",\n      \"address\": \"0x4763AC\"\n    },\n    {\n      \"id\": \"func_0x40D840\",\n      \"label\": \"Function 0x40D840\",\n      \"type\": \"function\",\n      \"address\": \"0x40D840\"\n    },\n    {\n      \"id\": \"func_0x408BAA\",\n      \"label\": \"Function 0x408BAA\",\n      \"type\": \"function\",\n      \"address\": \"0x408BAA\"\n    },\n    {\n      \"id\": \"func_0x476E0F\",\n      \"label\": \"Function 0x476E0F\",\n      \"type\": \"function\",\n      \"address\": \"0x476E0F\"\n    },\n    {\n      \"id\": \"func_0x4095C0\",\n      \"label\": \"Function 
0x4095C0\",\n      \"type\": \"function\",\n      \"address\": \"0x4095C0\"\n    },\n    {\n      \"id\": \"func_0x401641\",\n      \"label\": \"Function 0x401641\",\n      \"type\": \"function\",\n      \"address\": \"0x401641\"\n    },\n    {\n      \"id\": \"func_0x47902A\",\n      \"label\": \"Function 0x47902A\",\n      \"type\": \"function\",\n      \"address\": \"0x47902A\"\n    },\n    {\n      \"id\": \"func_0x40A180\",\n      \"label\": \"Function 0x40A180\",\n      \"type\": \"function\",\n      \"address\": \"0x40A180\"\n    },\n    {\n      \"id\": \"func_0x410540\",\n      \"label\": \"Function 0x410540\",\n      \"type\": \"function\",\n      \"address\": \"0x410540\"\n    },\n    {\n      \"id\": \"func_0x490F26\",\n      \"label\": \"Function 0x490F26\",\n      \"type\": \"function\",\n      \"address\": \"0x490F26\"\n    },\n    {\n      \"id\": \"cap_author_____sara_rn\",\n      \"label\": \"author     sara-rn\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_execute_shellcode_via_indirect_call\",\n      \"label\": \"execute shellcode via indirect call\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4895BB\",\n      \"label\": \"Function 0x4895BB\",\n      \"type\": \"function\",\n      \"address\": \"0x4895BB\"\n    },\n    {\n      \"id\": \"cap_author_____ronnie_salomonsen_mandiant_com\",\n      \"label\": \"author     ronnie.salomonsen@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_shortcut_via_ishelllink__2_matches_\",\n      \"label\": \"create shortcut via IShellLink (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": 
\"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Boot or Logon Autostart Execution::Shortcut\",\n        \"Modification [T1547.009]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47573C\",\n      \"label\": \"Function 0x47573C\",\n      \"type\": \"function\",\n      \"address\": \"0x47573C\"\n    },\n    {\n      \"id\": \"api_CoCreateInstance\",\n      \"label\": \"CoCreateInstance\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______matthew_williams_mandiant_com\",\n      \"label\": \"author      matthew.williams@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Boot or Logon Autostart Execution::Shortcut\",\n        \"Modification [T1547.009]\"\n      ]\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_allocate_memory__2_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_allocate_memory__2_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x46B26C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_loop__489_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_contain_loop__489_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x401202\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_or_open_file__13_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"malware_file\",\n      \"target\": \"cap_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_rule_\",\n      \"target\": \"bb_0x40533E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delay_execution__37_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delay_execution__37_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x40F4AF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_open_process__7_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_open_process__7_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x46B26C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"target\": \"func_0x469B7E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"target\": \"func_0x469B67\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"target\": \"func_0x46E899\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_for_time_delay_via_queryperformancecounter__4_matches_\",\n      \"target\": \"func_0x46AFC6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x469B7E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x469B67\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E899\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46AFC6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_for_unmoving_mouse_cursor__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_for_unmoving_mouse_cursor__2_matches_\",\n      \"target\": \"func_0x498EBB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_for_unmoving_mouse_cursor__2_matches_\",\n      \"target\": \"func_0x499468\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______bitsofbinary\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______bitsofbinary\",\n      \"target\": \"func_0x498EBB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______bitsofbinary\",\n      \"target\": \"func_0x499468\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x46B04D\",\n      \"relationship\": \"implemented_by\"\n    },\n    
{\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x46B198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x463985\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x46B1FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x4034CE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x4624E6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x41EFAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x46A90B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes__9_matches_\",\n      \"target\": \"func_0x462CEB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46B04D\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463985\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B1FD\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4034CE\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4624E6\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n 
     \"source\": \"func_0x41EFAD\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x462CEB\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B04D\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463985\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B1FD\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4034CE\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4624E6\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EFAD\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x462CEB\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x46B04D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": 
\"func_0x46B198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x463985\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x46B1FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4034CE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4624E6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x41EFAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x46A90B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x462CEB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46B04D\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463985\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B1FD\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4034CE\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4624E6\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x41EFAD\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x462CEB\",\n      \"target\": \"api_MapVirtualKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B04D\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463985\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B1FD\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4034CE\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4624E6\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EFAD\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x462CEB\",\n      \"target\": \"api_AttachThreadInput\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x499468\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": 
\"func_0x46AABA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x46ADD8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x46ABF8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x469EAF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x46A975\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x4028C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x46B198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x46A90B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x41EA9A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__11_matches_\",\n      \"target\": \"func_0x469B97\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": 
\"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x499468\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46AABA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46ADD8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46ABF8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x469EAF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46A975\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4028C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46B198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46A90B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x41EA9A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x469B97\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_VkKeyScan\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetAsyncKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x499468\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469EAF\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetKeyboardState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x499468\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46AABA\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ADD8\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ABF8\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x469EAF\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A975\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4028C0\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B198\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A90B\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41EA9A\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x469B97\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_capture_screenshot\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_capture_screenshot\",\n      \"target\": \"func_0x482483\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_GetDIBits\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_CreateCompatibleBitmap\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_GetDC\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_CreateCompatibleDC\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com____re_fox__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com____re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": 
\"func_0x482483\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_GetDIBits\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_CreateCompatibleBitmap\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_GetDC\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482483\",\n      \"target\": \"api_CreateCompatibleDC\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_remote_server_for_available_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_remote_server_for_available_data\",\n      \"target\": \"bb_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_data__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_receive_data__4_matches_\",\n      \"target\": \"func_0x481B87\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_receive_data__4_matches_\",\n      \"target\": \"func_0x48135A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_receive_data__4_matches_\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_receive_data__4_matches_\",\n      \"target\": \"func_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      
\"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x481B87\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x48135A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_data__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_send_data__3_matches_\",\n      \"target\": \"func_0x481F24\",\n      \"relationship\": \"implemented_by\"\n    
},\n    {\n      \"source\": \"cap_send_data__3_matches_\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_send_data__3_matches_\",\n      \"target\": \"func_0x4814F1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x47C394\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x481F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______william_ballenthin_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x4814F1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_sendto\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_download_and_write_a_file\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_download_and_write_a_file\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_maec_malware_category__downloader\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_maec_malware_category__downloader\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_and_write_data_from_server_to_client\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_receive_and_write_data_from_server_to_client\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_resolve_dns__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_resolve_dns__3_matches_\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n 
   },\n    {\n      \"source\": \"cap_resolve_dns__3_matches_\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_dns__3_matches_\",\n      \"target\": \"func_0x481288\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481288\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x481288\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481288\",\n      \"target\": \"api_gethostbyname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_network_resource\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_connect_network_resource\",\n      \"target\": \"func_0x4605C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"func_0x4605C7\",\n      \"target\": \"api_WNetAddConnection2\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4605C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_WNetAddConnection2\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_parse_url\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_parse_url\",\n      \"target\": \"bb_0x47D012\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x47D012\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_to_http_server__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_connect_to_http_server__2_matches_\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_connect_to_http_server__2_matches_\",\n      \"target\": \"func_0x47C061\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C061\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      
\"target\": \"func_0x47C061\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C061\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_to_url\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_http_request\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_http_request\",\n      \"target\": \"func_0x47CC3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CC3C\",\n      \"target\": \"api_InternetOpen\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CC3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CC3C\",\n      \"target\": \"api_InternetOpen\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_data_from_internet__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_data_from_internet__2_matches_\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_data_from_internet__2_matches_\",\n      \"target\": \"func_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CE38\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CE38\",\n      \"target\": \"api_InternetReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_http_request\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_send_http_request\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47C394\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpOpenRequest\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_HttpSendRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C394\",\n      \"target\": \"api_InternetConnect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_icmp_echo_request\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_send_icmp_echo_request\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpCloseHandle\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpSendEcho\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpCreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpCloseHandle\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpSendEcho\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_IcmpCreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_pipe__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_pipe__2_matches_\",\n      \"target\": \"func_0x4703F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_create_pipe__2_matches_\",\n      \"target\": \"func_0x4704C5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4703F0\",\n      \"target\": \"api_CreatePipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4704C5\",\n      \"target\": \"api_CreatePipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4703F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4704C5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4703F0\",\n      \"target\": \"api_CreatePipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4704C5\",\n      \"target\": \"api_CreatePipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_socket\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_connect_socket\",\n      \"target\": \"bb_0x4810AF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_mrhafizfarhad_gmail_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_mrhafizfarhad_gmail_com\",\n      \"target\": \"bb_0x4810AF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_socket_status\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_socket_status\",\n      \"target\": \"func_0x483070\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x483070\",\n      \"target\": \"api_select\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x483070\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x483070\",\n      \"target\": \"api_select\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_initialize_winsock_library__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_initialize_winsock_library__3_matches_\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_initialize_winsock_library__3_matches_\",\n      \"target\": \"func_0x4815DA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_initialize_winsock_library__3_matches_\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4815DA\",\n      \"target\": \"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4815DA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4815DA\",\n      \"target\": 
\"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_WSAStartup\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_socket_configuration__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_socket_configuration__3_matches_\",\n      \"target\": \"func_0x482F75\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_socket_configuration__3_matches_\",\n      \"target\": \"func_0x4819FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_socket_configuration__3_matches_\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482F75\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4819FD\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482F75\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4819FD\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x482F75\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4819FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x480482\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x482F75\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4819FD\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_setsockopt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482F75\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4819FD\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480482\",\n      \"target\": \"api_ioctlsocket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_data_on_socket__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_receive_data_on_socket__2_matches_\",\n      \"target\": \"func_0x481B87\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_receive_data_on_socket__2_matches_\",\n      \"target\": \"func_0x48135A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x481B87\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x48135A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recvfrom\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481B87\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48135A\",\n      \"target\": \"api_recv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_send_data_on_socket__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_send_data_on_socket__2_matches_\",\n      \"target\": \"func_0x481F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_send_data_on_socket__2_matches_\",\n      \"target\": \"func_0x4814F1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x481F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4814F1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_send\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F24\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4814F1\",\n      \"target\": \"api_sendto\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_tcp_socket\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_connect_tcp_socket\",\n      \"target\": \"func_0x480FDF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_connect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_socket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_mrhafizfarhad_gmail_com\",\n      \"target\": \"func_0x480FDF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_connect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_socket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_tcp_socket__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_tcp_socket__2_matches_\",\n      \"target\": \"bb_0x481033\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_tcp_socket__2_matches_\",\n      \"target\": \"bb_0x481197\",\n      \"relationship\": \"implemented_by\"\n    },\n  
  {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x481033\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x481197\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_udp_socket__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_udp_socket__2_matches_\",\n      \"target\": \"bb_0x48177E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_udp_socket__2_matches_\",\n      \"target\": \"bb_0x4819FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x48177E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4819FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_act_as_tcp_client\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_act_as_tcp_client\",\n      \"target\": \"func_0x480FDF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_connect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_socket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x480FDF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_connect\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x480FDF\",\n      \"target\": \"api_socket\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compiled_with_autoit\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hash_data_with_crc32\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hash_data_with_crc32\",\n      \"target\": \"func_0x4823E8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4823E8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_encode_data_using_base64\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_encode_data_using_base64\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hash_data_using_djb2\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hash_data_using_djb2\",\n      \"target\": \"func_0x408273\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"malware_file\",\n      \"target\": \"cap_author______awillia2_cisco_com__still_teamt5_org\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______awillia2_cisco_com__still_teamt5_org\",\n      \"target\": \"func_0x408273\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_authenticate_hmac\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_authenticate_hmac\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"target\": \"func_0x471EC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"target\": \"func_0x471F64\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"target\": \"func_0x471E7A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_generate_random_numbers_using_a_mersenne_twister__4_matches_\",\n      \"target\": \"func_0x471F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x471EC0\",\n      \"relationship\": \"implemented_by\"\n    },\n 
   {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x471F64\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x471E7A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x471F24\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_extract_resource_via_kernel32_functions\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions\",\n      \"target\": \"func_0x406122\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x406122\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406122\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_list_drag_and_drop_files\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_list_drag_and_drop_files\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_DragQueryFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_DragQueryFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_open_clipboard__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_open_clipboard__2_matches_\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_open_clipboard__2_matches_\",\n      \"target\": \"func_0x47EC91\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47EC91\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_clipboard_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_clipboard_data\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GlobalUnlock\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GlobalLock\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47EA26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GlobalUnlock\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_GlobalLock\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EA26\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_clipboard_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_clipboard_data\",\n      \"target\": \"func_0x47EC91\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47EC91\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x47EC91\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EC91\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_interact_with_driver_via_ioctl__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_comspec_environment_variable\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_comspec_environment_variable\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____matthew_williams_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____matthew_williams_mandiant_com\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_environment_variable__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_environment_variable__3_matches_\",\n      \"target\": \"func_0x487559\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_environment_variable__3_matches_\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_environment_variable__3_matches_\",\n 
     \"target\": \"func_0x47EE14\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x487559\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EE14\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x487559\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x47EE14\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x487559\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47EE14\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_environment_variable__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_environment_variable__2_matches_\",\n      \"target\": \"func_0x47EE84\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_set_environment_variable__2_matches_\",\n      \"target\": \"func_0x43D170\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EE84\",\n      \"target\": \"api_SetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43D170\",\n      \"target\": \"api_SetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47EE84\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x43D170\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47EE84\",\n      \"target\": \"api_SetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43D170\",\n      \"target\": \"api_SetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x48AF20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x477D0E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x46DE45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x4780B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x472F35\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x4779B4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x41F962\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x40445D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": 
\"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      
\"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x48AF20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x477D0E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46DE45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4780B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472F35\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41D70E\",\n   
   \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4779B4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41F962\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40445D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SHGetFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x46DE45\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": 
\"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    
},\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SHGetSpecialFolderLocation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48AF20\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": 
\"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DE45\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472F35\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4779B4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F962\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_current_directory__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x477D0E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x4753D4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x4780B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x40AD7C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_current_directory__7_matches_\",\n      \"target\": \"func_0x40445D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4753D4\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40AD7C\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x477D0E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4753D4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4780B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": 
\"func_0x40AD7C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40445D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477D0E\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4753D4\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4780B3\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40AD7C\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40445D\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_copy_file__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_copy_file__3_matches_\",\n      \"target\": \"func_0x46CE1E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_copy_file__3_matches_\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_copy_file__3_matches_\",\n      \"target\": \"func_0x46D1BA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": 
\"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46CE1E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D1BA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_CopyFile\",\n   
   \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1BA\",\n      \"target\": \"api_CopyFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_directory__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_directory__2_matches_\",\n      \"target\": \"func_0x473C3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_directory__2_matches_\",\n      \"target\": \"func_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x473C3C\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x473C3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x473C3C\",\n      \"target\": 
\"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_directory__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_directory__2_matches_\",\n      \"target\": \"func_0x46E77B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_directory__2_matches_\",\n      \"target\": \"func_0x473C3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473C3C\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E77B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x473C3C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473C3C\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_file__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x46D2C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x4778BA\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x46E77B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x4755F7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__6_matches_\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4778BA\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4755F7\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4778BA\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4755F7\",\n      \"target\": 
\"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D2C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4778BA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E77B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4755F7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4778BA\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4755F7\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n     
 \"source\": \"func_0x46CF94\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4778BA\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E77B\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4755F7\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__3_matches_\",\n      \"target\": \"func_0x46DADC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__3_matches_\",\n      \"target\": \"func_0x46E0B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__3_matches_\",\n      \"target\": \"func_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DADC\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B7\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DADC\",\n      \"target\": 
\"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B7\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46DADC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E0B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DADC\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B7\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DADC\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B7\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D1DF\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x46D2C7\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x475BB5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__6_matches_\",\n      \"target\": \"func_0x479A49\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46D2C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x475BB5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x479A49\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n     
 \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D2C7\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475BB5\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_files_recursively__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_recursively__3_matches_\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_recursively__3_matches_\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_recursively__3_matches_\",\n      \"target\": \"func_0x479A49\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": 
\"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x479560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4796BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x479A49\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": 
\"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479560\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4796BB\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479A49\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_attributes__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__5_matches_\",\n      \"target\": \"bb_0x46E0B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__5_matches_\",\n      \"target\": \"bb_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__5_matches_\",\n      \"target\": \"bb_0x4795B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__5_matches_\",\n      \"target\": \"bb_0x477F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__5_matches_\",\n      \"target\": \"bb_0x46DAFA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x46E0B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x46D1DF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n  
    \"target\": \"bb_0x4795B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x477F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x46DAFA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_size__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_size__2_matches_\",\n      \"target\": \"func_0x498461\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_size__2_matches_\",\n      \"target\": \"func_0x482A05\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x498461\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x482A05\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_version_info\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"cap_get_file_version_info\",\n      \"target\": \"func_0x46DB2C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_GetFileVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_GetFileVersionInfoSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_VerQueryValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46DB2C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_GetFileVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_GetFileVersionInfoSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DB2C\",\n      \"target\": \"api_VerQueryValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_file_attributes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_file_attributes__2_matches_\",\n      \"target\": \"bb_0x4795B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_file_attributes__2_matches_\",\n      \"target\": \"bb_0x477F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4795B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x477F04\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_move_file__3_matches_\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_move_file__3_matches_\",\n      \"target\": \"func_0x46E319\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_move_file__3_matches_\",\n      \"target\": \"func_0x46CE1E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_move_file__3_matches_\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E319\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E319\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E319\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46CE1E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46CF94\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E319\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x46CE1E\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_SHFileOperation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E319\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CE1E\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CF94\",\n      \"target\": \"api_MoveFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read__ini_file__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__4_matches_\",\n      \"target\": \"func_0x4783FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__4_matches_\",\n      \"target\": \"func_0x4787FC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__4_matches_\",\n      \"target\": \"func_0x478A19\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__4_matches_\",\n      \"target\": \"func_0x4784BF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": 
\"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4783FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4787FC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x478A19\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4784BF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      
\"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileSection\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4783FD\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4787FC\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A19\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4784BF\",\n      \"target\": \"api_GetPrivateProfileSectionNames\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_file_on_windows__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x472475\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x47070D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x43921B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x40B3B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x4725B1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x40B230\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x498461\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x482A05\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__9_matches_\",\n      \"target\": \"func_0x406A95\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n    
  \"source\": \"func_0x498461\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n   
   \"target\": \"func_0x472475\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47070D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x43921B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40B3B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4725B1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40B230\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x498461\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x482A05\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x406A95\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_ReadFile\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": 
\"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api__read\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472475\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47070D\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43921B\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B3B0\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725B1\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B230\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x498461\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482A05\",\n      \"target\": \"api_fread\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x406A95\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_clear_file_content\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_clear_file_content\",\n      \"target\": \"func_0x477FD5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477FD5\",\n      \"target\": \"api_SetFilePointer\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477FD5\",\n      \"target\": \"api_SetEndOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____jakeperalta7\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____jakeperalta7\",\n      \"target\": \"func_0x477FD5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477FD5\",\n      \"target\": \"api_SetFilePointer\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477FD5\",\n      \"target\": \"api_SetEndOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_file_on_windows__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x472642\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x4725F5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x46CC1D\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x470633\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__7_matches_\",\n      \"target\": \"func_0x41F5B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472642\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4725F5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472865\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46CC1D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x470633\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CD62\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41F5B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472642\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4725F5\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472865\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46CC1D\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470633\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CD62\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api__fwrite\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_gui_resources\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_gui_resources\",\n      \"target\": \"func_0x464144\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x464144\",\n      \"target\": \"api_EnumWindows\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      
\"source\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x464144\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x464144\",\n      \"target\": \"api_EnumWindows\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_taskbar__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_find_taskbar__3_matches_\",\n      \"target\": \"bb_0x492255\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_find_taskbar__3_matches_\",\n      \"target\": \"bb_0x492289\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_find_taskbar__3_matches_\",\n      \"target\": \"bb_0x41EFCE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x492255\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x492289\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x41EFCE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_graphical_window__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_graphical_window_text__11_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x465B9A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x461A70\",\n      \"relationship\": \"implemented_by\"\n    },\n    
{\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x491E0D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x47E8F7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x4972B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x46489C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x496FA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x463B0C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x46359E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x464BD3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__11_matches_\",\n      \"target\": \"func_0x4947A8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x4972B7\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      
\"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x465B9A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x461A70\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x491E0D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x47E8F7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4972B7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x46489C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x496FA4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x463B0C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x46359E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x464BD3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4947A8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x47E8F7\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_SendMessage\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": 
\"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_IsWindowVisible\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465B9A\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461A70\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x491E0D\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E8F7\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4972B7\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46489C\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x496FA4\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x463B0C\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46359E\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x464BD3\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4947A8\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_hide_graphical_window__8_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x49A198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x4981BF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x4827C2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x45F0F9\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x49015D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x4950F2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x49813A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__8_matches_\",\n      \"target\": \"bb_0x496B61\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x49A198\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4981BF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4827C2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x45F0F9\",\n      \"relationship\": \"implemented_by\"\n    },\n  
  {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x49015D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4950F2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x49813A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x496B61\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_keyboard_layout\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_keyboard_layout\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetKeyboardLayoutName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetKeyboardLayoutName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_memory_capacity\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_memory_capacity\",\n      \"target\": \"func_0x41F370\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41F370\",\n      \"target\": \"api_GlobalMemoryStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x41F370\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"func_0x41F370\",\n      \"target\": \"api_GlobalMemoryStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_information__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x474912\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x4743DE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x473D97\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x4749FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x474844\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_information__6_matches_\",\n      \"target\": \"func_0x474776\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x474912\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4743DE\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473D97\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4749FD\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474844\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474776\",\n      \"target\": \"api_GetVolumeInformation\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474912\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4743DE\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473D97\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4749FD\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474844\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474776\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x474912\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4743DE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x473D97\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4749FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x474844\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x474776\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"func_0x474912\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4743DE\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473D97\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4749FD\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474844\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474776\",\n      \"target\": \"api_GetVolumeInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474912\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4743DE\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473D97\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4749FD\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474844\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474776\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_size__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_size__3_matches_\",\n      \"target\": \"func_0x4750EB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_size__3_matches_\",\n      \"target\": \"func_0x4751CE\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_disk_size__3_matches_\",\n      \"target\": \"func_0x4752B1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4750EB\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4751CE\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4752B1\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4750EB\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4751CE\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4752B1\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4750EB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4751CE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4752B1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4750EB\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4751CE\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4752B1\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    
},\n    {\n      \"source\": \"func_0x4750EB\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4751CE\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4752B1\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_storage_device_properties__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_storage_device_properties__2_matches_\",\n      \"target\": \"func_0x46D509\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_storage_device_properties__2_matches_\",\n      \"target\": \"func_0x46D588\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D509\",\n      \"target\": \"api_DeviceIoControl\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D588\",\n      \"target\": \"api_DeviceIoControl\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D509\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D588\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46D509\",\n      \"target\": \"api_DeviceIoControl\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D588\",\n      \"target\": \"api_DeviceIoControl\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_print_debug_messages\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_print_debug_messages\",\n      \"target\": \"func_0x41F5B3\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_OutputDebugString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x41F5B3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41F5B3\",\n      \"target\": \"api_OutputDebugString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_shutdown_system\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_shutdown_system\",\n      \"target\": \"func_0x46E814\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E814\",\n      \"target\": \"api_ExitWindowsEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E814\",\n      \"target\": \"api_InitiateSystemShutdownEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E814\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E814\",\n      \"target\": \"api_ExitWindowsEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E814\",\n      \"target\": \"api_InitiateSystemShutdownEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_hostname__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_hostname__2_matches_\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_hostname__2_matches_\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_GetComputerName\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetComputerName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_gethostname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_gethostname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46DD45\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_GetComputerName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetComputerName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46DD45\",\n      \"target\": \"api_gethostname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_gethostname\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_system_information_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_system_information_on_windows\",\n      \"target\": \"func_0x40615E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40615E\",\n      \"target\": \"api_GetSystemInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": 
\"func_0x40615E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40615E\",\n      \"target\": \"api_GetSystemInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_on_windows__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x461472\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x48B2C1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x4437E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x48AD7A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x46134A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__6_matches_\",\n      \"target\": \"bb_0x498064\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x461472\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x48B2C1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x4437E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x48AD7A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x46134A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x498064\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_allocate_or_change_rwx_memory\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_allocate_or_change_rwx_memory\",\n      \"target\": \"bb_0x489881\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______mr_tz__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______mr_tz__mehunhoff_google_com\",\n      \"target\": \"bb_0x489881\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_processes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_processes__2_matches_\",\n      \"target\": \"func_0x48A5A3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_processes__2_matches_\",\n      \"target\": \"func_0x46D3FA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": 
\"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x48A5A3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D3FA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A5A3\",\n      \"target\": \"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D3FA\",\n      \"target\": \"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_acquire_debug_privileges\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_acquire_debug_privileges\",\n      \"target\": \"bb_0x48A0B6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"bb_0x48A0B6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_modify_access_privileges__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n   
 {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_process__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_terminate_process__3_matches_\",\n      \"target\": \"func_0x487E80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_terminate_process__3_matches_\",\n      \"target\": \"func_0x46EA3E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_terminate_process__3_matches_\",\n      \"target\": \"func_0x48A009\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x487E80\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EA3E\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A009\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x487E80\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EA3E\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A009\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x487E80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46EA3E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x48A009\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x487E80\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n   
 {\n      \"source\": \"func_0x46EA3E\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A009\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x487E80\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EA3E\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48A009\",\n      \"target\": \"api_OpenProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_empty_the_recycle_bin\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_empty_the_recycle_bin\",\n      \"target\": \"func_0x477953\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477953\",\n      \"target\": \"api_SHEmptyRecycleBin\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x477953\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477953\",\n      \"target\": \"api_SHEmptyRecycleBin\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_key__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_key__2_matches_\",\n      \"target\": \"func_0x48CB5B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_key__2_matches_\",\n      \"target\": \"func_0x48B8F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"func_0x48B8F0\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B8F0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x48CB5B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x48B8F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B8F0\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B8F0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x4605C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x48BB02\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x4059A7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      
\"target\": \"func_0x48BD6B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__5_matches_\",\n      \"target\": \"func_0x40533E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      
\"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4605C7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x48BB02\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4059A7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x48BD6B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40533E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegEnumValue\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4605C7\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BB02\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4059A7\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48BD6B\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40533E\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_registry_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_registry_value\",\n      \"target\": \"func_0x48C2DE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48C2DE\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48C2DE\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x48C2DE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48C2DE\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48C2DE\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      
\"target\": \"cap_delete_registry_key__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_registry_key__2_matches_\",\n      \"target\": \"func_0x48B535\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_registry_key__2_matches_\",\n      \"target\": \"func_0x48CB5B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x48B535\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x48CB5B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48CB5B\",\n      \"target\": \"api_RegOpenKeyEx\",\n 
     \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_registry_value\",\n      \"target\": \"func_0x48B535\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegDeleteValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x48B535\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48B535\",\n      \"target\": \"api_RegDeleteValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_session_user_name\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_session_user_name\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetUserName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41D70E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x41D70E\",\n      \"target\": \"api_GetUserName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_token_membership\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_token_membership\",\n      \"target\": 
\"func_0x4615A7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_FreeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_AllocateAndInitializeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_CheckTokenMembership\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4615A7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_FreeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_AllocateAndInitializeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4615A7\",\n      \"target\": \"api_CheckTokenMembership\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_token_privileges\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_token_privileges\",\n      \"target\": \"func_0x460F58\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x460F58\",\n      \"target\": \"api_GetTokenInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x460F58\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x460F58\",\n      \"target\": \"api_GetTokenInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_thread__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_thread__5_matches_\",\n      \"target\": 
\"bb_0x470870\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_thread__5_matches_\",\n      \"target\": \"bb_0x46E114\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_thread__5_matches_\",\n      \"target\": \"bb_0x47D13B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_thread__5_matches_\",\n      \"target\": \"bb_0x461747\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x470870\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x46E114\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x47D13B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x461747\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_thread\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_terminate_thread\",\n      \"target\": \"bb_0x4708A6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4708A6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_impersonate_user\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"cap_impersonate_user\",\n      \"target\": \"func_0x461145\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x461145\",\n      \"target\": \"api_LoadUserProfile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461145\",\n      \"target\": \"api_LogonUser\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__99_elad_levi_gmail_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__99_elad_levi_gmail_com\",\n      \"target\": \"func_0x461145\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x461145\",\n      \"target\": \"api_LoadUserProfile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x461145\",\n      \"target\": \"api_LogonUser\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap__internal__autoit_file_limitation\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_link_function_at_runtime_on_windows__13_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_parse_pe_header\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_parse_pe_header\",\n      \"target\": \"func_0x40B7E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x40B7E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x466502\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x4681EE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x4763AC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x40D840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x487E80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x408BAA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x476E0F\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x40AD7C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x4095C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": 
\"func_0x401641\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x47902A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x40A180\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x410540\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__15_matches_\",\n      \"target\": \"func_0x490F26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____sara_rn\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x466502\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x4681EE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x4763AC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x40D840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x487E80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x408BAA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x41BEAD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": 
\"func_0x476E0F\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x40AD7C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x4095C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x401641\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x47902A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x40A180\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x410540\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x490F26\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_execute_shellcode_via_indirect_call\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_execute_shellcode_via_indirect_call\",\n      \"target\": \"func_0x4895BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4895BB\",\n      \"target\": \"api_VirtualAlloc\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____ronnie_salomonsen_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____ronnie_salomonsen_mandiant_com\",\n      \"target\": \"func_0x4895BB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4895BB\",\n      \"target\": \"api_VirtualAlloc\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"malware_file\",\n      \"target\": \"cap_create_shortcut_via_ishelllink__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_shortcut_via_ishelllink__2_matches_\",\n      \"target\": \"func_0x47573C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_shortcut_via_ishelllink__2_matches_\",\n      \"target\": \"func_0x4763AC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47573C\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4763AC\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______matthew_williams_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______matthew_williams_mandiant_com\",\n      \"target\": \"func_0x47573C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______matthew_williams_mandiant_com\",\n      \"target\": \"func_0x4763AC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x47573C\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4763AC\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-04-28 23:57:35.514184\",\n    \"total_functions\": \"2043\",\n    \"total_features\": \"119213\",\n    \"pdb_path\": \"\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", 
height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 
15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) 
{\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? 
\"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-04-28 23:57:40"}
{"_id":{"$oid":"69f1fd5959a6632dae07de7d"},"sha256":"778c2e260d8d3982c7b93c1ecc8201fb16bd62f085004c2886d3c69ef45cec27","analysis_data":{"success":true,"results":{"normal":{"success":false,"error":"ERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n"},"verbose":{"success":false,"error":"ERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           
\nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n"},"very_verbose":{"success":false,"error":"ERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n"}},"outputs":{"normal":"ERROR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  
\nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n\n\nSTDOUT:\n\n\nSTDERR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. 
helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n","verbose":"ERROR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n\n\nSTDOUT:\n\n\nSTDERR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                              
                             \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n","very_verbose":"ERROR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n\n\nSTDOUT:\n\n\nSTDERR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  
\nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n"},"hashes":{"md5":"699461a646277a0a293277ff03365895","sha1":"1d98d127deb12475e785c4a2f6ce10fdb2c488f5","sha256":"778c2e260d8d3982c7b93c1ecc8201fb16bd62f085004c2886d3c69ef45cec27"}},"timestamp":"2026-04-29 18:15:13"}
{"_id":{"$oid":"69f251d159a6632dae07de83"},"sha256":"4792cd702b952d39c1cd215f842223b96e2c17ce9981629cce63014bf095329e","analysis_data":{"success":true,"results":{"normal":{"success":false,"error":"Analysis timeout (>10 minutes)"},"verbose":{"success":false,"error":"Analysis timeout (>10 minutes)"},"very_verbose":{"success":false,"error":"Analysis timeout (>10 minutes)"}},"outputs":{"normal":"ERROR:\nAnalysis timeout (>10 minutes)\n\nSTDOUT:\n\n\nSTDERR:\nAnalysis timeout (>10 minutes)","verbose":"ERROR:\nAnalysis timeout (>10 minutes)\n\nSTDOUT:\n\n\nSTDERR:\nAnalysis timeout (>10 minutes)","very_verbose":"ERROR:\nAnalysis timeout (>10 minutes)\n\nSTDOUT:\n\n\nSTDERR:\nAnalysis timeout (>10 minutes)"},"hashes":{"md5":"98962365bde2372a233172635a3de014","sha1":"efdc566207112ca269771024f1ce1bdfec660f9e","sha256":"4792cd702b952d39c1cd215f842223b96e2c17ce9981629cce63014bf095329e"}},"timestamp":"2026-04-30 00:15:37"}
{"_id":{"$oid":"6a04982e204ca8b07f91707c"},"sha256":"0d6e72e20edd52cf3f8cb41446a5eff46c59fb2b79700fb791a85661a5a8f5b4","analysis_data":{"success":true,"results":{"normal":{"success":false,"error":"ERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n"},"verbose":{"success":false,"error":"ERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           
\nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n"},"very_verbose":{"success":false,"error":"ERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n"}},"outputs":{"normal":"ERROR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  
\nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n\n\nSTDOUT:\n\n\nSTDERR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. 
helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n","verbose":"ERROR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n\n\nSTDOUT:\n\n\nSTDERR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                              
                             \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n","very_verbose":"ERROR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  \nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n\n\nSTDOUT:\n\n\nSTDERR:\nERROR    capa:                                                    helpers.py:278\n         --------------------------------------------------------               \n         ------------------------                                               \nERROR    capa:  Input file does not appear to be a supported      helpers.py:279\n         file.                                                                  
\nERROR    capa:                                                    helpers.py:280\nERROR    capa:  See all supported file formats via capa's help    helpers.py:281\n         output (-h).                                                           \nERROR    capa:  If you don't know the input file type,            helpers.py:282\nERROR    capa:  you can try using the `file` utility to guess it. helpers.py:283\nERROR    capa:                                                    helpers.py:284\n         --------------------------------------------------------               \n         ------------------------                                               \n"},"hashes":{"md5":"e92f74f5a79b217fb87006d6a729a3eb","sha1":"77173ae144c4791ed62deef3e476493d0d29cb6c","sha256":"0d6e72e20edd52cf3f8cb41446a5eff46c59fb2b79700fb791a85661a5a8f5b4"}},"timestamp":"2026-05-13 20:56:38"}
{"_id":{"$oid":"6a071088204ca8b07f91707e"},"sha256":"f450cef035a0355bdc9c5da156a92a83ea1ca3787cf8ccc6ace3559c3c1100f9","analysis_data":{"success":true,"results":{"normal":{"success":true,"path":"/tmp/sdm_capa_djt9jsz3/MBSetup-3.3-019e2b88-d6a1-74d0-8824-310d46fb50a0.exe_normal.txt"},"verbose":{"success":true,"path":"/tmp/sdm_capa_djt9jsz3/MBSetup-3.3-019e2b88-d6a1-74d0-8824-310d46fb50a0.exe_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_djt9jsz3/MBSetup-3.3-019e2b88-d6a1-74d0-8824-310d46fb50a0.exe_very_verbose.txt"}},"outputs":{"normal":"┌──────────┬───────────────────────────────────────────────────────────────────┐\n│ md5      │ 306d298f4ffd7cd8a40031876906ee4e                                  │\n│ sha1     │ 446bc7b8d09e39215ed60f87c10e785c6083e836                          │\n│ sha256   │ f450cef035a0355bdc9c5da156a92a83ea1ca3787cf8ccc6ace3559c3c1100f9  │\n│ analysis │ static                                                            │\n│ os       │ windows                                                           │\n│ format   │ pe                                                                │\n│ arch     │ i386                                                              │\n│ path     │ /home/apogean/projects/malware/windows/all_runs/MBSetup-3.3-019e… │\n└──────────┴───────────────────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ ATT&CK Tactic        ┃ ATT&CK Technique                                      ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ COLLECTION           │ Data from Information Repositories [T1213]            │\n│ DEFENSE EVASION      │ Hide Artifacts::Hidden Window [T1564.003]             │\n│                      │ Impair Defenses::Safe Mode Boot [T1562.009]           │\n│                      │ Modify Registry [T1112]                               │\n│                      │ Obfuscated Files 
or Information::Indicator Removal    │\n│                      │ from Tools [T1027.005]                                │\n│                      │ Virtualization/Sandbox Evasion::System Checks         │\n│                      │ [T1497.001]                                           │\n│ DISCOVERY            │ Account Discovery [T1087]                             │\n│                      │ Application Window Discovery [T1010]                  │\n│                      │ File and Directory Discovery [T1083]                  │\n│                      │ Process Discovery [T1057]                             │\n│                      │ Query Registry [T1012]                                │\n│                      │ Software Discovery [T1518]                            │\n│                      │ System Information Discovery [T1082]                  │\n│                      │ System Location Discovery [T1614]                     │\n│                      │ System Network Configuration Discovery [T1016]        │\n│                      │ System Owner/User Discovery [T1033]                   │\n│                      │ System Service Discovery [T1007]                      │\n│ EXECUTION            │ Command and Scripting Interpreter [T1059]             │\n│                      │ Shared Modules [T1129]                                │\n│                      │ System Services::Service Execution [T1569.002]        │\n│                      │ Windows Management Instrumentation [T1047]            │\n│ IMPACT               │ Service Stop [T1489]                                  │\n│                      │ System Shutdown/Reboot [T1529]                        │\n│ PERSISTENCE          │ Create or Modify System Process::Windows Service      │\n│                      │ [T1543.003]                                           │\n│ PRIVILEGE ESCALATION │ Access Token Manipulation [T1134]                     │\n│                      │ Access Token Manipulation::Token 
Impersonation/Theft  │\n│                      │ [T1134.001]                                           │\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MBC Objective            ┃ MBC Behavior                                      ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ ANTI-BEHAVIORAL ANALYSIS │ Virtual Machine Detection [B0009]                 │\n│ ANTI-STATIC ANALYSIS     │ Executable Code Obfuscation::Argument Obfuscation │\n│                          │ [B0032.020]                                       │\n│                          │ Executable Code Obfuscation::Stack Strings        │\n│                          │ [B0032.017]                                       │\n│ COMMUNICATION            │ HTTP Communication::Create Request [C0002.012]    │\n│                          │ HTTP Communication::Get Response [C0002.017]      │\n│                          │ HTTP Communication::Read Header [C0002.014]       │\n│                          │ HTTP Communication::Set Header [C0002.013]        │\n│                          │ HTTP Communication::WinHTTP [C0002.008]           │\n│                          │ Interprocess Communication::Connect Pipe          │\n│                          │ [C0003.002]                                       │\n│                          │ Interprocess Communication::Read Pipe [C0003.003] │\n│                          │ Interprocess Communication::Write Pipe            │\n│                          │ [C0003.004]                                       │\n│ CRYPTOGRAPHY             │ Cryptographic Hash [C0029]                        │\n│                          │ Cryptographic Hash::SHA1 [C0029.002]              │\n│ DISCOVERY                │ Analysis Tool Discovery::Process detection        │\n│                          │ [B0013.001]                                       │\n│       
                   │ Application Window Discovery [E1010]              │\n│                          │ File and Directory Discovery [E1083]              │\n│                          │ System Information Discovery [E1082]              │\n│ EXECUTION                │ Command and Scripting Interpreter [E1059]         │\n│ FILE SYSTEM              │ Create Directory [C0046]                          │\n│                          │ Delete File [C0047]                               │\n│                          │ Get File Attributes [C0049]                       │\n│                          │ Read File [C0051]                                 │\n│                          │ Writes File [C0052]                               │\n│ OPERATING SYSTEM         │ Environment Variable::Set Variable [C0034.001]    │\n│                          │ Registry::Delete Registry Key [C0036.002]         │\n│                          │ Registry::Delete Registry Value [C0036.007]       │\n│                          │ Registry::Query Registry Key [C0036.005]          │\n│                          │ Registry::Query Registry Value [C0036.006]        │\n│                          │ Registry::Set Registry Key [C0036.001]            │\n│ PROCESS                  │ Allocate Thread Local Storage [C0040]             │\n│                          │ Create Mutex [C0042]                              │\n│                          │ Create Process [C0017]                            │\n│                          │ Create Process::Create Suspended Process          │\n│                          │ [C0017.003]                                       │\n│                          │ Create Thread [C0038]                             │\n│                          │ Set Thread Local Storage Value [C0041]            │\n│                          │ Terminate Process [C0018]                         
│\n└──────────────────────────┴───────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Capability                           ┃ Namespace                             ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ reference analysis tools strings     │ anti-analysis                         │\n│ reference anti-VM strings            │ anti-analysis/anti-vm/vm-detection    │\n│ reference anti-VM strings targeting  │ anti-analysis/anti-vm/vm-detection    │\n│ Parallels                            │                                       │\n│ reference anti-VM strings targeting  │ anti-analysis/anti-vm/vm-detection    │\n│ VMWare                               │                                       │\n│ reference anti-VM strings targeting  │ anti-analysis/anti-vm/vm-detection    │\n│ VirtualBox                           │                                       │\n│ reference anti-VM strings targeting  │ anti-analysis/anti-vm/vm-detection    │\n│ Xen                                  │                                       │\n│ contain obfuscated stackstrings      │ anti-analysis/obfuscation/string/sta… │\n│ get geographical location (3         │ collection                            │\n│ matches)                             │                                       │\n│ reference SQL statements (2 matches) │ collection/database/sql               │\n│ initialize WinHTTP library           │ communication/http                    │\n│ read HTTP header (3 matches)         │ communication/http                    │\n│ set HTTP header                      │ communication/http                    │\n│ check HTTP status code (5 matches)   │ communication/http/client             │\n│ prepare HTTP request (3 matches)     │ communication/http/client             │\n│ receive HTTP response (3 matches)    │ communication/http/client             │\n│ connect pipe               
          │ communication/named-pipe/connect      │\n│ read pipe                            │ communication/named-pipe/read         │\n│ write pipe                           │ communication/named-pipe/write        │\n│ hash data via WinCrypt               │ data-manipulation/hashing             │\n│ hash data using SHA1                 │ data-manipulation/hashing/sha1        │\n│ hash data using SHA1 via WinCrypt    │ data-manipulation/hashing/sha1        │\n│ contains PDB path                    │ executable/pe/pdb                     │\n│ extract resource via kernel32        │ executable/resource                   │\n│ functions (5 matches)                │                                       │\n│ manipulate safe mode programs        │ host-interaction/bootloader           │\n│ accept command line arguments        │ host-interaction/cli                  │\n│ query environment variable           │ host-interaction/environment-variable │\n│ set environment variable             │ host-interaction/environment-variable │\n│ get common file path (16 matches)    │ host-interaction/file-system          │\n│ set current directory                │ host-interaction/file-system          │\n│ create directory (2 matches)         │ host-interaction/file-system/create   │\n│ delete file (3 matches)              │ host-interaction/file-system/delete   │\n│ check if file exists (3 matches)     │ host-interaction/file-system/exists   │\n│ enumerate files on Windows (2        │ host-interaction/file-system/files/l… │\n│ matches)                             │                                       │\n│ get file attributes (2 matches)      │ host-interaction/file-system/meta     │\n│ get file version info                │ host-interaction/file-system/meta     │\n│ read file on Windows (5 matches)     │ host-interaction/file-system/read     │\n│ clear file content                   │ host-interaction/file-system/write    │\n│ write file on Windows (2 matches)    │ 
host-interaction/file-system/write    │\n│ find graphical window                │ host-interaction/gui/window/find      │\n│ get graphical window text            │ host-interaction/gui/window/get-text  │\n│ hide graphical window (15 matches)   │ host-interaction/gui/window/hide      │\n│ get disk information                 │ host-interaction/hardware/storage     │\n│ get disk information via IOCTL (2    │ host-interaction/hardware/storage     │\n│ matches)                             │                                       │\n│ get disk size                        │ host-interaction/hardware/storage     │\n│ get storage device properties        │ host-interaction/hardware/storage     │\n│ create or open mutex on Windows      │ host-interaction/mutex                │\n│ get proxy (2 matches)                │ host-interaction/network/proxy        │\n│ shutdown system                      │ host-interaction/os                   │\n│ get system information on Windows    │ host-interaction/os/info              │\n│ get thread local storage value       │ host-interaction/process              │\n│ create process on Windows (12        │ host-interaction/process/create       │\n│ matches)                             │                                       │\n│ create process suspended             │ host-interaction/process/create       │\n│ enumerate processes                  │ host-interaction/process/list         │\n│ modify access privileges (2 matches) │ host-interaction/process/modify       │\n│ terminate process                    │ host-interaction/process/terminate    │\n│ query or enumerate registry key (4   │ host-interaction/registry             │\n│ matches)                             │                                       │\n│ query or enumerate registry value    │ host-interaction/registry             │\n│ (15 matches)                         │                                       │\n│ delete registry key (4 matches)      │ 
host-interaction/registry/delete      │\n│ delete registry value                │ host-interaction/registry/delete      │\n│ query service status (4 matches)     │ host-interaction/service              │\n│ create service                       │ host-interaction/service/create       │\n│ delete service (2 matches)           │ host-interaction/service/delete       │\n│ start service (2 matches)            │ host-interaction/service/start        │\n│ stop service                         │ host-interaction/service/stop         │\n│ get session information              │ host-interaction/session              │\n│ get session user name                │ host-interaction/session              │\n│ get token membership                 │ host-interaction/session              │\n│ get installed programs (3 matches)   │ host-interaction/software             │\n│ create thread (2 matches)            │ host-interaction/thread/create        │\n│ allocate thread local storage        │ host-interaction/thread/tls           │\n│ set thread local storage value       │ host-interaction/thread/tls           │\n│ impersonate user                     │ host-interaction/user                 │\n│ connect to WMI namespace via         │ host-interaction/wmi                  │\n│ WbemLocator (6 matches)              │                                       │\n│ get kernel32 base address (2         │ linking/runtime-linking               │\n│ matches)                             │                                       │\n│ get ntdll base address               │ linking/runtime-linking               │\n│ link function at runtime on Windows  │ linking/runtime-linking               │\n│ (16 matches)                         │                                       │\n│ parse PE header (2 matches)          │ load-code/pe                          │\n│ resolve function by parsing PE       │ load-code/pe                          │\n│ exports                              │                                 
      │\n│ persist via Windows service (2       │ persistence/service                   │\n│ matches)                             │                                       │\n└──────────────────────────────────────┴───────────────────────────────────────┘\n\n","verbose":"md5                     306d298f4ffd7cd8a40031876906ee4e                        \nsha1                    446bc7b8d09e39215ed60f87c10e785c6083e836                \nsha256                  f450cef035a0355bdc9c5da156a92a83ea1ca3787cf8ccc6ace3559…\npath                    /home/apogean/projects/malware/windows/all_runs/MBSetup…\ntimestamp               2026-05-15 17:53:03.829538                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEIduyp4j/rules                                   \nfunction count          4017                                                    \nlibrary function count  878                                                     \ntotal feature count     224537                                                  \n\nreference analysis tools strings\nnamespace  anti-analysis\nscope      file         \n\nreference anti-VM strings\nnamespace  anti-analysis/anti-vm/vm-detection\nscope      file                              \n\nreference anti-VM strings targeting Parallels\nnamespace  anti-analysis/anti-vm/vm-detection\nscope      file                              \n\nreference anti-VM strings targeting VMWare\nnamespace  
anti-analysis/anti-vm/vm-detection\nscope      file                              \n\nreference anti-VM strings targeting VirtualBox\nnamespace  anti-analysis/anti-vm/vm-detection\nscope      file                              \n\nreference anti-VM strings targeting Xen\nnamespace  anti-analysis/anti-vm/vm-detection\nscope      file                              \n\ncontain obfuscated stackstrings\nnamespace  anti-analysis/obfuscation/string/stackstring\nscope      basic block                                 \nmatches    0x4647F0                                    \n\nget geographical location (3 matches)\nnamespace  collection\nscope      function  \nmatches    0x49216E  \n           0x4B8CB0  \n           0x4B8D86  \n\nreference SQL statements (2 matches)\nnamespace  collection/database/sql\nscope      function               \nmatches    0x40CBA0               \n           0x40D560               \n\ninitialize WinHTTP library\nnamespace  communication/http\nscope      function          \nmatches    0x469560          \n\nread HTTP header (3 matches)\nnamespace  communication/http\nscope      function          \nmatches    0x46B430          \n           0x46D980          \n           0x478DD0          \n\nset HTTP header\nnamespace  communication/http\nscope      function          \nmatches    0x478DD0          \n\ncheck HTTP status code (5 matches)\nnamespace  communication/http/client\nscope      function                 \nmatches    0x405050                 \n           0x452990                 \n           0x46B430                 \n           0x46D980                 \n           0x478DD0                 \n\nprepare HTTP request (3 matches)\nnamespace  communication/http/client\nscope      function                 \nmatches    0x46B430                 \n           0x46D980                 \n           0x478DD0                 \n\nreceive HTTP response (3 matches)\nnamespace  communication/http/client\nscope      function                 \nmatches    0x46B430      
           \n           0x46D980                 \n           0x478DD0                 \n\nconnect pipe\nnamespace  communication/named-pipe/connect\nscope      function                        \nmatches    0x420990                        \n\nread pipe\nnamespace    communication/named-pipe/read                                      \ndescription  PeekNamedPipe isn't required to read from a pipe; however, pipes   \n             are often utilized to capture the output of a cmd.exe process. In a\n             multi-thread instance, a new thread is created that calls          \n             PeekNamedPipe and ReadFile to obtain the command output.           \nscope        function                                                           \nmatches      0x420990                                                           \n\nwrite pipe\nnamespace  communication/named-pipe/write\nscope      function                      \nmatches    0x420990                      \n\nhash data via WinCrypt\nnamespace  data-manipulation/hashing\nscope      function                 \nmatches    0x40A610                 \n\ninitialize hashing via WinCrypt\nnamespace  data-manipulation/hashing\nscope      function                 \nmatches    0x40A610                 \n\nhash data using SHA1\nnamespace  data-manipulation/hashing/sha1\nscope      function                      \nmatches    0x40A610                      \n\nhash data using SHA1 via WinCrypt\nnamespace  data-manipulation/hashing/sha1\nscope      function                      \nmatches    0x40A610                      \n\ncontains PDB path\nnamespace  executable/pe/pdb\nscope      file             \n\nextract resource via kernel32 functions (5 matches)\nnamespace  executable/resource\nscope      function           \nmatches    0x409790           \n           0x413370           \n           0x447330           \n           0x452880           \n           0x490180           \n\nmanipulate safe mode programs\nnamespace  
host-interaction/bootloader\nscope      function                   \nmatches    0x4354B0                   \n\naccept command line arguments\nnamespace  host-interaction/cli\nscope      function            \nmatches    0x4268E0            \n\ninteract with driver via IOCTL (4 matches)\nnamespace  host-interaction/driver\nscope      instruction            \nmatches    0x40CCA8               \n           0x40D661               \n           0x40DCDC               \n           0x40DD29               \n\nquery environment variable\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x4B63EF                             \n\nset environment variable\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x4B67F8                             \n\nget common file path (16 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x40CBA0                    \n           0x40D560                    \n           0x40DBA0                    \n           0x4268E0                    \n           0x429DB0                    \n           0x42BC20                    \n           0x42CAF0                    \n           0x434AA0                    \n           0x436F10                    \n           0x448B30                    \n           0x449490                    \n           0x4499B0                    \n           0x449B90                    \n           0x44BBB0                    \n           0x455440                    \n           0x492328                    \n\nset current directory\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x4268E0                    \n\ncreate directory (2 matches)\nnamespace  host-interaction/file-system/create\nscope      function                           \nmatches    0x449490                           \n           0x44D830                     
      \n\ndelete file (3 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    0x415480                           \n           0x43BFF0                           \n           0x44DB40                           \n\ncheck if file exists (3 matches)\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    0x42BC20                           \n           0x449490                           \n           0x46EAC0                           \n\nenumerate files on Windows (2 matches)\nnamespace  host-interaction/file-system/files/list\nscope      function                               \nmatches    0x436F10                               \n           0x4B598B                               \n\nget file attributes (2 matches)\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    0x46EFC7                         \n           0x492987                         \n\nget file version info\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    0x454FC0                         \n\nread file on Windows (5 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x43EC60                         \n           0x4B1575                         \n           0x4B2933                         \n           0x4B2A80                         \n           0x4B2F28                         \n\nclear file content\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    0x4BD065                          \n\nwrite file on Windows (2 matches)\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    0x4B03D0                          \n           0x4B0CBA                          \n\nfind graphical window\nnamespace  
host-interaction/gui/window/find\nscope      instruction                     \nmatches    0x427628                        \n\nget graphical window text\nnamespace  host-interaction/gui/window/get-text\nscope      function                            \nmatches    0x404AC0                            \n\nhide graphical window (15 matches)\nnamespace  host-interaction/gui/window/hide\nscope      basic block                     \nmatches    0x40F39F                        \n           0x40F39F                        \n           0x40F39F                        \n           0x40F39F                        \n           0x40F39F                        \n           0x40F39F                        \n           0x410105                        \n           0x41EF4A                        \n           0x41F805                        \n           0x4255D9                        \n           0x42568A                        \n           0x42761E                        \n           0x464151                        \n           0x4644D8                        \n           0x4683FC                        \n\nget disk information\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x449490                         \n\nget disk information via IOCTL (2 matches)\nnamespace  host-interaction/hardware/storage\nscope      basic block                      \nmatches    0x40CC8C                         \n           0x40D5F0                         \n\nget disk size\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x42A3C0                         \n\nget storage device properties\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x40DBA0                         \n\ncreate or open mutex on Windows\nnamespace  host-interaction/mutex\nscope      instruction           \nmatches    0x427500              \n\nget proxy (2 matches)\nnamespace  
host-interaction/network/proxy\nscope      function                      \nmatches    0x4178D0                      \n           0x4183B0                      \n\nshutdown system\nnamespace  host-interaction/os\nscope      function           \nmatches    0x434E20           \n\nget system information on Windows\nnamespace  host-interaction/os/info\nscope      function                \nmatches    0x4268E0                \n\nget thread local storage value\nnamespace  host-interaction/process\nscope      function                \nmatches    0x4B24AB                \n\ncreate process on Windows (12 matches)\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    0x4242F9                       \n           0x42E03A                       \n           0x42FE3E                       \n           0x439E34                       \n           0x43A802                       \n           0x43B4FB                       \n           0x446756                       \n           0x44678A                       \n           0x44D0E2                       \n           0x4543E8                       \n           0x45B05B                       \n           0x46873C                       \n\ncreate process suspended\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    0x4543E8                       \n\nenumerate processes\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    0x455350                     \n\nmodify access privileges (2 matches)\nnamespace  host-interaction/process/modify\nscope      instruction                    \nmatches    0x434F4F                       \n           0x454341                       \n\nterminate process\nnamespace  host-interaction/process/terminate\nscope      function                          \nmatches    0x49F080                          \n\nquery or enumerate registry key (4 matches)\nnamespace  
host-interaction/registry\nscope      function                 \nmatches    0x4089A0                 \n           0x4368C0                 \n           0x438810                 \n           0x46EAC0                 \n\nquery or enumerate registry value (15 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    0x40A800                 \n           0x40E630                 \n           0x4178D0                 \n           0x41B350                 \n           0x41B6A0                 \n           0x41B9F0                 \n           0x4268E0                 \n           0x42B480                 \n           0x42BC20                 \n           0x4368C0                 \n           0x438810                 \n           0x4486E0                 \n           0x45A370                 \n           0x45B790                 \n           0x46EAC0                 \n\nset registry value (10 matches)\nnamespace  host-interaction/registry/create\nscope      function                        \nmatches    0x408250                        \n           0x4083F6                        \n           0x408613                        \n           0x4183B0                        \n           0x4354B0                        \n           0x448F90                        \n           0x450470                        \n           0x4506E0                        \n           0x45B120                        \n           0x45B790                        \n\ndelete registry key (4 matches)\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    0x408B30                        \n           0x408E10                        \n           0x42A9F0                        \n           0x435840                        \n\ndelete registry value\nnamespace  host-interaction/registry/delete\nscope      function                        \nmatches    0x408E10                        \n\nquery service status (4 matches)\nnamespace  
host-interaction/service\nscope      function                \nmatches    0x416C40                \n           0x41AEF0                \n           0x4202E0                \n           0x42B480                \n\ncreate service\nnamespace  host-interaction/service/create\nscope      function                       \nmatches    0x417480                       \n\ndelete service (2 matches)\nnamespace  host-interaction/service/delete\nscope      function                       \nmatches    0x416C40                       \n           0x41BD80                       \n\nstart service (2 matches)\nnamespace  host-interaction/service/start\nscope      function                      \nmatches    0x41AB30                      \n           0x4202E0                      \n\nstop service\nnamespace  host-interaction/service/stop\nscope      function                     \nmatches    0x416C40                     \n\nget session information\nnamespace  host-interaction/session\nscope      function                \nmatches    0x45C2D0                \n\nget session user name\nnamespace  host-interaction/session\nscope      function                \nmatches    0x4183B0                \n\nget token membership\nnamespace  host-interaction/session\nscope      function                \nmatches    0x45C540                \n\nget installed programs (3 matches)\nnamespace  host-interaction/software\nscope      function                 \nmatches    0x4368C0                 \n           0x438810                 \n           0x46EAC0                 \n\ncreate thread (2 matches)\nnamespace  host-interaction/thread/create\nscope      basic block                   \nmatches    0x44C393                      \n           0x44E7DE                      \n\nallocate thread local storage\nnamespace  host-interaction/thread/tls\nscope      function                   \nmatches    0x4B242D                   \n\nset thread local storage value\nnamespace  host-interaction/thread/tls\nscope      function      
             \nmatches    0x4B24EA                   \n\nimpersonate user\nnamespace  host-interaction/user\nscope      function             \nmatches    0x454270             \n\nconnect to WMI namespace via WbemLocator (6 matches)\nnamespace  host-interaction/wmi\nscope      function            \nmatches    0x40C030            \n           0x40C400            \n           0x40C7D0            \n           0x40CBA0            \n           0x40D100            \n           0x40D560            \n\naccess PEB ldr_data (5 matches)\nnamespace  linking/runtime-linking\nscope      basic block            \nmatches    0x440910               \n           0x440CD0               \n           0x4412A0               \n           0x4516F0               \n           0x47DDE0               \n\nget kernel32 base address (2 matches)\nnamespace  linking/runtime-linking\nscope      basic block            \nmatches    0x440CD0               \n           0x4412A0               \n\nget ntdll base address\nnamespace  linking/runtime-linking\nscope      basic block            \nmatches    0x47DDE0               \n\nlink function at runtime on Windows (16 matches)\nnamespace  linking/runtime-linking\nscope      instruction            \nmatches    0x40817B               \n           0x40891B               \n           0x408B79               \n           0x408BE9               \n           0x409502               \n           0x435BFA               \n           0x448D22               \n           0x451187               \n           0x45BEB8               \n           0x491106               \n           0x49111B               \n           0x49233D               \n           0x49933F               \n           0x49F111               \n           0x4B22A6               \n           0x453947               \n\nparse PE header (2 matches)\nnamespace  load-code/pe\nscope      function    \nmatches    0x495147    \n           0x4BE290    \n\nresolve function by parsing PE exports\nnamespace  
load-code/pe\nscope      function    \nmatches    0x424690    \n\npersist via Windows service (2 matches)\nnamespace  persistence/service\nscope      function           \nmatches    0x417480           \n           0x4183B0           \n\n\n\n","very_verbose":"md5                     306d298f4ffd7cd8a40031876906ee4e                        \nsha1                    446bc7b8d09e39215ed60f87c10e785c6083e836                \nsha256                  f450cef035a0355bdc9c5da156a92a83ea1ca3787cf8ccc6ace3559…\npath                    /home/apogean/projects/malware/windows/all_runs/MBSetup…\ntimestamp               2026-05-15 17:54:36.222753                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEINiJZZz/rules                                   \nfunction count          4017                                                    \nlibrary function count  878                                                     \ntotal feature count     224537                                                  \n\nPEB access (27 matches, only showing first match of library rule)\nauthor      michael.hunhoff@mandiant.com                                        \nscope       basic block                                                         \nmbc         Anti-Behavioral Analysis::Debugger Detection::Process Environment   \n            Block [B0001.019]                                                   \nreferences  
https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nbasic block @ 0x411DE0 in function 0x411DE0\n  or:\n    and:\n      arch: i386\n      characteristic: fs access @ 0x411DEA, 0x411E01\n      or:\n        offset: 0x30 @ 0x411E0F, 0x411E37\n\ncontain loop (543 matches, only showing first match of library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ 0x402730\n  or:\n    characteristic: tight loop @ 0x402A80\n\ncreate or open file (8 matches, only showing first match of library rule)\nauthor  michael.hunhoff@mandiant.com, joakim@intezer.com\nscope   instruction                                     \nmbc     File System::Create File [C0016]                \ninstruction @ 0x40CC7F\n  or:\n    api: CreateFile @ 0x40CC7F\n\ncreate or open registry key (35 matches, only showing first match of library \nrule)\nauthor  michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope   basic block                                                             \nmbc     Operating System::Registry::Create Registry Key [C0036.004], Operating  \n        System::Registry::Open Registry Key [C0036.003]                         \nbasic block @ 0x4081B1 in function 0x408110\n  or:\n    api: RegCreateKeyEx @ 0x4081C4\n\ndelay execution (18 matches, only showing first match of library rule)\nauthor      michael.hunhoff@mandiant.com, @ramen0x3f                            \nscope       basic block                                                         \nmbc         Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed         \n            Execution [B0003.003]                                               \nreferences  https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions, \n            https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/T…\nbasic block @ 0x41706E in function 0x416C40\n  or:\n    and:\n      os: windows\n      or:\n        api: Sleep @ 0x417073\n\nget OS version (4 
matches, only showing first match of library rule)\nauthor  @mr-tz  \nscope   function\nfunction @ 0x40E180\n  or:\n    api: VerifyVersionInfo @ 0x40E217\n    api: VerSetConditionMask @ 0x40E1E9, 0x40E1ED, 0x40E1F1\n\nget service handle (8 matches, only showing first match of library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ 0x416C40\n  or:\n    api: OpenService @ 0x416D64\n\nopen process (2 matches, only showing first match of library rule)\nauthor  0x534a@mailbox.org           \nscope   basic block                  \nmbc     Process::Open Process [C0065]\nbasic block @ 0x453BE3 in function 0x453B90\n  or:\n    api: OpenProcess @ 0x453BE7\n\nreference analysis tools strings\nnamespace   anti-analysis                                                       \nauthor      michael.hunhoff@mandiant.com                                        \nscope       file                                                                \nmbc         Discovery::Analysis Tool Discovery::Process detection [B0013.001]   \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /(?<!\\w)ida?(\\.exe)?$/i\n    - \"!\\\\IDAT\" @ file+0x1ED3AC\n  regex: /decompile(\\.exe)?/i\n    - \"\\t<p class='text-content'>Except as specifically permitted under Section 2(g) \nbelow, You must have a license to the Software for every Device on which you \noperate the Software. You may run the Software on a network, provided that you \nhave a license to the Software for each: (1) Device that the Software is \nExecuted on; and (2) Device or user instance that can access the Software over \nthat network that is not included in (1). 
You may not use on behalf of, or make \nthe functionality of the Software available to, third parties for any purpose, \nsuch as for providing any computer repair, help desk or troubleshooting service.\nExcept as expressly specified or permitted in this Agreement, you may not: (i) \ncopy (except in the course of loading or installing) or modify the Software, \nincluding but not limited to adding new features or otherwise making adaptations\nthat alter the functioning of the Software; (ii) transfer, sublicense, lease, \nlend, rent or otherwise distribute the Software to any third party; (iii) make \nthe functionality of the Software available to any third party through any \nmeans, including but not limited to by uploading the Software to a network or \nfile-sharing service or through any hosting, application services provider, \nservice bureau, SaaS or any other type of services; or (iv) use the Software for\nany illegal purpose or conduct. You acknowledge and agree that portions of the \nSoftware, including but not limited to the source code and the specific design \nand structure of individual modules or programs, constitute or contain trade \nsecrets of Malwarebytes and its licensors. Accordingly, you agree not to \ndisassemble, decompile or reverse engineer the Software or Database (defined \nbelow), in whole or in part, or permit or authorize a third party to do so, \nexcept to the extent such activities are expressly permitted by law \nnotwithstanding this prohibition. 
You will comply with any additional \nrestrictions contained in your Purchase Receipt or other purchasing \ndocumentation.</p>\" @ file+0x246A9E\n\nreference anti-VM strings\nnamespace   anti-analysis/anti-vm/vm-detection                                  \nauthor      moritz.raabe@mandiant.com                                           \nscope       file                                                                \natt&ck      Defense Evasion::Virtualization/Sandbox Evasion::System Checks      \n            [T1497.001]                                                         \nmbc         Anti-Behavioral Analysis::Virtual Machine Detection [B0009]         \nreferences  https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm…\n            https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /KVMKVMKVM/i\n    - \"KVMKVMKVM\" @ file+0xEE310\n\nreference anti-VM strings targeting Parallels\nnamespace   anti-analysis/anti-vm/vm-detection                                  \nauthor      michael.hunhoff@mandiant.com                                        \nscope       file                                                                \natt&ck      Defense Evasion::Virtualization/Sandbox Evasion::System Checks      \n            [T1497.001]                                                         \nmbc         Anti-Behavioral Analysis::Virtual Machine Detection [B0009]         \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /Parallels/i\n    - \"Parallels Hv\" @ file+0xEE31C\n\nreference anti-VM strings targeting VMWare\nnamespace   anti-analysis/anti-vm/vm-detection                                  \nauthor      michael.hunhoff@mandiant.com, @johnk3r                              \nscope       file                                                                \natt&ck      Defense Evasion::Virtualization/Sandbox Evasion::System Checks      \n            [T1497.001]                  
                                       \nmbc         Anti-Behavioral Analysis::Virtual Machine Detection [B0009]         \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /VMWare/i\n    - \"VMware\" @ file+0xEE350\n    - \"VMwareVMware\" @ file+0xEE2E0\n  regex: /VMwareVMware/i\n    - \"VMwareVMware\" @ file+0xEE2E0\n\nreference anti-VM strings targeting VirtualBox\nnamespace   anti-analysis/anti-vm/vm-detection                                  \nauthor      michael.hunhoff@mandiant.com                                        \nscope       file                                                                \natt&ck      Defense Evasion::Virtualization/Sandbox Evasion::System Checks      \n            [T1497.001]                                                         \nmbc         Anti-Behavioral Analysis::Virtual Machine Detection [B0009]         \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /VBOX/i\n    - \"VBoxVBoxVBox\" @ file+0xEE2F0\n  regex: /VBoxVBoxVBox/i\n    - \"VBoxVBoxVBox\" @ file+0xEE2F0\n\nreference anti-VM strings targeting Xen\nnamespace   anti-analysis/anti-vm/vm-detection                                  \nauthor      michael.hunhoff@mandiant.com                                        \nscope       file                                                                \natt&ck      Defense Evasion::Virtualization/Sandbox Evasion::System Checks      \n            [T1497.001]                                                         \nmbc         Anti-Behavioral Analysis::Virtual Machine Detection [B0009]         \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /^Xen/i\n    - \"XenVMMXenVMM\" @ file+0xEE300\n  regex: /XenVMMXenVMM/i\n    - \"XenVMMXenVMM\" @ file+0xEE300\n\ncontain obfuscated stackstrings\nnamespace  anti-analysis/obfuscation/string/stackstring                         \nauthor     
moritz.raabe@mandiant.com                                            \nscope      basic block                                                          \natt&ck     Defense Evasion::Obfuscated Files or Information::Indicator Removal  \n           from Tools [T1027.005]                                               \nmbc        Anti-Static Analysis::Executable Code Obfuscation::Argument          \n           Obfuscation [B0032.020], Anti-Static Analysis::Executable Code       \n           Obfuscation::Stack Strings [B0032.017]                               \nbasic block @ 0x4647F0 in function 0x4647F0\n  characteristic: stack string @ 0x4647F0\n\nget geographical location (3 matches)\nnamespace  collection                                  \nauthor     moritz.raabe, michael.hunhoff@mandiant.com  \nscope      function                                    \natt&ck     Discovery::System Location Discovery [T1614]\nfunction @ 0x49216E\n  or:\n    api: GetLocaleInfoEx @ 0x492182\nfunction @ 0x4B8CB0\n  or:\n    api: GetLocaleInfo @ 0x4B8CDC\nfunction @ 0x4B8D86\n  or:\n    api: GetLocaleInfo @ 0x4B8F27, 0x4B8F42\n\nreference SQL statements (2 matches)\nnamespace  collection/database/sql                               \nauthor     william.ballenthin@mandiant.com                       \nscope      function                                              \natt&ck     Collection::Data from Information Repositories [T1213]\nfunction @ 0x40CBA0\n  and:\n    regex: /SELECT.*FROM.*WHERE/\n      - \"SELECT Signature FROM Win32_DiskDrive WHERE Index=%u\" @ 0x40CCE5\nfunction @ 0x40D560\n  and:\n    regex: /SELECT.*FROM.*WHERE/\n      - \"SELECT SerialNumber FROM Win32_DiskDrive WHERE Index=%u\" @ 0x40D67B\n\ninitialize WinHTTP library\nnamespace  communication/http                                    \nauthor     michael.hunhoff@mandiant.com                          \nscope      function                                              \nmbc        Communication::HTTP Communication::WinHTTP 
[C0002.008]\nfunction @ 0x469560\n  and:\n    api: WinHttpOpen @ 0x46959B\n\nread HTTP header (3 matches)\nnamespace  communication/http                                           \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Read Header [C0002.014]   \nfunction @ 0x46B430\n  or:\n    api: WinHttpQueryHeaders @ 0x46C0D3, 0x46C214, 0x46C519, 0x46C774, and 1 more...\nfunction @ 0x46D980\n  or:\n    api: WinHttpQueryHeaders @ 0x46E3ED\nfunction @ 0x478DD0\n  or:\n    api: WinHttpQueryHeaders @ 0x4797C8\n\nset HTTP header\nnamespace  communication/http                                           \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \nmbc        Communication::HTTP Communication::Set Header [C0002.013]    \nfunction @ 0x478DD0\n  or:\n    api: WinHttpAddRequestHeaders @ 0x4793D3\n\ncheck HTTP status code (5 matches)\nnamespace  communication/http/client                                 \nauthor     @mr-tz                                                    \nscope      function                                                  \nmbc        Communication::HTTP Communication::Read Header [C0002.014]\nfunction @ 0x405050\n  and:\n    os: windows\n    instruction:\n      and:\n        or:\n          mnemonic: cmp @ 0x4054D2\n        or:\n          number: 0xC8 = OK @ 0x4054D2\n      and:\n        or:\n          mnemonic: cmp @ 0x405673\n        or:\n          number: 0xC8 = OK @ 0x405673\n      and:\n        or:\n          mnemonic: cmp @ 0x4055E7\n        or:\n          number: 0xC8 = OK @ 0x4055E7\n      and:\n        or:\n          mnemonic: cmp @ 0x40545E\n        or:\n          number: 0xC8 = OK @ 0x40545E\n      and:\n        or:\n          mnemonic: cmp @ 0x40555E\n        or:\n          number: 0xC8 = OK @ 
0x40555E\n    or:\n      number: 0x13 = HTTP_QUERY_STATUS_CODE @ 0x4051A8, 0x4051BC\nfunction @ 0x452990\n  and:\n    os: windows\n    instruction:\n      and:\n        or:\n          mnemonic: cmp @ 0x4534F9\n        or:\n          number: 0xC8 = OK @ 0x4534F9\n      and:\n        or:\n          mnemonic: cmp @ 0x4534D2\n        or:\n          number: 0xC8 = OK @ 0x4534D2\n      and:\n        or:\n          mnemonic: cmp @ 0x45348D\n        or:\n          number: 0xC8 = OK @ 0x45348D\n      and:\n        or:\n          mnemonic: cmp @ 0x453466\n        or:\n          number: 0xC8 = OK @ 0x453466\n    or:\n      number: 0x13 = HTTP_QUERY_STATUS_CODE @ 0x452ABF\nfunction @ 0x46B430\n  and:\n    os: windows\n    instruction:\n      and:\n        or:\n          mnemonic: cmp @ 0x46C73C\n        or:\n          number: 0xC8 = OK @ 0x46C73C\n    or:\n      number: 0x20000013 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE @ 0x46C0C3, 0x46C513\n      number: 0x13 = HTTP_QUERY_STATUS_CODE @ 0x46C427\nfunction @ 0x46D980\n  and:\n    os: windows\n    instruction:\n      and:\n        or:\n          mnemonic: cmp @ 0x46E577\n        or:\n          number: 0xC8 = OK @ 0x46E577\n    or:\n      number: 0x20000013 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE @ 0x46E3E7\nfunction @ 0x478DD0\n  and:\n    os: windows\n    instruction:\n      and:\n        or:\n          mnemonic: cmp @ 0x479A70\n        or:\n          number: 0xC8 = OK @ 0x479A70\n    or:\n      number: 0x20000013 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE @ 0x4797C2\n\nprepare HTTP request (3 matches)\nnamespace  communication/http/client                                    \nauthor     michael.hunhoff@mandiant.com                                 \nscope      function                                                     \nmbc        Communication::HTTP Communication::Create Request [C0002.012]\nfunction @ 0x46B430\n  or:\n    api: WinHttpOpenRequest @ 0x46B85E\nfunction @ 0x46D980\n  or:\n    api: 
WinHttpOpenRequest @ 0x46DE06\nfunction @ 0x478DD0\n  or:\n    api: WinHttpOpenRequest @ 0x4791F5\n\nreceive HTTP response (3 matches)\nnamespace  communication/http/client                                  \nauthor     michael.hunhoff@mandiant.com                               \nscope      function                                                   \nmbc        Communication::HTTP Communication::Get Response [C0002.017]\nfunction @ 0x46B430\n  or:\n    api: WinHttpReceiveResponse @ 0x46C033, 0x46C486\n    and:\n      api: WinHttpReadData @ 0x46CBE1, 0x46CF86, 0x46D18C\n      optional:\n        api: WinHttpQueryDataAvailable @ 0x46CBB2\nfunction @ 0x46D980\n  or:\n    api: WinHttpReceiveResponse @ 0x46E2F5\nfunction @ 0x478DD0\n  or:\n    api: WinHttpReceiveResponse @ 0x479691\n    and:\n      api: WinHttpReadData @ 0x4799E2\n      optional:\n        api: WinHttpQueryDataAvailable @ 0x4799AC\n\nconnect pipe\nnamespace  communication/named-pipe/connect                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com            \nscope      function                                                           \nmbc        Communication::Interprocess Communication::Connect Pipe [C0003.002]\nfunction @ 0x420990\n  or:\n    api: CallNamedPipe = connect, read, write from pipe in single operation @ 0x420BF4\n\nread pipe\nnamespace    communication/named-pipe/read                                      \nauthor       moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com            \nscope        function                                                           \nmbc          Communication::Interprocess Communication::Read Pipe [C0003.003]   \ndescription  PeekNamedPipe isn't required to read from a pipe; however, pipes   \n             are often utilized to capture the output of a cmd.exe process. 
In a\n             multi-thread instance, a new thread is created that calls          \n             PeekNamedPipe and ReadFile to obtain the command output.           \nfunction @ 0x420990\n  or:\n    api: CallNamedPipe = connects, writes, and reads pipe in single operation @ 0x420BF4\n\nwrite pipe\nnamespace  communication/named-pipe/write                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com          \nscope      function                                                         \nmbc        Communication::Interprocess Communication::Write Pipe [C0003.004]\nfunction @ 0x420990\n  or:\n    api: CallNamedPipe = connects, writes, and reads pipe in single operation @ 0x420BF4\n\nhash data via WinCrypt\nnamespace  data-manipulation/hashing               \nauthor     michael.hunhoff@mandiant.com            \nscope      function                                \nmbc        Cryptography::Cryptographic Hash [C0029]\nfunction @ 0x40A610\n  and:\n    api: CryptHashData @ 0x40A6C3\n    optional:\n      basic block:\n        and:\n          api: CryptGetHashParam @ 0x40A6ED\n          or:\n            number: 0x2 = HP_HASHVAL @ 0x40A6E8\n\ninitialize hashing via WinCrypt\nnamespace  data-manipulation/hashing   \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ 0x40A610\n  and:\n    api: CryptCreateHash @ 0x40A694\n    optional:\n      api: CryptDestroyHash @ 0x40A74E, 0x40A792\n\nhash data using SHA1\nnamespace  data-manipulation/hashing/sha1                                       \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           william.ballenthin@mandiant.com                                      \nscope      function                                                             \nmbc        Cryptography::Cryptographic Hash::SHA1 [C0029.002]                   \nfunction @ 0x40A610\n  or:\n    basic block:\n      and:\n        number: 0x8004 = 
CALG_SHA1 @ 0x40A68C\n        api: CryptCreateHash @ 0x40A694\n\nhash data using SHA1 via WinCrypt\nnamespace  data-manipulation/hashing/sha1\nauthor     michael.hunhoff@mandiant.com  \nscope      function                      \nfunction @ 0x40A610\n  or:\n    and:\n      match: initialize hashing via WinCrypt @ 0x40A610\n        and:\n          api: CryptCreateHash @ 0x40A694\n          optional:\n            api: CryptDestroyHash @ 0x40A74E, 0x40A792\n      number: 0x8004 = CALG_SHA1 @ 0x40A68C\n      api: CryptHashData @ 0x40A6C3\n\ncontains PDB path\nnamespace  executable/pe/pdb        \nauthor     moritz.raabe@mandiant.com\nscope      file                     \nregex: /:\\\\.*\\.pdb/\n  - \"C:\\\\Jenkins\\\\workspace\\\\MBAM-Windows\\\\A_MB5_MBSetup\\\\bin\\\\Win32\\\\Release\\\\MBSet\nup.pdb\" @ file+0x102908\n\nextract resource via kernel32 functions (5 matches)\nnamespace  executable/resource            \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ 0x409790\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x40986E\n      optional:\n        or:\n          api: FindResource @ 0x409856\n        api: SizeofResource @ 0x40988C\nfunction @ 0x413370\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x41337C\n        api: LockResource @ 0x413387\n      optional:\n        api: SizeofResource @ 0x413395\nfunction @ 0x447330\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x44737F\n        api: LockResource @ 0x44738A\n      optional:\n        or:\n          api: FindResource @ 0x447356\n        api: SizeofResource @ 0x447369\nfunction @ 0x452880\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x4528C8\n        api: LockResource @ 0x4528D7\n      optional:\n        or:\n          api: FindResource @ 0x4528A2\n        api: SizeofResource @ 0x4528B5\nfunction @ 0x490180\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x490301\n        api: LockResource @ 0x4903C1\n      
optional:\n        or:\n          api: FindResourceEx @ 0x4901D4\n        api: SizeofResource @ 0x4901E7\n\nmanipulate safe mode programs\nnamespace  host-interaction/bootloader                                 \nauthor     william.ballenthin@mandiant.com                             \nscope      function                                                    \natt&ck     Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009]\nfunction @ 0x4354B0\n  and:\n    os: windows\n    or:\n      substring: Control\\SafeBoot\\Minimal\\\n        - \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\MBAMInstallerService\" @ 0x4354F3\n      substring: Control\\SafeBoot\\Network\\\n        - \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\MBAMInstallerService\" @ 0x4356C3\n\naccept command line arguments\nnamespace  host-interaction/cli                                      \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \natt&ck     Execution::Command and Scripting Interpreter [T1059]      \nmbc        Execution::Command and Scripting Interpreter [E1059]      \nfunction @ 0x4268E0\n  or:\n    api: GetCommandLine @ 0x426E6A\n    api: CommandLineToArgv @ 0x426E71\n\ninteract with driver via IOCTL (4 matches)\nnamespace  host-interaction/driver  \nauthor     moritz.raabe@mandiant.com\nscope      instruction              \ninstruction @ 0x40CCA8\n  or:\n    api: DeviceIoControl @ 0x40CCA8\ninstruction @ 0x40D661\n  or:\n    api: DeviceIoControl @ 0x40D661\ninstruction @ 0x40DCDC\n  or:\n    api: DeviceIoControl @ 0x40DCDC\ninstruction @ 0x40DD29\n  or:\n    api: DeviceIoControl @ 0x40DD29\n\nquery environment variable\nnamespace  host-interaction/environment-variable          \nauthor     michael.hunhoff@mandiant.com, @_re_fox         \nscope      function                                       \natt&ck     Discovery::System Information Discovery 
[T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ 0x4B63EF\n  or:\n    api: GetEnvironmentStrings @ 0x4B63F2\n\nset environment variable\nnamespace  host-interaction/environment-variable                           \nauthor     michael.hunhoff@mandiant.com                                    \nscope      function                                                        \nmbc        Operating System::Environment Variable::Set Variable [C0034.001]\nfunction @ 0x4B67F8\n  or:\n    api: SetEnvironmentVariable @ 0x4B6669\n\nget common file path (16 matches)\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ 0x40CBA0\n  or:\n    api: GetSystemDirectory @ 0x40CBF9\nfunction @ 0x40D560\n  or:\n    api: GetSystemDirectory @ 0x40D5B9\nfunction @ 0x40DBA0\n  or:\n    api: GetSystemDirectory @ 0x40DBFF\nfunction @ 0x4268E0\n  or:\n    api: GetWindowsDirectory @ 0x426BC2\nfunction @ 0x429DB0\n  or:\n    api: SHGetKnownFolderPath @ 0x429F06, 0x42A25B\nfunction @ 0x42BC20\n  or:\n    api: GetWindowsDirectory @ 0x42C195\nfunction @ 0x42CAF0\n  or:\n    api: GetSystemDirectory @ 0x42CD1D\nfunction @ 0x434AA0\n  or:\n    api: GetSystemDirectory @ 0x434B44\nfunction @ 0x436F10\n  or:\n    api: SHGetKnownFolderPath @ 0x436FA5, 0x437FBB\nfunction @ 0x448B30\n  or:\n    api: GetSystemDirectory @ 0x448C83\nfunction @ 0x449490\n  or:\n    api: GetTempPath @ 0x449794\n    api: SHGetKnownFolderPath @ 0x44961C\nfunction @ 0x4499B0\n  or:\n    api: GetWindowsDirectory @ 0x449A0C\nfunction @ 0x449B90\n  or:\n    api: 
SHGetKnownFolderPath @ 0x449C00\nfunction @ 0x44BBB0\n  or:\n    api: SHGetKnownFolderPath @ 0x44BC19\nfunction @ 0x455440\n  or:\n    api: GetCurrentDirectory @ 0x455619\nfunction @ 0x492328\n  or:\n    api: GetTempPath @ 0x49235D\n\nset current directory\nnamespace  host-interaction/file-system\nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ 0x4268E0\n  or:\n    api: SetCurrentDirectory @ 0x426BEF\n\ncreate directory (2 matches)\nnamespace  host-interaction/file-system/create                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Create Directory [C0046]                  \nfunction @ 0x449490\n  or:\n    api: CreateDirectory @ 0x4498D1\nfunction @ 0x44D830\n  or:\n    api: CreateDirectory @ 0x44DA4A\n\ndelete file (3 matches)\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete File [C0047]                       \nfunction @ 0x415480\n  or:\n    api: DeleteFile @ 0x41634F\nfunction @ 0x43BFF0\n  or:\n    api: DeleteFile @ 0x43C266\nfunction @ 0x44DB40\n  or:\n    api: DeleteFile @ 0x44E452\n\ncheck if file exists (3 matches)\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ 0x42BC20\n  or:\n    basic block:\n      and:\n        api: GetLastError @ 0x42C423\n        instruction:\n          and:\n            mnemonic: cmp @ 0x42C42B\n            number: 0x2 = ERROR_FILE_NOT_FOUND @ 0x42C42B\nfunction @ 0x449490\n  or:\n  
  api: PathFileExists @ 0x449885\nfunction @ 0x46EAC0\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x46EFDC\n        instruction:\n          and:\n            mnemonic: cmp @ 0x46EFE2\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x46EFE2\n\nenumerate files on Windows (2 matches)\nnamespace   host-interaction/file-system/files/list                             \nauthor      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com          \nscope       function                                                            \natt&ck      Discovery::File and Directory Discovery [T1083]                     \nmbc         Discovery::File and Directory Discovery [E1083]                     \nreferences  https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b16…\nfunction @ 0x436F10\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x4380E1\n      or:\n        api: FindNextFile @ 0x438407\n      optional:\n        api: FindClose @ 0x43845D\n        match: contain loop @ 0x436F10\n          or:\n            characteristic: loop @ 0x436F10\n            characteristic: tight loop @ 0x436FE0, 0x437FF3\nfunction @ 0x4B598B\n  or:\n    and:\n      or:\n        api: FindFirstFileEx @ 0x4B5A26\n      or:\n        api: FindNextFile @ 0x4B5AA1\n      optional:\n        api: FindClose @ 0x4B5AC3, 0x4B5AE6\n        match: contain loop @ 0x4B598B\n          or:\n            characteristic: loop @ 0x4B598B\n\nget file attributes (2 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      basic block                                                  \nmbc        File System::Get File Attributes [C0049]                     \nbasic block @ 0x46EFC7 in function 0x46EAC0\n  or:\n    api: GetFileAttributes @ 0x46EFDC\nbasic block @ 0x492987 in function 0x492960\n  or:\n    api: GetFileAttributes @ 0x49298B\n\nget file version 
info\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        Discovery::File and Directory Discovery [E1083]              \nfunction @ 0x454FC0\n  and:\n    or:\n      api: GetFileVersionInfo @ 0x45512E\n    optional: = retrieve specified version information from the version-information resource\n      api: VerQueryValue @ 0x455204\n      or:\n        api: GetFileVersionInfoSize @ 0x455018\n\nread file on Windows (5 matches)\nnamespace  host-interaction/file-system/read                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \nmbc        File System::Read File [C0051]                            \nfunction @ 0x43EC60\n  or:\n    and:\n      os: windows\n      or:\n        api: fread @ 0x43EDCD, 0x43EDEF\nfunction @ 0x4B1575\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x4B164B\nfunction @ 0x4B2933\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x4B29E7\nfunction @ 0x4B2A80\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x4B2B5F\nfunction @ 0x4B2F28\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x4B31F6\n\nclear file content\nnamespace  host-interaction/file-system/write\nauthor     jakeperalta7                      \nscope      function                          \nmbc        File System::Writes File [C0052]  \nfunction @ 0x4BD065\n  and:\n    api: SetEndOfFile @ 0x4BD1B1\n    not:\n      api: SetFilePointer\n\nwrite file on Windows (2 matches)\nnamespace  host-interaction/file-system/write                              \nauthor     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      
function                                                        \nmbc        File System::Writes File [C0052]                                \nfunction @ 0x4B03D0\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4B0616\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4B05EB\n      or:\n        api: WriteFile @ 0x4B0685, 0x4B06CB\nfunction @ 0x4B0CBA\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4B0D31\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4B0D55\n      or:\n        api: WriteFile @ 0x4B0E3F\n\nfind graphical window\nnamespace  host-interaction/gui/window/find               \nauthor     moritz.raabe@mandiant.com                      \nscope      instruction                                    \natt&ck     Discovery::Application Window Discovery [T1010]\ninstruction @ 0x427628\n  or:\n    api: FindWindow @ 0x427628\n\nget graphical window text\nnamespace  host-interaction/gui/window/get-text           \nauthor     moritz.raabe@mandiant.com                      \nscope      function                                       \nmbc        Discovery::Application Window Discovery [E1010]\nfunction @ 0x404AC0\n  or:\n    and:\n      api: GetWindowText @ 0x404AFA\n\nhide graphical window (15 matches)\nnamespace  host-interaction/gui/window/hide                          \nauthor     michael.hunhoff@mandiant.com                              \nscope      basic block                                               \natt&ck     Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\nbasic block @ 0x40F39F in function 0x40F4B2\n  and:\n    number: 0x0 = SW_HIDE @ 0x40F39F, 0x40F3BA\n    api: ShowWindow @ 0x40F3A9, 0x40F3AF\nbasic block @ 0x40F39F in function 0x40F4B2\n  and:\n    number: 0x0 = SW_HIDE @ 0x40F39F, 0x40F3BA\n    api: ShowWindow @ 0x40F3A9, 0x40F3AF\nbasic 
block @ 0x40F39F in function 0x40F4B2\n  and:\n    number: 0x0 = SW_HIDE @ 0x40F39F, 0x40F3BA\n    api: ShowWindow @ 0x40F3A9, 0x40F3AF\nbasic block @ 0x40F39F in function 0x40F4B2\n  and:\n    number: 0x0 = SW_HIDE @ 0x40F39F, 0x40F3BA\n    api: ShowWindow @ 0x40F3A9, 0x40F3AF\nbasic block @ 0x40F39F in function 0x40F4B2\n  and:\n    number: 0x0 = SW_HIDE @ 0x40F39F, 0x40F3BA\n    api: ShowWindow @ 0x40F3A9, 0x40F3AF\nbasic block @ 0x40F39F in function 0x40F4B2\n  and:\n    number: 0x0 = SW_HIDE @ 0x40F39F, 0x40F3BA\n    api: ShowWindow @ 0x40F3A9, 0x40F3AF\nbasic block @ 0x410105 in function 0x4100B0\n  and:\n    number: 0x0 = SW_HIDE @ 0x410105, 0x410120\n    api: ShowWindow @ 0x41010F, 0x410115\nbasic block @ 0x41EF4A in function 0x41E490\n  and:\n    number: 0x0 = SW_HIDE @ 0x41EF4A, 0x41EF60, 0x41EF7B, 0x41EF85, and 4 more...\n    api: ShowWindow @ 0x41EF83, 0x41EF9B\nbasic block @ 0x41F805 in function 0x41F270\n  and:\n    number: 0x0 = SW_HIDE @ 0x41F80E, 0x41F810, 0x41F825\n    api: ShowWindow @ 0x41F82D, 0x41F837, 0x41F847\nbasic block @ 0x4255D9 in function 0x424970\n  and:\n    number: 0x0 = SW_HIDE @ 0x4255E5, 0x425609, 0x42562B\n    api: ShowWindow @ 0x4255E9\nbasic block @ 0x42568A in function 0x424970\n  and:\n    number: 0x0 = SW_HIDE @ 0x425696, 0x4256A6, 0x4256B6, 0x4256DA\n    api: ShowWindow @ 0x42569A, 0x4256BA\nbasic block @ 0x42761E in function 0x4268E0\n  and:\n    number: 0x0 = SW_HIDE @ 0x427641, 0x427643, 0x427645, 0x427647, and 4 more...\n    api: ShowWindow @ 0x427639\nbasic block @ 0x464151 in function 0x463840\n  and:\n    number: 0x0 = SW_HIDE @ 0x464151, 0x464167, 0x464182, 0x464189, and 2 more...\n    api: ShowWindow @ 0x464187, 0x46419F\nbasic block @ 0x4644D8 in function 0x4641F0\n  and:\n    number: 0x0 = SW_HIDE @ 0x4644E3, 0x46450C, 0x46450E, 0x464523\n    api: ShowWindow @ 0x464528, 0x46452F, 0x464547\nbasic block @ 0x4683FC in function 0x467950\n  and:\n    number: 0x0 = SW_HIDE @ 0x4683FC\n    api: ShowWindow @ 
0x468400\n\nget disk information\nnamespace  host-interaction/hardware/storage                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \natt&ck     Discovery::System Information Discovery [T1082]           \nmbc        Discovery::System Information Discovery [E1082]           \nfunction @ 0x449490\n  or:\n    api: GetLogicalDrives @ 0x44950B\n\nget disk information via IOCTL (2 matches)\nnamespace   host-interaction/hardware/storage                                   \nauthor      william.ballenthin@mandiant.com                                     \nscope       basic block                                                         \natt&ck      Discovery::System Information Discovery [T1082]                     \nmbc         Discovery::System Information Discovery [E1082]                     \nreferences  https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-…\n            http://www.ioctls.net/                                              \nbasic block @ 0x40CC8C in function 0x40CBA0\n  and:\n    or:\n      match: interact with driver via IOCTL @ 0x40CCA8\n        or:\n          api: DeviceIoControl @ 0x40CCA8\n    or:\n      number: 0x2D1080 = IOCTL_STORAGE_GET_DEVICE_NUMBER @ 0x40CCA2\nbasic block @ 0x40D5F0 in function 0x40D560\n  and:\n    or:\n      match: interact with driver via IOCTL @ 0x40D661\n        or:\n          api: DeviceIoControl @ 0x40D661\n    or:\n      number: 0x2D1080 = IOCTL_STORAGE_GET_DEVICE_NUMBER @ 0x40D65B\n\nget disk size\nnamespace   host-interaction/hardware/storage                                   \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Discovery::System Information Discovery [T1082]                     \nmbc         Discovery::System Information Discovery [E1082]                 
    \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nfunction @ 0x42A3C0\n  or:\n    api: GetDiskFreeSpaceEx @ 0x42A422\n\nget storage device properties\nnamespace   host-interaction/hardware/storage                                   \nauthor      michael.hunhoff@mandiant.com                                        \nscope       function                                                            \nreferences  https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-wini…\nfunction @ 0x40DBA0\n  and:\n    number: 0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY @ 0x40DCC0, 0x40DD23\n    or:\n      match: interact with driver via IOCTL @ 0x40DCDC, 0x40DD29\n        or:\n          api: DeviceIoControl @ 0x40DD29\n        or:\n          api: DeviceIoControl @ 0x40DCDC\n\ncreate or open mutex on Windows\nnamespace  host-interaction/mutex                                               \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com,          \n           mehunhoff@google.com                                                 \nscope      instruction                                                          \nmbc        Process::Create Mutex [C0042]                                        \ninstruction @ 0x427500\n  or:\n    api: CreateMutex @ 0x427500\n\nget proxy (2 matches)\nnamespace  host-interaction/network/proxy                           \nauthor     moritz.raabe@mandiant.com                                \nscope      function                                                 \natt&ck     Discovery::System Network Configuration Discovery [T1016]\nfunction @ 0x4178D0\n  and:\n    match: create or open registry key @ 0x417920\n      or:\n        api: RegOpenKeyEx @ 0x417942\n    string: \"ProxyServer\" @ 0x4179D3\nfunction @ 0x4183B0\n  and:\n    match: create or open registry key @ 0x418499, 0x41858B\n      or:\n        api: RegOpenKeyEx @ 0x4184C1\n      or:\n        api: RegCreateKeyEx @ 0x4185AC\n    string: 
\"ProxyServer\" @ 0x4186C7\n\nshutdown system\nnamespace  host-interaction/os                   \nauthor     michael.hunhoff@mandiant.com          \nscope      function                              \natt&ck     Impact::System Shutdown/Reboot [T1529]\nfunction @ 0x434E20\n  or:\n    api: InitiateSystemShutdownEx @ 0x43502C\n\nget system information on Windows\nnamespace  host-interaction/os/info                       \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com  \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nfunction @ 0x4268E0\n  and:\n    os: windows\n    or:\n      api: GetNativeSystemInfo @ 0x42777D\n\nget thread local storage value\nnamespace  host-interaction/process    \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ 0x4B24AB\n  and:\n    api: TlsGetValue @ 0x4B24E4\n\ncreate process on Windows (12 matches)\nnamespace  host-interaction/process/create\nauthor     moritz.raabe@mandiant.com      \nscope      basic block                    \nmbc        Process::Create Process [C0017]\nbasic block @ 0x4242F9 in function 0x4240D0\n  or:\n    api: ShellExecute @ 0x424307\nbasic block @ 0x42E03A in function 0x42D700\n  or:\n    api: ShellExecute @ 0x42E04D\nbasic block @ 0x42FE3E in function 0x42F9D0\n  or:\n    api: ShellExecute @ 0x42FE7C\nbasic block @ 0x439E34 in function 0x439510\n  or:\n    api: CreateProcess @ 0x439E51\nbasic block @ 0x43A802 in function 0x43A650\n  or:\n    api: CreateProcess @ 0x43A827\nbasic block @ 0x43B4FB in function 0x43B170\n  or:\n    api: ShellExecute @ 0x43B54A\nbasic block @ 0x446756 in function 0x4465C0\n  or:\n    api: ShellExecute @ 0x446765\nbasic block @ 0x44678A in function 0x4465C0\n  or:\n    api: ShellExecute @ 0x44679B\nbasic block @ 0x44D0E2 in function 0x44C600\n  or:\n    api: ShellExecute @ 0x44D105\nbasic block @ 0x4543E8 in function 0x454270\n  or:\n    api: CreateProcessWithToken @ 
0x454455\nbasic block @ 0x45B05B in function 0x45AE90\n  or:\n    api: ShellExecute @ 0x45B0A0\nbasic block @ 0x46873C in function 0x468420\n  or:\n    api: ShellExecute @ 0x46874A\n\ncreate process suspended\nnamespace   host-interaction/process/create                                     \nauthor      william.ballenthin@mandiant.com, mehunhoff@google.com               \nscope       basic block                                                         \nmbc         Process::Create Process::Create Suspended Process [C0017.003]       \nreferences  https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-…\n            https://learn.microsoft.com/en-us/windows/win32/procthread/process-…\nbasic block @ 0x4543E8 in function 0x454270\n  or:\n    and:\n      or:\n        number: 0x4 = CREATE_SUSPENDED @ 0x454435\n      or:\n        api: CreateProcessWithToken @ 0x454455\n\nenumerate processes\nnamespace  host-interaction/process/list                                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com              \nscope      function                                                             \natt&ck     Discovery::Process Discovery [T1057], Discovery::Software Discovery  \n           [T1518]                                                              \nfunction @ 0x455350\n  or:\n    and:\n      api: Process32First @ 0x4553A5\n      api: Process32Next @ 0x4553C5\n      optional:\n        basic block:\n          and:\n            api: CreateToolhelp32Snapshot @ 0x45536D\n            or:\n              number: 0x2 = TH32CS_SNAPPROCESS @ 0x45536B\n\nmodify access privileges (2 matches)\nnamespace  host-interaction/process/modify                        \nauthor     moritz.raabe@mandiant.com                              \nscope      instruction                                            \natt&ck     Privilege Escalation::Access Token Manipulation [T1134]\ninstruction @ 0x434F4F\n  and:\n    api: AdjustTokenPrivileges @ 
0x434F4F\ninstruction @ 0x454341\n  and:\n    api: AdjustTokenPrivileges @ 0x454341\n\nterminate process\nnamespace  host-interaction/process/terminate                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Process::Terminate Process [C0018]                                   \nfunction @ 0x49F080\n  or:\n    and:\n      or:\n        api: TerminateProcess @ 0x49F098\n        api: ExitProcess @ 0x49F0AA\n\nquery or enumerate registry key (4 matches)\nnamespace  host-interaction/registry                                 \nauthor     michael.hunhoff@mandiant.com                              \nscope      function                                                  \natt&ck     Discovery::Query Registry [T1012]                         \nmbc        Operating System::Registry::Query Registry Key [C0036.005]\nfunction @ 0x4089A0\n  and:\n    or:\n      api: RegEnumKeyEx @ 0x408A4A, 0x408A83\nfunction @ 0x4368C0\n  and:\n    optional:\n      match: create or open registry key @ 0x436B3E, 0x436C32\n        or:\n          api: RegOpenKeyEx @ 0x436C76\n        or:\n          api: RegOpenKeyEx @ 0x436B52\n    or:\n      api: RegEnumKeyEx @ 0x436BD7\nfunction @ 0x438810\n  and:\n    optional:\n      match: create or open registry key @ 0x438A60, 0x438D8B\n        or:\n          api: RegOpenKeyEx @ 0x438A99\n        or:\n          api: RegOpenKeyEx @ 0x438DB0\n    or:\n      api: RegEnumKeyEx @ 0x438B1F\nfunction @ 0x46EAC0\n  and:\n    optional:\n      match: create or open registry key @ 0x46EAC0, 0x46EBA5\n        or:\n          api: RegOpenKeyEx @ 0x46EB3A\n        or:\n          api: RegOpenKeyEx @ 0x46EBC6\n    or:\n      api: RegEnumKeyEx @ 0x46EB97\n\nquery or enumerate registry value (15 matches)\nnamespace  host-interaction/registry          
                                  \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com,       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::Query Registry [T1012]                                    \nmbc        Operating System::Registry::Query Registry Value [C0036.006]         \nfunction @ 0x40A800\n  and:\n    optional:\n      match: create or open registry key @ 0x40A82C\n        or:\n          api: RegOpenKeyEx @ 0x40A84C\n    or:\n      api: RegQueryValueEx @ 0x40A86A, 0x40A89A\nfunction @ 0x40E630\n  and:\n    or:\n      api: RegQueryValueEx @ 0x40E666\nfunction @ 0x4178D0\n  and:\n    optional:\n      match: create or open registry key @ 0x417920\n        or:\n          api: RegOpenKeyEx @ 0x417942\n    or:\n      api: RegQueryValueEx @ 0x41798C, 0x4179DE, 0x417E09\nfunction @ 0x41B350\n  and:\n    optional:\n      match: create or open registry key @ 0x41B44A\n        or:\n          api: RegOpenKeyEx @ 0x41B466\n    or:\n      api: RegQueryValueEx @ 0x41B55C\nfunction @ 0x41B6A0\n  and:\n    optional:\n      match: create or open registry key @ 0x41B79A\n        or:\n          api: RegOpenKeyEx @ 0x41B7B6\n    or:\n      api: RegQueryValueEx @ 0x41B8AB\nfunction @ 0x41B9F0\n  and:\n    or:\n      api: RegEnumValue @ 0x41BB9A\nfunction @ 0x4268E0\n  and:\n    optional:\n      match: create or open registry key @ 0x42836D\n        or:\n          api: RegOpenKeyEx @ 0x42838F\n    or:\n      api: RegQueryValueEx @ 0x4283C6\nfunction @ 0x42B480\n  and:\n    optional:\n      match: create or open registry key @ 0x42B850\n        or:\n          api: RegOpenKeyEx @ 0x42B8A4\n    or:\n      api: RegQueryValueEx @ 0x42B8D5\nfunction @ 0x42BC20\n  and:\n    optional:\n      match: create or open registry key @ 0x42BD86, 0x42C045\n        or:\n          api: RegOpenKeyEx @ 0x42C05D\n        or:\n          
api: RegOpenKeyEx @ 0x42BD9A\n    or:\n      api: RegQueryValueEx @ 0x42C0A3\nfunction @ 0x4368C0\n  and:\n    optional:\n      match: create or open registry key @ 0x436B3E, 0x436C32\n        or:\n          api: RegOpenKeyEx @ 0x436C76\n        or:\n          api: RegOpenKeyEx @ 0x436B52\n    or:\n      api: RegQueryValueEx @ 0x436CC0\nfunction @ 0x438810\n  and:\n    optional:\n      match: create or open registry key @ 0x438A60, 0x438D8B\n        or:\n          api: RegOpenKeyEx @ 0x438A99\n        or:\n          api: RegOpenKeyEx @ 0x438DB0\n    or:\n      api: RegQueryValueEx @ 0x438DFA\nfunction @ 0x4486E0\n  and:\n    or:\n      api: RegQueryValueEx @ 0x448827, 0x44885C\nfunction @ 0x45A370\n  and:\n    optional:\n      match: create or open registry key @ 0x45A3CE\n        or:\n          api: RegOpenKeyEx @ 0x45A402\n    or:\n      api: RegQueryValueEx @ 0x45A499\nfunction @ 0x45B790\n  and:\n    optional:\n      match: create or open registry key @ 0x45B7E9\n        or:\n          api: RegOpenKeyEx @ 0x45B819\n    or:\n      api: RegQueryValueEx @ 0x45B847, 0x45B899\nfunction @ 0x46EAC0\n  and:\n    optional:\n      match: create or open registry key @ 0x46EAC0, 0x46EBA5\n        or:\n          api: RegOpenKeyEx @ 0x46EB3A\n        or:\n          api: RegOpenKeyEx @ 0x46EBC6\n    or:\n      api: RegGetValue @ 0x46EC1E, 0x46EE59, 0x46EEB1, 0x46EEF6, and 2 more...\n\nset registry value (10 matches)\nnamespace  host-interaction/registry/create                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com \nscope      function                                                \nmbc        Operating System::Registry::Set Registry Key [C0036.001]\nfunction @ 0x408250\n  or:\n    and:\n      or:\n        api: RegSetValueEx @ 0x4084D0, 0x408528, 0x408571, 0x4086BF\nfunction @ 0x4083F6\n  or:\n    and:\n      or:\n        api: RegSetValueEx @ 0x4084D0\nfunction @ 0x408613\n  or:\n    and:\n      or:\n        api: RegSetValueEx @ 
0x4086BF\nfunction @ 0x4183B0\n  or:\n    and:\n      optional:\n        match: create or open registry key @ 0x418499, 0x41858B\n          or:\n            api: RegOpenKeyEx @ 0x4184C1\n          or:\n            api: RegCreateKeyEx @ 0x4185AC\n      or:\n        api: RegSetValueEx @ 0x4187B8, 0x418ED7\n        api: RegSetKeyValue @ 0x4186D4, 0x4188B0, 0x4189A4, 0x418BDD, and 36 more...\nfunction @ 0x4354B0\n  or:\n    and:\n      optional:\n        match: create or open registry key @ 0x4354B0, 0x4356A5\n          or:\n            api: RegCreateKeyEx @ 0x4354FD\n          or:\n            api: RegCreateKeyEx @ 0x4356CD\n      or:\n        api: RegSetValueEx @ 0x4355D6, 0x435754\nfunction @ 0x448F90\n  or:\n    and:\n      optional:\n        match: create or open registry key @ 0x448F90\n          or:\n            api: RegCreateKeyEx @ 0x448FE0\n      or:\n        api: RegSetValueEx @ 0x44900D\nfunction @ 0x450470\n  or:\n    and:\n      or:\n        api: RegSetValueEx @ 0x45050D\nfunction @ 0x4506E0\n  or:\n    and:\n      or:\n        api: RegSetValueEx @ 0x45077D\nfunction @ 0x45B120\n  or:\n    and:\n      or:\n        api: RegSetValueEx @ 0x45B259\nfunction @ 0x45B790\n  or:\n    and:\n      optional:\n        match: create or open registry key @ 0x45B7E9\n          or:\n            api: RegOpenKeyEx @ 0x45B819\n      or:\n        api: RegSetValueEx @ 0x45B90F\n\ndelete registry key (4 matches)\nnamespace  host-interaction/registry/delete                                \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\nscope      function                                                        \natt&ck     Defense Evasion::Modify Registry [T1112]                        \nmbc        Operating System::Registry::Delete Registry Key [C0036.002]     \nfunction @ 0x408B30\n  and:\n    or:\n      api: RegDeleteKey @ 0x408BAE, 0x408C38\nfunction @ 0x408E10\n  and:\n    or:\n      api: RegDeleteKey @ 0x40954F\nfunction @ 0x42A9F0\n  and:\n   
 optional:\n      match: create or open registry key @ 0x42A9F0, 0x42AA46\n        or:\n          api: RegOpenKeyEx @ 0x42AA36\n        or:\n          api: RegCreateKeyEx @ 0x42AA6F\n    or:\n      api: RegDeleteKey @ 0x42AA54, 0x42AA8E\nfunction @ 0x435840\n  and:\n    optional:\n      match: create or open registry key @ 0x435840, 0x435A2A\n        or:\n          api: RegCreateKeyEx @ 0x43588D\n        or:\n          api: RegCreateKeyEx @ 0x435A52\n    or:\n      api: RegDeleteKey @ 0x43595B, 0x435ACE\n\ndelete registry value\nnamespace  host-interaction/registry/delete                             \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Defense Evasion::Modify Registry [T1112]                     \nmbc        Operating System::Registry::Delete Registry Value [C0036.007]\nfunction @ 0x408E10\n  and:\n    or:\n      api: RegDeleteValue @ 0x40915C\n\nquery service status (4 matches)\nnamespace  host-interaction/service                   \nauthor     michael.hunhoff@mandiant.com               \nscope      function                                   \natt&ck     Discovery::System Service Discovery [T1007]\nfunction @ 0x416C40\n  or:\n    api: QueryServiceStatusEx @ 0x416E86, 0x417086\nfunction @ 0x41AEF0\n  or:\n    api: QueryServiceStatusEx @ 0x41B185\nfunction @ 0x4202E0\n  or:\n    api: QueryServiceStatusEx @ 0x420573, 0x420818\nfunction @ 0x42B480\n  or:\n    api: QueryServiceStatusEx @ 0x42B802\n\ncreate service\nnamespace  host-interaction/service/create                                      \nauthor     moritz.raabe@mandiant.com                                            \nscope      function                                                             \natt&ck     Persistence::Create or Modify System Process::Windows Service        \n           [T1543.003], Execution::System Services::Service Execution           \n           [T1569.002]         
                                                 \nfunction @ 0x417480\n  and:\n    api: CreateService @ 0x417694\n    optional:\n      api: OpenSCManager @ 0x417564\n\ndelete service (2 matches)\nnamespace  host-interaction/service/delete                                      \nauthor     moritz.raabe@mandiant.com                                            \nscope      function                                                             \natt&ck     Persistence::Create or Modify System Process::Windows Service        \n           [T1543.003]                                                          \nfunction @ 0x416C40\n  and:\n    api: DeleteService @ 0x41716F\n    optional:\n      match: get service handle @ 0x416C40\n        or:\n          api: OpenService @ 0x416D64\nfunction @ 0x41BD80\n  and:\n    api: DeleteService @ 0x41BFBC\n    optional:\n      match: get service handle @ 0x41BD80\n        or:\n          api: OpenService @ 0x41BEBD\n\nstart service (2 matches)\nnamespace  host-interaction/service/start                                       \nauthor     moritz.raabe@mandiant.com                                            \nscope      function                                                             \natt&ck     Persistence::Create or Modify System Process::Windows Service        \n           [T1543.003]                                                          \nfunction @ 0x41AB30\n  and:\n    api: StartService @ 0x41AD48\n    optional:\n      match: get service handle @ 0x41AB30\n        or:\n          api: OpenService @ 0x41AC46\nfunction @ 0x4202E0\n  and:\n    api: StartService @ 0x4206B2\n    optional:\n      match: get service handle @ 0x4202E0\n        or:\n          api: OpenService @ 0x42047A\n\nstop service\nnamespace  host-interaction/service/stop                                        \nauthor     moritz.raabe@mandiant.com                                            \nscope      function                                                         
    \natt&ck     Persistence::Create or Modify System Process::Windows Service        \n           [T1543.003], Impact::Service Stop [T1489]                            \nfunction @ 0x416C40\n  and:\n    optional:\n      match: get service handle @ 0x416C40\n        or:\n          api: OpenService @ 0x416D64\n    or:\n      basic block:\n        and:\n          number: 0x1 = SERVICE_CONTROL_STOP @ 0x416F52\n          or:\n            api: ControlServiceEx @ 0x416F64\n\nget session information\nnamespace  host-interaction/session                      \nauthor     michael.hunhoff@mandiant.com                  \nscope      function                                      \natt&ck     Discovery::System Owner/User Discovery [T1033]\nfunction @ 0x45C2D0\n  and:\n    api: WTSQuerySessionInformation @ 0x45C35C\n    optional:\n      api: WTSFreeMemory @ 0x45C446\n\nget session user name\nnamespace  host-interaction/session                                             \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope      function                                                             \natt&ck     Discovery::System Owner/User Discovery [T1033], Discovery::Account   \n           Discovery [T1087]                                                    \nfunction @ 0x4183B0\n  or:\n    api: GetUserName @ 0x418FC4\n\nget token membership\nnamespace  host-interaction/session                      \nauthor     michael.hunhoff@mandiant.com                  \nscope      function                                      \natt&ck     Discovery::System Owner/User Discovery [T1033]\nfunction @ 0x45C540\n  and:\n    api: CheckTokenMembership @ 0x45C598\n    optional:\n      api: AllocateAndInitializeSid @ 0x45C585\n      api: FreeSid @ 0x45C5A8\n\nget installed programs (3 matches)\nnamespace  host-interaction/software            \nauthor     moritz.raabe@mandiant.com, @_re_fox  \nscope      function                             \natt&ck     
Discovery::Software Discovery [T1518]\nfunction @ 0x4368C0\n  and:\n    match: create or open registry key @ 0x436B3E, 0x436C32\n      or:\n        api: RegOpenKeyEx @ 0x436C76\n      or:\n        api: RegOpenKeyEx @ 0x436B52\n    characteristic: loop @ 0x4368C0\n    regex: /SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall/i\n      - \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\" @ 0x43695F\n    optional:\n      string: \"DisplayName\" @ 0x436CB5\nfunction @ 0x438810\n  and:\n    match: create or open registry key @ 0x438A60, 0x438D8B\n      or:\n        api: RegOpenKeyEx @ 0x438A99\n      or:\n        api: RegOpenKeyEx @ 0x438DB0\n    characteristic: loop @ 0x438810\n    regex: /SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall/i\n      - \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\" @ 0x438868\nfunction @ 0x46EAC0\n  and:\n    match: create or open registry key @ 0x46EAC0, 0x46EBA5\n      or:\n        api: RegOpenKeyEx @ 0x46EB3A\n      or:\n        api: RegOpenKeyEx @ 0x46EBC6\n    characteristic: loop @ 0x46EAC0\n    regex: /SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall/i\n      - \"SOFTWARE\\\\MICROSOFT\\\\WINDOWS\\\\CURRENTVERSION\\\\UNINSTALL\" @ 0x46EB30\n    optional:\n      string: \"DisplayName\" @ 0x46EC12\n\ncreate thread (2 matches)\nnamespace  host-interaction/thread/create                                       \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           joakim@intezer.com, anushka.virgaonkar@mandiant.com                  \nscope      basic block                                                          \nmbc        Process::Create Thread [C0038]                                       \nbasic block @ 0x44C393 in function 0x44BBB0\n  or:\n    and:\n      os: windows\n      or:\n        api: _beginthreadex @ 0x44C486\nbasic block @ 0x44E7DE in function 0x44DB40\n  or:\n    and:\n      os: windows\n      or:\n        
api: _beginthreadex @ 0x44E8A4\n\nallocate thread local storage\nnamespace  host-interaction/thread/tls                   \nauthor     michael.hunhoff@mandiant.com                  \nscope      function                                      \nmbc        Process::Allocate Thread Local Storage [C0040]\nfunction @ 0x4B242D\n  or:\n    api: TlsAlloc @ 0x4B2461\n\nset thread local storage value\nnamespace  host-interaction/thread/tls                    \nauthor     michael.hunhoff@mandiant.com                   \nscope      function                                       \nmbc        Process::Set Thread Local Storage Value [C0041]\nfunction @ 0x4B24EA\n  and:\n    api: TlsSetValue @ 0x4B2526\n\nimpersonate user\nnamespace  host-interaction/user                                                \nauthor     michael.hunhoff@mandiant.com, 99.elad.levi@gmail.com                 \nscope      function                                                             \natt&ck     Privilege Escalation::Access Token Manipulation::Token               \n           Impersonation/Theft [T1134.001]                                      \nfunction @ 0x454270\n  or:\n    and:\n      api: OpenProcessToken @ 0x4542E3\n      or:\n        api: DuplicateTokenEx @ 0x4543B9\n      api: CreateProcessWithToken @ 0x454455\n\nconnect to WMI namespace via WbemLocator (6 matches)\nnamespace  host-interaction/wmi                                 \nauthor     michael.hunhoff@mandiant.com                         \nscope      function                                             \natt&ck     Execution::Windows Management Instrumentation [T1047]\nfunction @ 0x40C030\n  or:\n    and: = static detection rule\n      basic block:\n        and:\n          api: CoCreateInstance @ 0x40C0AB\n          or:\n            bytes: 11f890453a1dd011891f00aa004b2e24 = CLSID_WbemLocator as bytes @ 0x40C0A6\n          or:\n            bytes: 87a612dc7f73cf11884d00aa004b2e24 = IID_IWbemLocator as bytes @ 0x40C09D\n      basic block:\n   
     or:\n          and:\n            arch: i386\n            offset: 0xC = ppv->ConnectServer @ 0x40C0D0\nfunction @ 0x40C400\n  or:\n    and: = static detection rule\n      basic block:\n        and:\n          api: CoCreateInstance @ 0x40C47B\n          or:\n            bytes: 11f890453a1dd011891f00aa004b2e24 = CLSID_WbemLocator as bytes @ 0x40C476\n          or:\n            bytes: 87a612dc7f73cf11884d00aa004b2e24 = IID_IWbemLocator as bytes @ 0x40C46D\n      basic block:\n        or:\n          and:\n            arch: i386\n            offset: 0xC = ppv->ConnectServer @ 0x40C4A0\nfunction @ 0x40C7D0\n  or:\n    and: = static detection rule\n      basic block:\n        and:\n          api: CoCreateInstance @ 0x40C84B\n          or:\n            bytes: 11f890453a1dd011891f00aa004b2e24 = CLSID_WbemLocator as bytes @ 0x40C846\n          or:\n            bytes: 87a612dc7f73cf11884d00aa004b2e24 = IID_IWbemLocator as bytes @ 0x40C83D\n      basic block:\n        or:\n          and:\n            arch: i386\n            offset: 0xC = ppv->ConnectServer @ 0x40C870\nfunction @ 0x40CBA0\n  or:\n    and: = static detection rule\n      basic block:\n        and:\n          api: CoCreateInstance @ 0x40CD48\n          or:\n            bytes: 11f890453a1dd011891f00aa004b2e24 = CLSID_WbemLocator as bytes @ 0x40CD43\n          or:\n            bytes: 87a612dc7f73cf11884d00aa004b2e24 = IID_IWbemLocator as bytes @ 0x40CD3A\n      basic block:\n        or:\n          and:\n            arch: i386\n            offset: 0xC = ppv->ConnectServer @ 0x40CD76\nfunction @ 0x40D100\n  or:\n    and: = static detection rule\n      basic block:\n        and:\n          api: CoCreateInstance @ 0x40D18E\n          or:\n            bytes: 11f890453a1dd011891f00aa004b2e24 = CLSID_WbemLocator as bytes @ 0x40D189\n          or:\n            bytes: 87a612dc7f73cf11884d00aa004b2e24 = IID_IWbemLocator as bytes @ 0x40D180\n      basic block:\n        or:\n          and:\n            arch: i386\n          
  offset: 0xC = ppv->ConnectServer @ 0x40D1B3\nfunction @ 0x40D560\n  or:\n    and: = static detection rule\n      basic block:\n        and:\n          api: CoCreateInstance @ 0x40D6DB\n          or:\n            bytes: 11f890453a1dd011891f00aa004b2e24 = CLSID_WbemLocator as bytes @ 0x40D6D6\n          or:\n            bytes: 87a612dc7f73cf11884d00aa004b2e24 = IID_IWbemLocator as bytes @ 0x40D6CD\n      basic block:\n        or:\n          and:\n            arch: i386\n            offset: 0xC = ppv->ConnectServer @ 0x40D709\n\naccess PEB ldr_data (5 matches)\nnamespace   linking/runtime-linking                                             \nauthor      moritz.raabe@mandiant.com                                           \nscope       basic block                                                         \natt&ck      Execution::Shared Modules [T1129]                                   \nreferences  https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/n…\n            https://github.com/d35ha/CallObfuscator/blob/5834aff9ff4511f1408ae4…\nbasic block @ 0x440910 in function 0x440910\n  or:\n    and: = x32\n      arch: i386\n      match: PEB access @ 0x440910\n        or:\n          and:\n            arch: i386\n            characteristic: fs access @ 0x44091A, 0x440932\n            or:\n              offset: 0x30 @ 0x440977, 0x4409A3\n      offset: 0xC = PEB.LDR_DATA @ 0x44095E\n      or: = resolve a module list\n        offset: 0xC = PEB.LDR_DATA.InLoadOrderModuleList @ 0x44095E\nbasic block @ 0x440CD0 in function 0x440CD0\n  or:\n    and: = x32\n      arch: i386\n      match: PEB access @ 0x440CD0\n        or:\n          and:\n            arch: i386\n            characteristic: fs access @ 0x440CDA, 0x440CEE, 0x440D83\n            or:\n              offset: 0x30 @ 0x440D4B\n      offset: 0xC = PEB.LDR_DATA @ 0x440D0C\n      or: = resolve a module list\n        offset: 0xC = PEB.LDR_DATA.InLoadOrderModuleList @ 0x440D0C\n        offset: 0x14 = 
PEB.LDR_DATA.InMemoryOrderModuleList @ 0x440D1A\n        offset: 0x1C = PEB.LDR_DATA.InInitializationOrderModuleList @ 0x440D28\nbasic block @ 0x4412A0 in function 0x4412A0\n  or:\n    and: = x32\n      arch: i386\n      match: PEB access @ 0x4412A0\n        or:\n          and:\n            arch: i386\n            characteristic: fs access @ 0x4412AA, 0x4412BE, 0x441353\n            or:\n              offset: 0x30 @ 0x44131B\n      offset: 0xC = PEB.LDR_DATA @ 0x4412DC\n      or: = resolve a module list\n        offset: 0xC = PEB.LDR_DATA.InLoadOrderModuleList @ 0x4412DC\n        offset: 0x14 = PEB.LDR_DATA.InMemoryOrderModuleList @ 0x4412EA\n        offset: 0x1C = PEB.LDR_DATA.InInitializationOrderModuleList @ 0x4412F8\nbasic block @ 0x4516F0 in function 0x4516F0\n  or:\n    and: = x32\n      arch: i386\n      match: PEB access @ 0x4516F0\n        or:\n          and:\n            arch: i386\n            characteristic: fs access @ 0x4516FA, 0x451711, 0x4517B9\n            or:\n              offset: 0x30 @ 0x451786\n      offset: 0xC = PEB.LDR_DATA @ 0x451730\n      or: = resolve a module list\n        offset: 0xC = PEB.LDR_DATA.InLoadOrderModuleList @ 0x451730\n        offset: 0x14 = PEB.LDR_DATA.InMemoryOrderModuleList @ 0x45176D\n        offset: 0x1C = PEB.LDR_DATA.InInitializationOrderModuleList @ 0x451777\nbasic block @ 0x47DDE0 in function 0x47DDE0\n  or:\n    and: = x32\n      arch: i386\n      match: PEB access @ 0x47DDE0\n        or:\n          and:\n            arch: i386\n            characteristic: fs access @ 0x47DDEA, 0x47DE02\n            or:\n              offset: 0x30 @ 0x47DE6C\n      offset: 0xC = PEB.LDR_DATA @ 0x47DE2A\n      or: = resolve a module list\n        offset: 0xC = PEB.LDR_DATA.InLoadOrderModuleList @ 0x47DE2A\n        offset: 0x14 = PEB.LDR_DATA.InMemoryOrderModuleList @ 0x47DE38\n        offset: 0x1C = PEB.LDR_DATA.InInitializationOrderModuleList @ 0x47DE46\n\nget kernel32 base address (2 matches)\nnamespace   
linking/runtime-linking                                             \nauthor      moritz.raabe@mandiant.com                                           \nscope       basic block                                                         \natt&ck      Execution::Shared Modules [T1129]                                   \nreferences  https://idafchev.github.io/exploit/2017/09/26/writing_windows_shell…\n            https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/l…\nbasic block @ 0x440CD0 in function 0x440CD0\n  and:\n    match: access PEB ldr_data @ 0x440CD0\n      or:\n        and: = x32\n          arch: i386\n          match: PEB access @ 0x440CD0\n            or:\n              and:\n                arch: i386\n                characteristic: fs access @ 0x440CDA, 0x440CEE, 0x440D83\n                or:\n                  offset: 0x30 @ 0x440D4B\n          offset: 0xC = PEB.LDR_DATA @ 0x440D0C\n          or: = resolve a module list\n            offset: 0xC = PEB.LDR_DATA.InLoadOrderModuleList @ 0x440D0C\n            offset: 0x14 = PEB.LDR_DATA.InMemoryOrderModuleList @ 0x440D1A\n            offset: 0x1C = PEB.LDR_DATA.InInitializationOrderModuleList @ 0x440D28\n    count(offset): 2 @ 0x440CF8, 0x440D5C\n    or:\n      and:\n        arch: i386\n        offset: 0x18 = LDR_DATA_TABLE_ENTRY.DllBase @ 0x440D21\nbasic block @ 0x4412A0 in function 0x4412A0\n  and:\n    match: access PEB ldr_data @ 0x4412A0\n      or:\n        and: = x32\n          arch: i386\n          match: PEB access @ 0x4412A0\n            or:\n              and:\n                arch: i386\n                characteristic: fs access @ 0x4412AA, 0x4412BE, 0x441353\n                or:\n                  offset: 0x30 @ 0x44131B\n          offset: 0xC = PEB.LDR_DATA @ 0x4412DC\n          or: = resolve a module list\n            offset: 0xC = PEB.LDR_DATA.InLoadOrderModuleList @ 0x4412DC\n            offset: 0x14 = PEB.LDR_DATA.InMemoryOrderModuleList @ 0x4412EA\n            offset: 0x1C = 
PEB.LDR_DATA.InInitializationOrderModuleList @ 0x4412F8\n    count(offset): 2 @ 0x4412C8, 0x44132C\n    or:\n      and:\n        arch: i386\n        offset: 0x18 = LDR_DATA_TABLE_ENTRY.DllBase @ 0x4412F1\n\nget ntdll base address\nnamespace   linking/runtime-linking                                             \nauthor      moritz.raabe@mandiant.com                                           \nscope       basic block                                                         \natt&ck      Execution::Shared Modules [T1129]                                   \nreferences  https://idafchev.github.io/exploit/2017/09/26/writing_windows_shell…\n            https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/l…\nbasic block @ 0x47DDE0 in function 0x47DDE0\n  and:\n    match: access PEB ldr_data @ 0x47DDE0\n      or:\n        and: = x32\n          arch: i386\n          match: PEB access @ 0x47DDE0\n            or:\n              and:\n                arch: i386\n                characteristic: fs access @ 0x47DDEA, 0x47DE02\n                or:\n                  offset: 0x30 @ 0x47DE6C\n          offset: 0xC = PEB.LDR_DATA @ 0x47DE2A\n          or: = resolve a module list\n            offset: 0xC = PEB.LDR_DATA.InLoadOrderModuleList @ 0x47DE2A\n            offset: 0x14 = PEB.LDR_DATA.InMemoryOrderModuleList @ 0x47DE38\n            offset: 0x1C = PEB.LDR_DATA.InInitializationOrderModuleList @ 0x47DE46\n    count(offset): 1 @ 0x47DE1A\n    or:\n      and:\n        arch: i386\n        offset: 0x18 = LDR_DATA_TABLE_ENTRY.DllBase @ 0x47DE3F\n\nlink function at runtime on Windows (16 matches)\nnamespace  linking/runtime-linking                        \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com\nscope      instruction                                    \natt&ck     Execution::Shared Modules [T1129]              \ninstruction @ 0x40817B\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40817B\ninstruction @ 0x40891B\n  and:\n    os: 
windows\n    or:\n      api: GetProcAddress @ 0x40891B\ninstruction @ 0x408B79\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x408B79\ninstruction @ 0x408BE9\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x408BE9\ninstruction @ 0x409502\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x409502\ninstruction @ 0x435BFA\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x435BFA\ninstruction @ 0x448D22\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x448D22\ninstruction @ 0x451187\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x451187\ninstruction @ 0x453947\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x453947\ninstruction @ 0x45BEB8\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x45BEB8\ninstruction @ 0x491106\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x491106\ninstruction @ 0x49111B\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x49111B\ninstruction @ 0x49233D\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x49233D\ninstruction @ 0x49933F\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x49933F\ninstruction @ 0x49F111\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x49F111\ninstruction @ 0x4B22A6\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x4B22A6\n\nparse PE header (2 matches)\nnamespace  load-code/pe                     \nauthor     moritz.raabe@mandiant.com        \nscope      function                         \natt&ck     Execution::Shared Modules [T1129]\nfunction @ 0x495147\n  and:\n    os: windows\n    and:\n      mnemonic: cmp @ 0x495158, 0x495162, 0x49516F, 0x495175, and 1 more...\n      or:\n        number: 0x4550 = IMAGE_NT_SIGNATURE (PE) @ 0x495162\n      or:\n        number: 0x5A4D = IMAGE_DOS_SIGNATURE (MZ) @ 0x495153\nfunction @ 0x4BE290\n  and:\n    os: windows\n    and:\n      mnemonic: cmp @ 0x4BE29B, 0x4BE2A5, 
0x4BE2B4\n      or:\n        number: 0x4550 = IMAGE_NT_SIGNATURE (PE) @ 0x4BE2A5\n      or:\n        number: 0x5A4D = IMAGE_DOS_SIGNATURE (MZ) @ 0x4BE296\n\nresolve function by parsing PE exports\nnamespace  load-code/pe\nauthor     sara-rn     \nscope      function    \nfunction @ 0x424690\n  and:\n    os: windows\n    or:\n      mnemonic: movzx @ 0x4248E0\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4246FE\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x424751\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x4246C2\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4246E9\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x424708\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x4246C9\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4246D0\n\npersist via Windows service (2 matches)\nnamespace  persistence/service                                                  \nauthor     moritz.raabe@mandiant.com                                            \nscope      function                                                             \natt&ck     Persistence::Create or Modify System Process::Windows Service        \n           [T1543.003], Execution::System Services::Service Execution           \n           [T1569.002]                                                          \nfunction @ 0x417480\n  or:\n    and:\n      or:\n        basic block:\n          and:\n            number: 0x2 = SERVICE_AUTO_START @ 0x417680\n            api: CreateService @ 0x417694\nfunction @ 0x4183B0\n  or:\n    and:\n      match: set registry value @ 0x4183B0\n        or:\n          and:\n            optional:\n              match: create or open registry key @ 0x418499, 0x41858B\n                or:\n                  api: RegOpenKeyEx @ 0x4184C1\n                or:\n         
         api: RegCreateKeyEx @ 0x4185AC\n            or:\n              api: RegSetValueEx @ 0x4187B8, 0x418ED7\n              api: RegSetKeyValue @ 0x4186D4, 0x4188B0, 0x4189A4, 0x418BDD, and 36 more...\n      regex: /System\\\\(ControlSet\\d{3}|CurrentControlSet)\\\\Services/i\n        - \"System\\\\CurrentControlSet\\\\Services\\\\\" @ 0x4183EF\n\n\n\n"},"hashes":{"md5":"306d298f4ffd7cd8a40031876906ee4e","sha1":"446bc7b8d09e39215ed60f87c10e785c6083e836","sha256":"f450cef035a0355bdc9c5da156a92a83ea1ca3787cf8ccc6ace3559c3c1100f9"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n    
    .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            
transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                
<div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    <span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 4017</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 224537</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"MBSetup\\u2026\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"306d298f4ffd7cd8a40031876906ee4e\",\n        \"sha256\": \"f450cef035a0355bdc9c5da156a92a83ea1ca3787cf8ccc6ace3559\",\n        \"arch\": \"i386\",\n        \"os\": \"windows\",\n        \"format\": \"pe\"\n      }\n    },\n    {\n      \"id\": \"cap_peb_access__27_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"PEB access (27 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Debugger 
Detection::Process Environment\",\n        \"Block [B0001.019]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x411DE0\",\n      \"label\": \"Block 0x411DE0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x411DE0\"\n    },\n    {\n      \"id\": \"cap_contain_loop__543_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"contain loop (543 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x402730\",\n      \"label\": \"Function 0x402730\",\n      \"type\": \"function\",\n      \"address\": \"0x402730\"\n    },\n    {\n      \"id\": \"cap_create_or_open_file__8_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"create or open file (8 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create File [C0016]\"\n      ]\n    },\n    {\n      \"id\": \"api_CreateFile\",\n      \"label\": \"CreateFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_rule_\",\n      \"label\": \"rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Create Registry Key [C0036.004]\",\n        \"Operating\",\n        \"System::Registry::Open Registry Key [C0036.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4081B1\",\n      \"label\": \"Block 0x4081B1\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4081B1\"\n    },\n    {\n      \"id\": \"api_RegCreateKeyEx\",\n      \"label\": \"RegCreateKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_delay_execution__18_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"delay execution (18 
matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed\",\n        \"Execution [B0003.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x41706E\",\n      \"label\": \"Block 0x41706E\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x41706E\"\n    },\n    {\n      \"id\": \"api_Sleep\",\n      \"label\": \"Sleep\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_os_version__4_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"get OS version (4 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x40E180\",\n      \"label\": \"Function 0x40E180\",\n      \"type\": \"function\",\n      \"address\": \"0x40E180\"\n    },\n    {\n      \"id\": \"api_VerifyVersionInfo\",\n      \"label\": \"VerifyVersionInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_VerSetConditionMask\",\n      \"label\": \"VerSetConditionMask\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_service_handle__8_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"get service handle (8 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x416C40\",\n      \"label\": \"Function 0x416C40\",\n      \"type\": \"function\",\n      \"address\": \"0x416C40\"\n    },\n    {\n      \"id\": \"api_OpenService\",\n      \"label\": \"OpenService\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap_open_process__2_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"open process (2 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Open Process [C0065]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x453BE3\",\n      \"label\": \"Block 0x453BE3\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x453BE3\"\n    },\n    {\n      \"id\": \"api_OpenProcess\",\n      \"label\": \"OpenProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_reference_analysis_tools_strings\",\n      \"label\": \"reference analysis tools strings\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Analysis Tool Discovery::Process detection [B0013.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Analysis Tool Discovery::Process detection [B0013.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_anti_vm_strings\",\n      \"label\": \"reference anti-VM strings\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_reference_anti_vm_strings_targeting_parallels\",\n      \"label\": \"reference anti-VM strings targeting Parallels\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_anti_vm_strings_targeting_vmware\",\n      \"label\": \"reference anti-VM strings targeting VMWare\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com___johnk3r\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, @johnk3r\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_anti_vm_strings_targeting_virtualbox\",\n      \"label\": \"reference anti-VM strings targeting VirtualBox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_anti_vm_strings_targeting_xen\",\n      \"label\": \"reference anti-VM strings targeting Xen\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\"\n      ]\n    },\n    {\n      \"id\": \"cap_contain_obfuscated_stackstrings\",\n      \"label\": \"contain obfuscated stackstrings\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Static Analysis::Executable Code 
Obfuscation::Argument\",\n        \"Obfuscation [B0032.020]\",\n        \"Anti-Static Analysis::Executable Code\",\n        \"Obfuscation::Stack Strings [B0032.017]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4647F0\",\n      \"label\": \"Block 0x4647F0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4647F0\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Static Analysis::Executable Code Obfuscation::Argument\",\n        \"Obfuscation [B0032.020]\",\n        \"Anti-Static Analysis::Executable Code\",\n        \"Obfuscation::Stack Strings [B0032.017]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_geographical_location__3_matches_\",\n      \"label\": \"get geographical location (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery [T1614]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4B8D86\",\n      \"label\": \"Function 0x4B8D86\",\n      \"type\": \"function\",\n      \"address\": \"0x4B8D86\"\n    },\n    {\n      \"id\": \"func_0x4B8CB0\",\n      \"label\": \"Function 0x4B8CB0\",\n      \"type\": \"function\",\n      \"address\": \"0x4B8CB0\"\n    },\n    {\n      \"id\": \"func_0x49216E\",\n      \"label\": \"Function 0x49216E\",\n      \"type\": \"function\",\n      \"address\": \"0x49216E\"\n    },\n    {\n      \"id\": \"api_GetLocaleInfo\",\n      \"label\": \"GetLocaleInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetLocaleInfoEx\",\n      \"label\": \"GetLocaleInfoEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     
moritz.raabe, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery [T1614]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_sql_statements__2_matches_\",\n      \"label\": \"reference SQL statements (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Data from Information Repositories [T1213]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40CBA0\",\n      \"label\": \"Function 0x40CBA0\",\n      \"type\": \"function\",\n      \"address\": \"0x40CBA0\"\n    },\n    {\n      \"id\": \"func_0x40D560\",\n      \"label\": \"Function 0x40D560\",\n      \"type\": \"function\",\n      \"address\": \"0x40D560\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Data from Information Repositories [T1213]\"\n      ]\n    },\n    {\n      \"id\": \"cap_initialize_winhttp_library\",\n      \"label\": \"initialize WinHTTP library\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::WinHTTP [C0002.008]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x469560\",\n      \"label\": \"Function 0x469560\",\n      \"type\": \"function\",\n      \"address\": \"0x469560\"\n    },\n    {\n      \"id\": \"api_WinHttpOpen\",\n      \"label\": \"WinHttpOpen\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n     
 \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::WinHTTP [C0002.008]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_http_header__3_matches_\",\n      \"label\": \"read HTTP header (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Read Header [C0002.014]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46B430\",\n      \"label\": \"Function 0x46B430\",\n      \"type\": \"function\",\n      \"address\": \"0x46B430\"\n    },\n    {\n      \"id\": \"func_0x478DD0\",\n      \"label\": \"Function 0x478DD0\",\n      \"type\": \"function\",\n      \"address\": \"0x478DD0\"\n    },\n    {\n      \"id\": \"func_0x46D980\",\n      \"label\": \"Function 0x46D980\",\n      \"type\": \"function\",\n      \"address\": \"0x46D980\"\n    },\n    {\n      \"id\": \"api_WinHttpQueryHeaders\",\n      \"label\": \"WinHttpQueryHeaders\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Read Header [C0002.014]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_http_header\",\n      \"label\": \"set HTTP header\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Set Header [C0002.013]\"\n      ]\n    },\n    {\n      \"id\": \"api_WinHttpAddRequestHeaders\",\n      \"label\": \"WinHttpAddRequestHeaders\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_check_http_status_code__5_matches_\",\n      \"label\": 
\"check HTTP status code (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Read Header [C0002.014]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x452990\",\n      \"label\": \"Function 0x452990\",\n      \"type\": \"function\",\n      \"address\": \"0x452990\"\n    },\n    {\n      \"id\": \"func_0x405050\",\n      \"label\": \"Function 0x405050\",\n      \"type\": \"function\",\n      \"address\": \"0x405050\"\n    },\n    {\n      \"id\": \"cap_author______mr_tz\",\n      \"label\": \"author     @mr-tz\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Read Header [C0002.014]\"\n      ]\n    },\n    {\n      \"id\": \"cap_prepare_http_request__3_matches_\",\n      \"label\": \"prepare HTTP request (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Create Request [C0002.012]\"\n      ]\n    },\n    {\n      \"id\": \"api_WinHttpOpenRequest\",\n      \"label\": \"WinHttpOpenRequest\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_receive_http_response__3_matches_\",\n      \"label\": \"receive HTTP response (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::HTTP Communication::Get Response [C0002.017]\"\n      ]\n    },\n    {\n      \"id\": \"api_WinHttpReceiveResponse\",\n      \"label\": \"WinHttpReceiveResponse\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_WinHttpQueryDataAvailable\",\n      \"label\": \"WinHttpQueryDataAvailable\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"api_WinHttpReadData\",\n      \"label\": \"WinHttpReadData\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_connect_pipe\",\n      \"label\": \"connect pipe\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Interprocess Communication::Connect Pipe [C0003.002]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x420990\",\n      \"label\": \"Function 0x420990\",\n      \"type\": \"function\",\n      \"address\": \"0x420990\"\n    },\n    {\n      \"id\": \"api_CallNamedPipe\",\n      \"label\": \"CallNamedPipe\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Interprocess Communication::Connect Pipe [C0003.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_pipe\",\n      \"label\": \"read pipe\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Interprocess Communication::Read Pipe [C0003.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_______moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author       moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Communication::Interprocess Communication::Read Pipe [C0003.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_write_pipe\",\n      \"label\": \"write pipe\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        
\"Communication::Interprocess Communication::Write Pipe [C0003.004]\"\n      ]\n    },\n    {\n      \"id\": \"cap_hash_data_via_wincrypt\",\n      \"label\": \"hash data via WinCrypt\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Cryptographic Hash [C0029]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40A610\",\n      \"label\": \"Function 0x40A610\",\n      \"type\": \"function\",\n      \"address\": \"0x40A610\"\n    },\n    {\n      \"id\": \"api_CryptHashData\",\n      \"label\": \"CryptHashData\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CryptGetHashParam\",\n      \"label\": \"CryptGetHashParam\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_initialize_hashing_via_wincrypt\",\n      \"label\": \"initialize hashing via WinCrypt\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"api_CryptCreateHash\",\n      \"label\": \"CryptCreateHash\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CryptDestroyHash\",\n      \"label\": \"CryptDestroyHash\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_hash_data_using_sha1\",\n      \"label\": \"hash data using SHA1\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Cryptographic Hash::SHA1 [C0029.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_william_ballenthin_mandiant_com\",\n      \"label\": \"william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Cryptographic Hash::SHA1 [C0029.002]\"\n      ]\n    },\n    {\n      \"id\": 
\"cap_hash_data_using_sha1_via_wincrypt\",\n      \"label\": \"hash data using SHA1 via WinCrypt\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_contains_pdb_path\",\n      \"label\": \"contains PDB path\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"label\": \"extract resource via kernel32 functions (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x447330\",\n      \"label\": \"Function 0x447330\",\n      \"type\": \"function\",\n      \"address\": \"0x447330\"\n    },\n    {\n      \"id\": \"func_0x409790\",\n      \"label\": \"Function 0x409790\",\n      \"type\": \"function\",\n      \"address\": \"0x409790\"\n    },\n    {\n      \"id\": \"func_0x490180\",\n      \"label\": \"Function 0x490180\",\n      \"type\": \"function\",\n      \"address\": \"0x490180\"\n    },\n    {\n      \"id\": \"func_0x413370\",\n      \"label\": \"Function 0x413370\",\n      \"type\": \"function\",\n      \"address\": \"0x413370\"\n    },\n    {\n      \"id\": \"func_0x452880\",\n      \"label\": \"Function 0x452880\",\n      \"type\": \"function\",\n      \"address\": \"0x452880\"\n    },\n    {\n      \"id\": \"api_FindResourceEx\",\n      \"label\": \"FindResourceEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LoadResource\",\n      \"label\": \"LoadResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LockResource\",\n      \"label\": \"LockResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindResource\",\n      \"label\": \"FindResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    
{\n      \"id\": \"api_SizeofResource\",\n      \"label\": \"SizeofResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_manipulate_safe_mode_programs\",\n      \"label\": \"manipulate safe mode programs\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4354B0\",\n      \"label\": \"Function 0x4354B0\",\n      \"type\": \"function\",\n      \"address\": \"0x4354B0\"\n    },\n    {\n      \"id\": \"cap_accept_command_line_arguments\",\n      \"label\": \"accept command line arguments\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Command and Scripting Interpreter [E1059]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4268E0\",\n      \"label\": \"Function 0x4268E0\",\n      \"type\": \"function\",\n      \"address\": \"0x4268E0\"\n    },\n    {\n      \"id\": \"api_CommandLineToArgv\",\n      \"label\": \"CommandLineToArgv\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetCommandLine\",\n      \"label\": \"GetCommandLine\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Command and Scripting Interpreter [E1059]\"\n      ]\n    },\n    {\n      \"id\": \"cap_interact_with_driver_via_ioctl__4_matches_\",\n      \"label\": \"interact with driver via IOCTL (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    
},\n    {\n      \"id\": \"api_DeviceIoControl\",\n      \"label\": \"DeviceIoControl\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_environment_variable\",\n      \"label\": \"query environment variable\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4B63EF\",\n      \"label\": \"Function 0x4B63EF\",\n      \"type\": \"function\",\n      \"address\": \"0x4B63EF\"\n    },\n    {\n      \"id\": \"api_GetEnvironmentStrings\",\n      \"label\": \"GetEnvironmentStrings\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_environment_variable\",\n      \"label\": \"set environment variable\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Environment Variable::Set Variable [C0034.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4B67F8\",\n      \"label\": \"Function 0x4B67F8\",\n      \"type\": \"function\",\n      \"address\": \"0x4B67F8\"\n    },\n    {\n      \"id\": \"api_SetEnvironmentVariable\",\n      \"label\": \"SetEnvironmentVariable\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_common_file_path__16_matches_\",\n      \"label\": \"get common file path (16 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and 
Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x44BBB0\",\n      \"label\": \"Function 0x44BBB0\",\n      \"type\": \"function\",\n      \"address\": \"0x44BBB0\"\n    },\n    {\n      \"id\": \"func_0x455440\",\n      \"label\": \"Function 0x455440\",\n      \"type\": \"function\",\n      \"address\": \"0x455440\"\n    },\n    {\n      \"id\": \"func_0x434AA0\",\n      \"label\": \"Function 0x434AA0\",\n      \"type\": \"function\",\n      \"address\": \"0x434AA0\"\n    },\n    {\n      \"id\": \"func_0x448B30\",\n      \"label\": \"Function 0x448B30\",\n      \"type\": \"function\",\n      \"address\": \"0x448B30\"\n    },\n    {\n      \"id\": \"func_0x42CAF0\",\n      \"label\": \"Function 0x42CAF0\",\n      \"type\": \"function\",\n      \"address\": \"0x42CAF0\"\n    },\n    {\n      \"id\": \"func_0x436F10\",\n      \"label\": \"Function 0x436F10\",\n      \"type\": \"function\",\n      \"address\": \"0x436F10\"\n    },\n    {\n      \"id\": \"func_0x40DBA0\",\n      \"label\": \"Function 0x40DBA0\",\n      \"type\": \"function\",\n      \"address\": \"0x40DBA0\"\n    },\n    {\n      \"id\": \"func_0x429DB0\",\n      \"label\": \"Function 0x429DB0\",\n      \"type\": \"function\",\n      \"address\": \"0x429DB0\"\n    },\n    {\n      \"id\": \"func_0x492328\",\n      \"label\": \"Function 0x492328\",\n      \"type\": \"function\",\n      \"address\": \"0x492328\"\n    },\n    {\n      \"id\": \"func_0x4499B0\",\n      \"label\": \"Function 0x4499B0\",\n      \"type\": \"function\",\n      \"address\": \"0x4499B0\"\n    },\n    {\n      \"id\": \"func_0x449B90\",\n      \"label\": \"Function 0x449B90\",\n      \"type\": \"function\",\n      \"address\": \"0x449B90\"\n    },\n    {\n      \"id\": \"func_0x449490\",\n      \"label\": \"Function 0x449490\",\n      \"type\": \"function\",\n      \"address\": \"0x449490\"\n    },\n    {\n      \"id\": \"func_0x42BC20\",\n      \"label\": \"Function 0x42BC20\",\n      \"type\": 
\"function\",\n      \"address\": \"0x42BC20\"\n    },\n    {\n      \"id\": \"api_GetWindowsDirectory\",\n      \"label\": \"GetWindowsDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetSystemDirectory\",\n      \"label\": \"GetSystemDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SHGetKnownFolderPath\",\n      \"label\": \"SHGetKnownFolderPath\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetTempPath\",\n      \"label\": \"GetTempPath\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetCurrentDirectory\",\n      \"label\": \"GetCurrentDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_set_current_directory\",\n      \"label\": \"set current directory\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"api_SetCurrentDirectory\",\n      \"label\": \"SetCurrentDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_directory__2_matches_\",\n      \"label\": \"create directory (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x44D830\",\n      \"label\": \"Function 0x44D830\",\n      \"type\": \"function\",\n      \"address\": \"0x44D830\"\n    },\n    {\n      \"id\": \"api_CreateDirectory\",\n      
\"label\": \"CreateDirectory\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_delete_file__3_matches_\",\n      \"label\": \"delete file (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x415480\",\n      \"label\": \"Function 0x415480\",\n      \"type\": \"function\",\n      \"address\": \"0x415480\"\n    },\n    {\n      \"id\": \"func_0x43BFF0\",\n      \"label\": \"Function 0x43BFF0\",\n      \"type\": \"function\",\n      \"address\": \"0x43BFF0\"\n    },\n    {\n      \"id\": \"func_0x44DB40\",\n      \"label\": \"Function 0x44DB40\",\n      \"type\": \"function\",\n      \"address\": \"0x44DB40\"\n    },\n    {\n      \"id\": \"api_DeleteFile\",\n      \"label\": \"DeleteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_check_if_file_exists__3_matches_\",\n      \"label\": \"check if file exists (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46EAC0\",\n      \"label\": \"Function 0x46EAC0\",\n      \"type\": \"function\",\n      \"address\": \"0x46EAC0\"\n    },\n    {\n      \"id\": \"api_GetLastError\",\n      \"label\": \"GetLastError\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetFileAttributes\",\n      \"label\": \"GetFileAttributes\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"api_PathFileExists\",\n      \"label\": \"PathFileExists\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_enumerate_files_on_windows__2_matches_\",\n      \"label\": 
\"enumerate files on Windows (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4B598B\",\n      \"label\": \"Function 0x4B598B\",\n      \"type\": \"function\",\n      \"address\": \"0x4B598B\"\n    },\n    {\n      \"id\": \"api_FindFirstFileEx\",\n      \"label\": \"FindFirstFileEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindNextFile\",\n      \"label\": \"FindNextFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindFirstFile\",\n      \"label\": \"FindFirstFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindClose\",\n      \"label\": \"FindClose\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_attributes__2_matches_\",\n      \"label\": \"get file attributes (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x46EFC7\",\n      \"label\": \"Block 0x46EFC7\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46EFC7\"\n    },\n    {\n      \"id\": \"bb_0x492987\",\n      \"label\": \"Block 0x492987\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x492987\"\n    },\n    {\n      \"id\": 
\"cap_get_file_version_info\",\n      \"label\": \"get file version info\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x454FC0\",\n      \"label\": \"Function 0x454FC0\",\n      \"type\": \"function\",\n      \"address\": \"0x454FC0\"\n    },\n    {\n      \"id\": \"api_GetFileVersionInfoSize\",\n      \"label\": \"GetFileVersionInfoSize\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetFileVersionInfo\",\n      \"label\": \"GetFileVersionInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_VerQueryValue\",\n      \"label\": \"VerQueryValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_read_file_on_windows__5_matches_\",\n      \"label\": \"read file on Windows (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4B2F28\",\n      \"label\": \"Function 0x4B2F28\",\n      \"type\": \"function\",\n      \"address\": \"0x4B2F28\"\n    },\n    {\n      \"id\": \"func_0x4B2933\",\n      \"label\": \"Function 0x4B2933\",\n      \"type\": \"function\",\n      \"address\": \"0x4B2933\"\n    },\n    {\n      \"id\": \"func_0x43EC60\",\n      \"label\": \"Function 0x43EC60\",\n      \"type\": \"function\",\n      \"address\": \"0x43EC60\"\n    },\n    {\n      \"id\": \"func_0x4B2A80\",\n      \"label\": \"Function 0x4B2A80\",\n      \"type\": \"function\",\n      \"address\": \"0x4B2A80\"\n    },\n    {\n      \"id\": \"func_0x4B1575\",\n      \"label\": \"Function 0x4B1575\",\n      \"type\": \"function\",\n      \"address\": \"0x4B1575\"\n    },\n    {\n      \"id\": \"api_fread\",\n      
\"label\": \"fread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_ReadFile\",\n      \"label\": \"ReadFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_clear_file_content\",\n      \"label\": \"clear file content\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4BD065\",\n      \"label\": \"Function 0x4BD065\",\n      \"type\": \"function\",\n      \"address\": \"0x4BD065\"\n    },\n    {\n      \"id\": \"api_SetFilePointer\",\n      \"label\": \"SetFilePointer\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SetEndOfFile\",\n      \"label\": \"SetEndOfFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____jakeperalta7\",\n      \"label\": \"author     jakeperalta7\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_write_file_on_windows__2_matches_\",\n      \"label\": \"write file on Windows (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4B03D0\",\n      \"label\": \"Function 0x4B03D0\",\n      \"type\": \"function\",\n      \"address\": \"0x4B03D0\"\n    },\n    {\n      \"id\": \"func_0x4B0CBA\",\n      \"label\": \"Function 0x4B0CBA\",\n      \"type\": \"function\",\n      \"address\": \"0x4B0CBA\"\n    },\n    {\n      \"id\": \"api_WriteFile\",\n      \"label\": \"WriteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": 
\"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_find_graphical_window\",\n      \"label\": \"find graphical window\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"api_FindWindow\",\n      \"label\": \"FindWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_graphical_window_text\",\n      \"label\": \"get graphical window text\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [E1010]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x404AC0\",\n      \"label\": \"Function 0x404AC0\",\n      \"type\": \"function\",\n      \"address\": \"0x404AC0\"\n    },\n    {\n      \"id\": \"api_GetWindowText\",\n      \"label\": \"GetWindowText\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_hide_graphical_window__15_matches_\",\n      \"label\": \"hide graphical window (15 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x410105\",\n      \"label\": \"Block 0x410105\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x410105\"\n    },\n    {\n      \"id\": \"bb_0x4683FC\",\n      \"label\": \"Block 0x4683FC\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4683FC\"\n 
   },\n    {\n      \"id\": \"bb_0x40F39F\",\n      \"label\": \"Block 0x40F39F\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40F39F\"\n    },\n    {\n      \"id\": \"bb_0x4255D9\",\n      \"label\": \"Block 0x4255D9\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4255D9\"\n    },\n    {\n      \"id\": \"bb_0x41EF4A\",\n      \"label\": \"Block 0x41EF4A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x41EF4A\"\n    },\n    {\n      \"id\": \"bb_0x464151\",\n      \"label\": \"Block 0x464151\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x464151\"\n    },\n    {\n      \"id\": \"bb_0x4644D8\",\n      \"label\": \"Block 0x4644D8\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4644D8\"\n    },\n    {\n      \"id\": \"bb_0x42761E\",\n      \"label\": \"Block 0x42761E\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x42761E\"\n    },\n    {\n      \"id\": \"bb_0x41F805\",\n      \"label\": \"Block 0x41F805\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x41F805\"\n    },\n    {\n      \"id\": \"bb_0x42568A\",\n      \"label\": \"Block 0x42568A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x42568A\"\n    },\n    {\n      \"id\": \"api_ShowWindow\",\n      \"label\": \"ShowWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_disk_information\",\n      \"label\": \"get disk information\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetLogicalDrives\",\n      \"label\": \"GetLogicalDrives\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_disk_information_via_ioctl__2_matches_\",\n      \"label\": \"get disk information via IOCTL (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": 
\"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x40CC8C\",\n      \"label\": \"Block 0x40CC8C\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40CC8C\"\n    },\n    {\n      \"id\": \"bb_0x40D5F0\",\n      \"label\": \"Block 0x40D5F0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40D5F0\"\n    },\n    {\n      \"id\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"label\": \"author      william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_disk_size\",\n      \"label\": \"get disk size\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x42A3C0\",\n      \"label\": \"Function 0x42A3C0\",\n      \"type\": \"function\",\n      \"address\": \"0x42A3C0\"\n    },\n    {\n      \"id\": \"api_GetDiskFreeSpaceEx\",\n      \"label\": \"GetDiskFreeSpaceEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_storage_device_properties\",\n      \"label\": \"get storage device properties\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": 
\"cap_create_or_open_mutex_on_windows\",\n      \"label\": \"create or open mutex on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Mutex [C0042]\"\n      ]\n    },\n    {\n      \"id\": \"api_CreateMutex\",\n      \"label\": \"CreateMutex\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_mehunhoff_google_com\",\n      \"label\": \"mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Mutex [C0042]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_proxy__2_matches_\",\n      \"label\": \"get proxy (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Network Configuration Discovery [T1016]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4178D0\",\n      \"label\": \"Function 0x4178D0\",\n      \"type\": \"function\",\n      \"address\": \"0x4178D0\"\n    },\n    {\n      \"id\": \"func_0x4183B0\",\n      \"label\": \"Function 0x4183B0\",\n      \"type\": \"function\",\n      \"address\": \"0x4183B0\"\n    },\n    {\n      \"id\": \"api_RegOpenKeyEx\",\n      \"label\": \"RegOpenKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_shutdown_system\",\n      \"label\": \"shutdown system\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::System Shutdown/Reboot [T1529]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x434E20\",\n      \"label\": \"Function 0x434E20\",\n      \"type\": \"function\",\n      \"address\": \"0x434E20\"\n    },\n    {\n      \"id\": \"api_InitiateSystemShutdownEx\",\n      \"label\": \"InitiateSystemShutdownEx\",\n      \"type\": \"api\",\n      \"category\": 
\"other\"\n    },\n    {\n      \"id\": \"cap_get_system_information_on_windows\",\n      \"label\": \"get system information on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetNativeSystemInfo\",\n      \"label\": \"GetNativeSystemInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_thread_local_storage_value\",\n      \"label\": \"get thread local storage value\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x4B24AB\",\n      \"label\": \"Function 0x4B24AB\",\n      \"type\": \"function\",\n      \"address\": \"0x4B24AB\"\n    },\n    {\n      \"id\": \"api_TlsGetValue\",\n      \"label\": \"TlsGetValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_process_on_windows__12_matches_\",\n      \"label\": \"create process on Windows (12 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4242F9\",\n      \"label\": \"Block 0x4242F9\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4242F9\"\n    },\n    {\n      \"id\": \"bb_0x42FE3E\",\n      \"label\": \"Block 0x42FE3E\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x42FE3E\"\n    },\n    {\n      \"id\": 
\"bb_0x4543E8\",\n      \"label\": \"Block 0x4543E8\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4543E8\"\n    },\n    {\n      \"id\": \"bb_0x44678A\",\n      \"label\": \"Block 0x44678A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x44678A\"\n    },\n    {\n      \"id\": \"bb_0x439E34\",\n      \"label\": \"Block 0x439E34\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x439E34\"\n    },\n    {\n      \"id\": \"bb_0x45B05B\",\n      \"label\": \"Block 0x45B05B\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x45B05B\"\n    },\n    {\n      \"id\": \"bb_0x43A802\",\n      \"label\": \"Block 0x43A802\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x43A802\"\n    },\n    {\n      \"id\": \"bb_0x42E03A\",\n      \"label\": \"Block 0x42E03A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x42E03A\"\n    },\n    {\n      \"id\": \"bb_0x46873C\",\n      \"label\": \"Block 0x46873C\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46873C\"\n    },\n    {\n      \"id\": \"bb_0x43B4FB\",\n      \"label\": \"Block 0x43B4FB\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x43B4FB\"\n    },\n    {\n      \"id\": \"bb_0x44D0E2\",\n      \"label\": \"Block 0x44D0E2\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x44D0E2\"\n    },\n    {\n      \"id\": \"bb_0x446756\",\n      \"label\": \"Block 0x446756\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x446756\"\n    },\n    {\n      \"id\": \"api_ShellExecute\",\n      \"label\": \"ShellExecute\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_CreateProcessWithToken\",\n      \"label\": \"CreateProcessWithToken\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_CreateProcess\",\n      \"label\": \"CreateProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": 
\"cap_create_process_suspended\",\n      \"label\": \"create process suspended\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process::Create Suspended Process [C0017.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______william_ballenthin_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author      william.ballenthin@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process::Create Suspended Process [C0017.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_processes\",\n      \"label\": \"enumerate processes\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\",\n        \"Discovery::Software Discovery [T1518]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x455350\",\n      \"label\": \"Function 0x455350\",\n      \"type\": \"function\",\n      \"address\": \"0x455350\"\n    },\n    {\n      \"id\": \"api_CreateToolhelp32Snapshot\",\n      \"label\": \"CreateToolhelp32Snapshot\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_Process32First\",\n      \"label\": \"Process32First\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_Process32Next\",\n      \"label\": \"Process32Next\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_modify_access_privileges__2_matches_\",\n      \"label\": \"modify access privileges (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": 
\"api_AdjustTokenPrivileges\",\n      \"label\": \"AdjustTokenPrivileges\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_terminate_process\",\n      \"label\": \"terminate process\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Process [C0018]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x49F080\",\n      \"label\": \"Function 0x49F080\",\n      \"type\": \"function\",\n      \"address\": \"0x49F080\"\n    },\n    {\n      \"id\": \"api_TerminateProcess\",\n      \"label\": \"TerminateProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"api_ExitProcess\",\n      \"label\": \"ExitProcess\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_key__4_matches_\",\n      \"label\": \"query or enumerate registry key (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Key [C0036.005]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4089A0\",\n      \"label\": \"Function 0x4089A0\",\n      \"type\": \"function\",\n      \"address\": \"0x4089A0\"\n    },\n    {\n      \"id\": \"func_0x438810\",\n      \"label\": \"Function 0x438810\",\n      \"type\": \"function\",\n      \"address\": \"0x438810\"\n    },\n    {\n      \"id\": \"func_0x4368C0\",\n      \"label\": \"Function 0x4368C0\",\n      \"type\": \"function\",\n      \"address\": \"0x4368C0\"\n    },\n    {\n      \"id\": \"api_RegEnumKeyEx\",\n      \"label\": \"RegEnumKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"label\": \"query or enumerate registry value (15 matches)\",\n      \"type\": \"capability\",\n      
\"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Value [C0036.006]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x42B480\",\n      \"label\": \"Function 0x42B480\",\n      \"type\": \"function\",\n      \"address\": \"0x42B480\"\n    },\n    {\n      \"id\": \"func_0x40A800\",\n      \"label\": \"Function 0x40A800\",\n      \"type\": \"function\",\n      \"address\": \"0x40A800\"\n    },\n    {\n      \"id\": \"func_0x45B790\",\n      \"label\": \"Function 0x45B790\",\n      \"type\": \"function\",\n      \"address\": \"0x45B790\"\n    },\n    {\n      \"id\": \"func_0x4486E0\",\n      \"label\": \"Function 0x4486E0\",\n      \"type\": \"function\",\n      \"address\": \"0x4486E0\"\n    },\n    {\n      \"id\": \"func_0x41B350\",\n      \"label\": \"Function 0x41B350\",\n      \"type\": \"function\",\n      \"address\": \"0x41B350\"\n    },\n    {\n      \"id\": \"func_0x45A370\",\n      \"label\": \"Function 0x45A370\",\n      \"type\": \"function\",\n      \"address\": \"0x45A370\"\n    },\n    {\n      \"id\": \"func_0x41B6A0\",\n      \"label\": \"Function 0x41B6A0\",\n      \"type\": \"function\",\n      \"address\": \"0x41B6A0\"\n    },\n    {\n      \"id\": \"func_0x41B9F0\",\n      \"label\": \"Function 0x41B9F0\",\n      \"type\": \"function\",\n      \"address\": \"0x41B9F0\"\n    },\n    {\n      \"id\": \"func_0x40E630\",\n      \"label\": \"Function 0x40E630\",\n      \"type\": \"function\",\n      \"address\": \"0x40E630\"\n    },\n    {\n      \"id\": \"api_RegEnumValue\",\n      \"label\": \"RegEnumValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_RegQueryValueEx\",\n      \"label\": \"RegQueryValueEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_RegGetValue\",\n      \"label\": \"RegGetValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      
\"id\": \"cap_set_registry_value__10_matches_\",\n      \"label\": \"set registry value (10 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Set Registry Key [C0036.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x408250\",\n      \"label\": \"Function 0x408250\",\n      \"type\": \"function\",\n      \"address\": \"0x408250\"\n    },\n    {\n      \"id\": \"func_0x450470\",\n      \"label\": \"Function 0x450470\",\n      \"type\": \"function\",\n      \"address\": \"0x450470\"\n    },\n    {\n      \"id\": \"func_0x408613\",\n      \"label\": \"Function 0x408613\",\n      \"type\": \"function\",\n      \"address\": \"0x408613\"\n    },\n    {\n      \"id\": \"func_0x45B120\",\n      \"label\": \"Function 0x45B120\",\n      \"type\": \"function\",\n      \"address\": \"0x45B120\"\n    },\n    {\n      \"id\": \"func_0x4506E0\",\n      \"label\": \"Function 0x4506E0\",\n      \"type\": \"function\",\n      \"address\": \"0x4506E0\"\n    },\n    {\n      \"id\": \"func_0x4083F6\",\n      \"label\": \"Function 0x4083F6\",\n      \"type\": \"function\",\n      \"address\": \"0x4083F6\"\n    },\n    {\n      \"id\": \"func_0x448F90\",\n      \"label\": \"Function 0x448F90\",\n      \"type\": \"function\",\n      \"address\": \"0x448F90\"\n    },\n    {\n      \"id\": \"api_RegSetValueEx\",\n      \"label\": \"RegSetValueEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"api_RegSetKeyValue\",\n      \"label\": \"RegSetKeyValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_delete_registry_key__4_matches_\",\n      \"label\": \"delete registry key (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    
},\n    {\n      \"id\": \"func_0x408E10\",\n      \"label\": \"Function 0x408E10\",\n      \"type\": \"function\",\n      \"address\": \"0x408E10\"\n    },\n    {\n      \"id\": \"func_0x435840\",\n      \"label\": \"Function 0x435840\",\n      \"type\": \"function\",\n      \"address\": \"0x435840\"\n    },\n    {\n      \"id\": \"func_0x42A9F0\",\n      \"label\": \"Function 0x42A9F0\",\n      \"type\": \"function\",\n      \"address\": \"0x42A9F0\"\n    },\n    {\n      \"id\": \"func_0x408B30\",\n      \"label\": \"Function 0x408B30\",\n      \"type\": \"function\",\n      \"address\": \"0x408B30\"\n    },\n    {\n      \"id\": \"api_RegDeleteKey\",\n      \"label\": \"RegDeleteKey\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, johnk3r\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Key [C0036.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_registry_value\",\n      \"label\": \"delete registry value\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Delete Registry Value [C0036.007]\"\n      ]\n    },\n    {\n      \"id\": \"api_RegDeleteValue\",\n      \"label\": \"RegDeleteValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_service_status__4_matches_\",\n      \"label\": \"query service status (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Service Discovery [T1007]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x41AEF0\",\n      \"label\": \"Function 
0x41AEF0\",\n      \"type\": \"function\",\n      \"address\": \"0x41AEF0\"\n    },\n    {\n      \"id\": \"func_0x4202E0\",\n      \"label\": \"Function 0x4202E0\",\n      \"type\": \"function\",\n      \"address\": \"0x4202E0\"\n    },\n    {\n      \"id\": \"api_QueryServiceStatusEx\",\n      \"label\": \"QueryServiceStatusEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_service\",\n      \"label\": \"create service\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Create or Modify System Process::Windows Service [T1543.003]\",\n        \"Execution::System Services::Service Execution [T1569.002]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x417480\",\n      \"label\": \"Function 0x417480\",\n      \"type\": \"function\",\n      \"address\": \"0x417480\"\n    },\n    {\n      \"id\": \"api_OpenSCManager\",\n      \"label\": \"OpenSCManager\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CreateService\",\n      \"label\": \"CreateService\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_delete_service__2_matches_\",\n      \"label\": \"delete service (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Create or Modify System Process::Windows Service [T1543.003]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x41BD80\",\n      \"label\": \"Function 0x41BD80\",\n      \"type\": \"function\",\n      \"address\": \"0x41BD80\"\n    },\n    {\n      \"id\": \"api_DeleteService\",\n      \"label\": \"DeleteService\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_start_service__2_matches_\",\n      \"label\": \"start service (2 matches)\",\n     
 \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Create or Modify System Process::Windows Service [T1543.003]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x41AB30\",\n      \"label\": \"Function 0x41AB30\",\n      \"type\": \"function\",\n      \"address\": \"0x41AB30\"\n    },\n    {\n      \"id\": \"api_StartService\",\n      \"label\": \"StartService\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_stop_service\",\n      \"label\": \"stop service\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Create or Modify System Process::Windows Service [T1543.003]\",\n        \"Impact::Service Stop [T1489]\"\n      ]\n    },\n    {\n      \"id\": \"api_ControlServiceEx\",\n      \"label\": \"ControlServiceEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_session_information\",\n      \"label\": \"get session information\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x45C2D0\",\n      \"label\": \"Function 0x45C2D0\",\n      \"type\": \"function\",\n      \"address\": \"0x45C2D0\"\n    },\n    {\n      \"id\": \"api_WTSQuerySessionInformation\",\n      \"label\": \"WTSQuerySessionInformation\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_WTSFreeMemory\",\n      \"label\": \"WTSFreeMemory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_session_user_name\",\n      \"label\": \"get session user name\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n   
     \"Discovery::System Owner/User Discovery [T1033]\",\n        \"Discovery::Account Discovery [T1087]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetUserName\",\n      \"label\": \"GetUserName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_token_membership\",\n      \"label\": \"get token membership\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Owner/User Discovery [T1033]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x45C540\",\n      \"label\": \"Function 0x45C540\",\n      \"type\": \"function\",\n      \"address\": \"0x45C540\"\n    },\n    {\n      \"id\": \"api_AllocateAndInitializeSid\",\n      \"label\": \"AllocateAndInitializeSid\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CheckTokenMembership\",\n      \"label\": \"CheckTokenMembership\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FreeSid\",\n      \"label\": \"FreeSid\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_installed_programs__3_matches_\",\n      \"label\": \"get installed programs (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Software Discovery [T1518]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com____re_fox\",\n      \"label\": \"author     moritz.raabe@mandiant.com, @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Software Discovery [T1518]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_thread__2_matches_\",\n      \"label\": \"create thread (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      
\"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x44E7DE\",\n      \"label\": \"Block 0x44E7DE\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x44E7DE\"\n    },\n    {\n      \"id\": \"bb_0x44C393\",\n      \"label\": \"Block 0x44C393\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x44C393\"\n    },\n    {\n      \"id\": \"api__beginthreadex\",\n      \"label\": \"_beginthreadex\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"joakim@intezer.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_allocate_thread_local_storage\",\n      \"label\": \"allocate thread local storage\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Allocate Thread Local Storage [C0040]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4B242D\",\n      \"label\": \"Function 0x4B242D\",\n      \"type\": \"function\",\n      \"address\": \"0x4B242D\"\n    },\n    {\n      \"id\": \"api_TlsAlloc\",\n      \"label\": \"TlsAlloc\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_thread_local_storage_value\",\n      \"label\": \"set thread local storage value\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Set Thread Local Storage Value [C0041]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4B24EA\",\n      \"label\": \"Function 0x4B24EA\",\n      \"type\": \"function\",\n      \"address\": \"0x4B24EA\"\n    },\n    {\n      \"id\": \"api_TlsSetValue\",\n      \"label\": 
\"TlsSetValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_impersonate_user\",\n      \"label\": \"impersonate user\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x454270\",\n      \"label\": \"Function 0x454270\",\n      \"type\": \"function\",\n      \"address\": \"0x454270\"\n    },\n    {\n      \"id\": \"api_DuplicateTokenEx\",\n      \"label\": \"DuplicateTokenEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_OpenProcessToken\",\n      \"label\": \"OpenProcessToken\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__99_elad_levi_gmail_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, 99.elad.levi@gmail.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_connect_to_wmi_namespace_via_wbemlocator__6_matches_\",\n      \"label\": \"connect to WMI namespace via WbemLocator (6 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Windows Management Instrumentation [T1047]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40C400\",\n      \"label\": \"Function 0x40C400\",\n      \"type\": \"function\",\n      \"address\": \"0x40C400\"\n    },\n    {\n      \"id\": \"func_0x40D100\",\n      \"label\": \"Function 0x40D100\",\n      \"type\": \"function\",\n      \"address\": \"0x40D100\"\n    },\n    {\n      \"id\": 
\"func_0x40C7D0\",\n      \"label\": \"Function 0x40C7D0\",\n      \"type\": \"function\",\n      \"address\": \"0x40C7D0\"\n    },\n    {\n      \"id\": \"func_0x40C030\",\n      \"label\": \"Function 0x40C030\",\n      \"type\": \"function\",\n      \"address\": \"0x40C030\"\n    },\n    {\n      \"id\": \"api_CoCreateInstance\",\n      \"label\": \"CoCreateInstance\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_access_peb_ldr_data__5_matches_\",\n      \"label\": \"access PEB ldr_data (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4516F0\",\n      \"label\": \"Block 0x4516F0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4516F0\"\n    },\n    {\n      \"id\": \"bb_0x47DDE0\",\n      \"label\": \"Block 0x47DDE0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x47DDE0\"\n    },\n    {\n      \"id\": \"bb_0x440910\",\n      \"label\": \"Block 0x440910\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x440910\"\n    },\n    {\n      \"id\": \"bb_0x440CD0\",\n      \"label\": \"Block 0x440CD0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x440CD0\"\n    },\n    {\n      \"id\": \"bb_0x4412A0\",\n      \"label\": \"Block 0x4412A0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4412A0\"\n    },\n    {\n      \"id\": \"cap_get_kernel32_base_address__2_matches_\",\n      \"label\": \"get kernel32 base address (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_ntdll_base_address\",\n      \"label\": \"get ntdll base address\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      
\"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_link_function_at_runtime_on_windows__16_matches_\",\n      \"label\": \"link function at runtime on Windows (16 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetProcAddress\",\n      \"label\": \"GetProcAddress\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_parse_pe_header__2_matches_\",\n      \"label\": \"parse PE header (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x495147\",\n      \"label\": \"Function 0x495147\",\n      \"type\": \"function\",\n      \"address\": \"0x495147\"\n    },\n    {\n      \"id\": \"func_0x4BE290\",\n      \"label\": \"Function 0x4BE290\",\n      \"type\": \"function\",\n      \"address\": \"0x4BE290\"\n    },\n    {\n      \"id\": \"cap_resolve_function_by_parsing_pe_exports\",\n      \"label\": \"resolve function by parsing PE exports\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x424690\",\n      \"label\": \"Function 0x424690\",\n      \"type\": \"function\",\n      \"address\": \"0x424690\"\n    },\n    {\n      \"id\": \"cap_author_____sara_rn\",\n      \"label\": \"author     sara-rn\",\n      \"type\": \"capability\",\n 
     \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_persist_via_windows_service__2_matches_\",\n      \"label\": \"persist via Windows service (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Create or Modify System Process::Windows Service [T1543.003]\",\n        \"Execution::System Services::Service Execution [T1569.002]\"\n      ]\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_peb_access__27_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_peb_access__27_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x411DE0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_loop__543_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_contain_loop__543_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x402730\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_or_open_file__8_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_rule_\",\n      \"target\": \"bb_0x4081B1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delay_execution__18_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"cap_delay_execution__18_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x41706E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_os_version__4_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_os_version__4_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x40E180\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E180\",\n      \"target\": \"api_VerifyVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40E180\",\n      \"target\": \"api_VerSetConditionMask\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_service_handle__8_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_service_handle__8_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x416C40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_open_process__2_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_open_process__2_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x453BE3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_analysis_tools_strings\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"relationship\": 
\"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_anti_vm_strings\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_anti_vm_strings_targeting_parallels\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_anti_vm_strings_targeting_vmware\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com___johnk3r\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_anti_vm_strings_targeting_virtualbox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_anti_vm_strings_targeting_xen\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_obfuscated_stackstrings\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_contain_obfuscated_stackstrings\",\n      \"target\": \"bb_0x4647F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x4647F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_geographical_location__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_geographical_location__3_matches_\",\n      
\"target\": \"func_0x4B8D86\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_geographical_location__3_matches_\",\n      \"target\": \"func_0x4B8CB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_geographical_location__3_matches_\",\n      \"target\": \"func_0x49216E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B8D86\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B8CB0\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x49216E\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B8D86\",\n      \"target\": \"api_GetLocaleInfoEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B8CB0\",\n      \"target\": \"api_GetLocaleInfoEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x49216E\",\n      \"target\": \"api_GetLocaleInfoEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4B8D86\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4B8CB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x49216E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B8D86\",\n      \"target\": \"api_GetLocaleInfo\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B8CB0\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x49216E\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B8D86\",\n      \"target\": \"api_GetLocaleInfoEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B8CB0\",\n      \"target\": \"api_GetLocaleInfoEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x49216E\",\n      \"target\": \"api_GetLocaleInfoEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_sql_statements__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_reference_sql_statements__2_matches_\",\n      \"target\": \"func_0x40CBA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_reference_sql_statements__2_matches_\",\n      \"target\": \"func_0x40D560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x40CBA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x40D560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_initialize_winhttp_library\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_initialize_winhttp_library\",\n      \"target\": \"func_0x469560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"func_0x469560\",\n      \"target\": \"api_WinHttpOpen\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x469560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x469560\",\n      \"target\": \"api_WinHttpOpen\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_http_header__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_http_header__3_matches_\",\n      \"target\": \"func_0x46B430\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_http_header__3_matches_\",\n      \"target\": \"func_0x478DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_http_header__3_matches_\",\n      \"target\": \"func_0x46D980\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46B430\",\n      \"target\": \"api_WinHttpQueryHeaders\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpQueryHeaders\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D980\",\n      \"target\": \"api_WinHttpQueryHeaders\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46B430\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x478DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46D980\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46B430\",\n      \"target\": \"api_WinHttpQueryHeaders\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpQueryHeaders\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D980\",\n      \"target\": \"api_WinHttpQueryHeaders\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_http_header\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_http_header\",\n      \"target\": \"func_0x478DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpAddRequestHeaders\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x478DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpAddRequestHeaders\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_http_status_code__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_http_status_code__5_matches_\",\n      \"target\": \"func_0x452990\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_http_status_code__5_matches_\",\n      \"target\": \"func_0x46B430\",\n      \"relationship\": \"implemented_by\"\n 
   },\n    {\n      \"source\": \"cap_check_http_status_code__5_matches_\",\n      \"target\": \"func_0x405050\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_http_status_code__5_matches_\",\n      \"target\": \"func_0x478DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_http_status_code__5_matches_\",\n      \"target\": \"func_0x46D980\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______mr_tz\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______mr_tz\",\n      \"target\": \"func_0x452990\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______mr_tz\",\n      \"target\": \"func_0x46B430\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______mr_tz\",\n      \"target\": \"func_0x405050\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______mr_tz\",\n      \"target\": \"func_0x478DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______mr_tz\",\n      \"target\": \"func_0x46D980\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_prepare_http_request__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_prepare_http_request__3_matches_\",\n      \"target\": \"func_0x46B430\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_prepare_http_request__3_matches_\",\n      \"target\": \"func_0x478DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_prepare_http_request__3_matches_\",\n      \"target\": \"func_0x46D980\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"func_0x46B430\",\n      \"target\": \"api_WinHttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D980\",\n      \"target\": \"api_WinHttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46B430\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x478DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D980\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46B430\",\n      \"target\": \"api_WinHttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D980\",\n      \"target\": \"api_WinHttpOpenRequest\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_receive_http_response__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_receive_http_response__3_matches_\",\n      \"target\": \"func_0x46B430\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_receive_http_response__3_matches_\",\n      \"target\": \"func_0x478DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_receive_http_response__3_matches_\",\n      \"target\": \"func_0x46D980\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46B430\",\n      \"target\": 
\"api_WinHttpReceiveResponse\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpReceiveResponse\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D980\",\n      \"target\": \"api_WinHttpReceiveResponse\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B430\",\n      \"target\": \"api_WinHttpQueryDataAvailable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpQueryDataAvailable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D980\",\n      \"target\": \"api_WinHttpQueryDataAvailable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B430\",\n      \"target\": \"api_WinHttpReadData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpReadData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D980\",\n      \"target\": \"api_WinHttpReadData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46B430\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x478DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46D980\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46B430\",\n      \"target\": \"api_WinHttpReceiveResponse\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpReceiveResponse\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D980\",\n      
\"target\": \"api_WinHttpReceiveResponse\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B430\",\n      \"target\": \"api_WinHttpQueryDataAvailable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpQueryDataAvailable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D980\",\n      \"target\": \"api_WinHttpQueryDataAvailable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B430\",\n      \"target\": \"api_WinHttpReadData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478DD0\",\n      \"target\": \"api_WinHttpReadData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46D980\",\n      \"target\": \"api_WinHttpReadData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_pipe\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_connect_pipe\",\n      \"target\": \"func_0x420990\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x420990\",\n      \"target\": \"api_CallNamedPipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x420990\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x420990\",\n      \"target\": \"api_CallNamedPipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_pipe\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_pipe\",\n      
\"target\": \"func_0x420990\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x420990\",\n      \"target\": \"api_CallNamedPipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x420990\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x420990\",\n      \"target\": \"api_CallNamedPipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_pipe\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_pipe\",\n      \"target\": \"func_0x420990\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x420990\",\n      \"target\": \"api_CallNamedPipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x420990\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x420990\",\n      \"target\": \"api_CallNamedPipe\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hash_data_via_wincrypt\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hash_data_via_wincrypt\",\n      \"target\": \"func_0x40A610\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptHashData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptGetHashParam\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40A610\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptHashData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptGetHashParam\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_initialize_hashing_via_wincrypt\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_initialize_hashing_via_wincrypt\",\n      \"target\": \"func_0x40A610\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptCreateHash\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptDestroyHash\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40A610\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptCreateHash\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptDestroyHash\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hash_data_using_sha1\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hash_data_using_sha1\",\n      \"target\": \"func_0x40A610\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptCreateHash\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    
{\n      \"source\": \"cap_william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x40A610\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptCreateHash\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hash_data_using_sha1_via_wincrypt\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hash_data_using_sha1_via_wincrypt\",\n      \"target\": \"func_0x40A610\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptCreateHash\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptHashData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptDestroyHash\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40A610\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptCreateHash\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptHashData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A610\",\n      \"target\": \"api_CryptDestroyHash\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contains_pdb_path\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"target\": \"func_0x447330\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"target\": \"func_0x409790\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"target\": \"func_0x490180\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"target\": \"func_0x413370\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions__5_matches_\",\n      \"target\": \"func_0x452880\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x447330\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409790\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x490180\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x413370\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x452880\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x447330\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409790\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x490180\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x413370\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x452880\",\n      \"target\": 
\"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x447330\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409790\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x490180\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x413370\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x452880\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x447330\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409790\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x490180\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x413370\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x452880\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x447330\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409790\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x490180\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x413370\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x452880\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x447330\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x409790\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x490180\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x413370\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x452880\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x447330\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409790\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x490180\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x413370\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x452880\",\n      \"target\": \"api_FindResourceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x447330\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409790\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x490180\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x413370\",\n      \"target\": \"api_LoadResource\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x452880\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x447330\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409790\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x490180\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x413370\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x452880\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x447330\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409790\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x490180\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x413370\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x452880\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x447330\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409790\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x490180\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x413370\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x452880\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_manipulate_safe_mode_programs\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_manipulate_safe_mode_programs\",\n      \"target\": \"func_0x4354B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x4354B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_accept_command_line_arguments\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_accept_command_line_arguments\",\n      \"target\": \"func_0x4268E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_CommandLineToArgv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetCommandLine\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4268E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_CommandLineToArgv\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetCommandLine\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_interact_with_driver_via_ioctl__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"malware_file\",\n      \"target\": \"cap_query_environment_variable\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_environment_variable\",\n      \"target\": \"func_0x4B63EF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B63EF\",\n      \"target\": \"api_GetEnvironmentStrings\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x4B63EF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B63EF\",\n      \"target\": \"api_GetEnvironmentStrings\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_environment_variable\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_environment_variable\",\n      \"target\": \"func_0x4B67F8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B67F8\",\n      \"target\": \"api_SetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4B67F8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B67F8\",\n      \"target\": \"api_SetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path__16_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x44BBB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x455440\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x434AA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x448B30\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x42CAF0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x436F10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x4268E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x40D560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x40DBA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x429DB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x492328\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x4499B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x40CBA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x449B90\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x449490\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__16_matches_\",\n      \"target\": \"func_0x42BC20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x44BBB0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455440\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x434AA0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448B30\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42CAF0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x429DB0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x492328\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4499B0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449B90\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x44BBB0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455440\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x434AA0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448B30\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42CAF0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x429DB0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x492328\",\n      \"target\": \"api_GetSystemDirectory\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4499B0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449B90\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x44BBB0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455440\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x434AA0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448B30\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42CAF0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x429DB0\",\n      
\"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x492328\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4499B0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449B90\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x44BBB0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455440\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x434AA0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448B30\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42CAF0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": 
\"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x429DB0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x492328\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4499B0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449B90\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x44BBB0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455440\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x434AA0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448B30\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42CAF0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": 
\"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x429DB0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x492328\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4499B0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449B90\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x44BBB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x455440\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x434AA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x448B30\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x42CAF0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x436F10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4268E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40D560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40DBA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x429DB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x492328\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4499B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40CBA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x449B90\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x449490\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x42BC20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x44BBB0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"func_0x455440\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x434AA0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448B30\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42CAF0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x429DB0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x492328\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4499B0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449B90\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetWindowsDirectory\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x44BBB0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455440\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x434AA0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448B30\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42CAF0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x429DB0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x492328\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4499B0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449B90\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": 
\"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x44BBB0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455440\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x434AA0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448B30\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42CAF0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x429DB0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x492328\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4499B0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n     
 \"source\": \"func_0x449B90\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_SHGetKnownFolderPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x44BBB0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455440\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x434AA0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448B30\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42CAF0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x429DB0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x492328\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4499B0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": 
\"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449B90\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x44BBB0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455440\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x434AA0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448B30\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42CAF0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x429DB0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x492328\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4499B0\",\n      
\"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449B90\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_current_directory\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_current_directory\",\n      \"target\": \"func_0x4268E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4268E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_SetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_directory__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_directory__2_matches_\",\n      \"target\": \"func_0x44D830\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_directory__2_matches_\",\n      \"target\": \"func_0x449490\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x44D830\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      
\"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x44D830\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x449490\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x44D830\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_file__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_file__3_matches_\",\n      \"target\": \"func_0x415480\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__3_matches_\",\n      \"target\": \"func_0x43BFF0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__3_matches_\",\n      \"target\": \"func_0x44DB40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x415480\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43BFF0\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x44DB40\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x415480\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      
\"target\": \"func_0x43BFF0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x44DB40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x415480\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43BFF0\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x44DB40\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__3_matches_\",\n      \"target\": \"func_0x42BC20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__3_matches_\",\n      \"target\": \"func_0x449490\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__3_matches_\",\n      \"target\": \"func_0x46EAC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": 
\"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_PathFileExists\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_PathFileExists\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_PathFileExists\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x42BC20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x449490\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46EAC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_PathFileExists\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x449490\",\n      \"target\": \"api_PathFileExists\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_PathFileExists\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_files_on_windows__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__2_matches_\",\n      \"target\": \"func_0x436F10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows__2_matches_\",\n      \"target\": \"func_0x4B598B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_FindFirstFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B598B\",\n      \"target\": \"api_FindFirstFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B598B\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B598B\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B598B\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x436F10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4B598B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_FindFirstFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B598B\",\n      \"target\": \"api_FindFirstFileEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B598B\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B598B\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x436F10\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B598B\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_attributes__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__2_matches_\",\n      \"target\": \"bb_0x46EFC7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__2_matches_\",\n      \"target\": \"bb_0x492987\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": 
\"bb_0x46EFC7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x492987\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_version_info\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_version_info\",\n      \"target\": \"func_0x454FC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x454FC0\",\n      \"target\": \"api_GetFileVersionInfoSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x454FC0\",\n      \"target\": \"api_GetFileVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x454FC0\",\n      \"target\": \"api_VerQueryValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x454FC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x454FC0\",\n      \"target\": \"api_GetFileVersionInfoSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x454FC0\",\n      \"target\": \"api_GetFileVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x454FC0\",\n      \"target\": \"api_VerQueryValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_file_on_windows__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__5_matches_\",\n      \"target\": \"func_0x4B2F28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__5_matches_\",\n      \"target\": \"func_0x4B2933\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__5_matches_\",\n      \"target\": \"func_0x43EC60\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__5_matches_\",\n      \"target\": \"func_0x4B2A80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__5_matches_\",\n      \"target\": \"func_0x4B1575\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B2F28\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B2933\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43EC60\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B2A80\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B1575\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B2F28\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B2933\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43EC60\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B2A80\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B1575\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4B2F28\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4B2933\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x43EC60\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4B2A80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4B1575\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B2F28\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B2933\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43EC60\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B2A80\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B1575\",\n      \"target\": \"api_fread\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B2F28\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B2933\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x43EC60\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B2A80\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B1575\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n   
   \"source\": \"malware_file\",\n      \"target\": \"cap_clear_file_content\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_clear_file_content\",\n      \"target\": \"func_0x4BD065\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4BD065\",\n      \"target\": \"api_SetFilePointer\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4BD065\",\n      \"target\": \"api_SetEndOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____jakeperalta7\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____jakeperalta7\",\n      \"target\": \"func_0x4BD065\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4BD065\",\n      \"target\": \"api_SetFilePointer\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4BD065\",\n      \"target\": \"api_SetEndOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_file_on_windows__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__2_matches_\",\n      \"target\": \"func_0x4B03D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__2_matches_\",\n      \"target\": \"func_0x4B0CBA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B03D0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B0CBA\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n  
  {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4B03D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4B0CBA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B03D0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4B0CBA\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_graphical_window\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_graphical_window_text\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text\",\n      \"target\": \"func_0x404AC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x404AC0\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x404AC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x404AC0\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hide_graphical_window__15_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__15_matches_\",\n      \"target\": \"bb_0x410105\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__15_matches_\",\n      \"target\": \"bb_0x4683FC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_hide_graphical_window__15_matches_\",\n      \"target\": \"bb_0x40F39F\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__15_matches_\",\n      \"target\": \"bb_0x4255D9\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__15_matches_\",\n      \"target\": \"bb_0x41EF4A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__15_matches_\",\n      \"target\": \"bb_0x464151\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__15_matches_\",\n      \"target\": \"bb_0x4644D8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__15_matches_\",\n      \"target\": \"bb_0x42761E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__15_matches_\",\n      \"target\": \"bb_0x41F805\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__15_matches_\",\n      \"target\": \"bb_0x42568A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x410105\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4683FC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x40F39F\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4255D9\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": 
\"bb_0x41EF4A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x464151\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4644D8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x42761E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x41F805\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x42568A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_information\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_information\",\n      \"target\": \"func_0x449490\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetLogicalDrives\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x449490\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x449490\",\n      \"target\": \"api_GetLogicalDrives\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_information_via_ioctl__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_information_via_ioctl__2_matches_\",\n      \"target\": \"bb_0x40CC8C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_get_disk_information_via_ioctl__2_matches_\",\n      \"target\": \"bb_0x40D5F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"target\": \"bb_0x40CC8C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"target\": \"bb_0x40D5F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_size\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_size\",\n      \"target\": \"func_0x42A3C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x42A3C0\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x42A3C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x42A3C0\",\n      \"target\": \"api_GetDiskFreeSpaceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_storage_device_properties\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_storage_device_properties\",\n      \"target\": \"func_0x40DBA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_DeviceIoControl\",\n      \"relationship\": \"calls\"\n    
},\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40DBA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40DBA0\",\n      \"target\": \"api_DeviceIoControl\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_or_open_mutex_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_proxy__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_proxy__2_matches_\",\n      \"target\": \"func_0x4178D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_proxy__2_matches_\",\n      \"target\": \"func_0x4183B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4178D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4183B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    
},\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_shutdown_system\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_shutdown_system\",\n      \"target\": \"func_0x434E20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x434E20\",\n      \"target\": \"api_InitiateSystemShutdownEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x434E20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x434E20\",\n      \"target\": \"api_InitiateSystemShutdownEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_system_information_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_system_information_on_windows\",\n      \"target\": \"func_0x4268E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_GetNativeSystemInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x4268E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": 
\"api_GetNativeSystemInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_thread_local_storage_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_thread_local_storage_value\",\n      \"target\": \"func_0x4B24AB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B24AB\",\n      \"target\": \"api_TlsGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4B24AB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B24AB\",\n      \"target\": \"api_TlsGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_on_windows__12_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x4242F9\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x42FE3E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x4543E8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x44678A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x439E34\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x45B05B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x43A802\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x42E03A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x46873C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x43B4FB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x44D0E2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__12_matches_\",\n      \"target\": \"bb_0x446756\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x4242F9\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x42FE3E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x4543E8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x44678A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x439E34\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x45B05B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": 
\"bb_0x43A802\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x42E03A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x46873C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x43B4FB\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x44D0E2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x446756\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_suspended\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_process_suspended\",\n      \"target\": \"bb_0x4543E8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______william_ballenthin_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______william_ballenthin_mandiant_com__mehunhoff_google_com\",\n      \"target\": \"bb_0x4543E8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_processes\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_processes\",\n      \"target\": \"func_0x455350\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x455350\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x455350\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455350\",\n      \"target\": \"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x455350\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x455350\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455350\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x455350\",\n      \"target\": \"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_modify_access_privileges__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_process\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_terminate_process\",\n      \"target\": \"func_0x49F080\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x49F080\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x49F080\",\n      \"target\": \"api_ExitProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x49F080\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x49F080\",\n      \"target\": \"api_TerminateProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x49F080\",\n      \"target\": \"api_ExitProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      
\"target\": \"cap_query_or_enumerate_registry_key__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_key__4_matches_\",\n      \"target\": \"func_0x4089A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_key__4_matches_\",\n      \"target\": \"func_0x438810\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_key__4_matches_\",\n      \"target\": \"func_0x4368C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_key__4_matches_\",\n      \"target\": \"func_0x46EAC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4089A0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4089A0\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4089A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x438810\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4368C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46EAC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4089A0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4089A0\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegEnumKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x42B480\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x46EAC0\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x4368C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x40A800\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x4178D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x45B790\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x4486E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x4268E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x41B350\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x45A370\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x438810\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x41B6A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x41B9F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x40E630\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__15_matches_\",\n      \"target\": \"func_0x42BC20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x42B480\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A800\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4486E0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B350\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45A370\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B6A0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B9F0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"func_0x40E630\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42B480\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A800\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4486E0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B350\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45A370\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B6A0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B9F0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40E630\",\n      \"target\": 
\"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42B480\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A800\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4486E0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B350\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45A370\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B6A0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B9F0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40E630\",\n      \"target\": 
\"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42B480\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A800\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4486E0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B350\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45A370\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B6A0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B9F0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40E630\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x42B480\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46EAC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4368C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40A800\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4178D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x45B790\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4486E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4268E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41B350\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x45A370\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x438810\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41B6A0\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x41B9F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40E630\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x42BC20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x42B480\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A800\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4486E0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B350\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45A370\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B6A0\",\n      \"target\": 
\"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B9F0\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40E630\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_RegEnumValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42B480\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A800\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4486E0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B350\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45A370\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B6A0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    
},\n    {\n      \"source\": \"func_0x41B9F0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40E630\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42B480\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A800\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4486E0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B350\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45A370\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B6A0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x41B9F0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40E630\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42B480\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40A800\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4178D0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4486E0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4268E0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B350\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45A370\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B6A0\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41B9F0\",\n      \"target\": \"api_RegGetValue\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40E630\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42BC20\",\n      \"target\": \"api_RegGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_registry_value__10_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__10_matches_\",\n      \"target\": \"func_0x4354B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__10_matches_\",\n      \"target\": \"func_0x408250\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__10_matches_\",\n      \"target\": \"func_0x45B790\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__10_matches_\",\n      \"target\": \"func_0x450470\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__10_matches_\",\n      \"target\": \"func_0x4183B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__10_matches_\",\n      \"target\": \"func_0x408613\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__10_matches_\",\n      \"target\": \"func_0x45B120\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__10_matches_\",\n      \"target\": \"func_0x4506E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__10_matches_\",\n      \"target\": \"func_0x4083F6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_set_registry_value__10_matches_\",\n      \"target\": \"func_0x448F90\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4354B0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408250\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x450470\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408613\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B120\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4506E0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4083F6\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448F90\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4354B0\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408250\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x450470\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n     
 \"source\": \"func_0x408613\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B120\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4506E0\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4083F6\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448F90\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4354B0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408250\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x450470\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408613\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B120\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4506E0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4083F6\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448F90\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4354B0\",\n      \"target\": 
\"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408250\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x450470\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408613\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B120\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4506E0\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4083F6\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448F90\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4354B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x408250\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x45B790\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x450470\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4183B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x408613\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x45B120\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4506E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4083F6\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x448F90\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4354B0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408250\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x450470\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408613\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x45B120\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4506E0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4083F6\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448F90\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4354B0\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408250\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x450470\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408613\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B120\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4506E0\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4083F6\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448F90\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4354B0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408250\",\n      \"target\": 
\"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x450470\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408613\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B120\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4506E0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4083F6\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448F90\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4354B0\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408250\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B790\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x450470\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408613\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45B120\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x4506E0\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4083F6\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x448F90\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_key__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_registry_key__4_matches_\",\n      \"target\": \"func_0x408E10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_registry_key__4_matches_\",\n      \"target\": \"func_0x435840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_registry_key__4_matches_\",\n      \"target\": \"func_0x42A9F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_registry_key__4_matches_\",\n      \"target\": \"func_0x408B30\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x408E10\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x435840\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42A9F0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408B30\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408E10\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x435840\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x42A9F0\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408B30\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408E10\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x435840\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42A9F0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408B30\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x408E10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x435840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x42A9F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x408B30\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x408E10\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x435840\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x42A9F0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408B30\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408E10\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x435840\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42A9F0\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408B30\",\n      \"target\": \"api_RegDeleteKey\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408E10\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x435840\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42A9F0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408B30\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_registry_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_registry_value\",\n      \"target\": \"func_0x408E10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x408E10\",\n      \"target\": \"api_RegDeleteValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x408E10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x408E10\",\n      \"target\": 
\"api_RegDeleteValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_service_status__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_service_status__4_matches_\",\n      \"target\": \"func_0x416C40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_service_status__4_matches_\",\n      \"target\": \"func_0x41AEF0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_service_status__4_matches_\",\n      \"target\": \"func_0x42B480\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_service_status__4_matches_\",\n      \"target\": \"func_0x4202E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_QueryServiceStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41AEF0\",\n      \"target\": \"api_QueryServiceStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42B480\",\n      \"target\": \"api_QueryServiceStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4202E0\",\n      \"target\": \"api_QueryServiceStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x416C40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x41AEF0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x42B480\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": 
\"func_0x4202E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_QueryServiceStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41AEF0\",\n      \"target\": \"api_QueryServiceStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x42B480\",\n      \"target\": \"api_QueryServiceStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4202E0\",\n      \"target\": \"api_QueryServiceStatusEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_service\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_service\",\n      \"target\": \"func_0x417480\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_OpenSCManager\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_CreateService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x417480\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_OpenSCManager\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_CreateService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_service__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_service__2_matches_\",\n      \"target\": \"func_0x416C40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_service__2_matches_\",\n      \"target\": \"func_0x41BD80\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_DeleteService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41BD80\",\n      \"target\": \"api_DeleteService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41BD80\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x416C40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x41BD80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_DeleteService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41BD80\",\n      \"target\": \"api_DeleteService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41BD80\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_start_service__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_start_service__2_matches_\",\n      \"target\": \"func_0x4202E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_start_service__2_matches_\",\n      \"target\": \"func_0x41AB30\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4202E0\",\n      \"target\": \"api_StartService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x41AB30\",\n      \"target\": \"api_StartService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4202E0\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41AB30\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4202E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x41AB30\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4202E0\",\n      \"target\": \"api_StartService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41AB30\",\n      \"target\": \"api_StartService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4202E0\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x41AB30\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_stop_service\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_stop_service\",\n      \"target\": \"func_0x416C40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_ControlServiceEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x416C40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_ControlServiceEx\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x416C40\",\n      \"target\": \"api_OpenService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_session_information\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_session_information\",\n      \"target\": \"func_0x45C2D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x45C2D0\",\n      \"target\": \"api_WTSQuerySessionInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45C2D0\",\n      \"target\": \"api_WTSFreeMemory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x45C2D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x45C2D0\",\n      \"target\": \"api_WTSQuerySessionInformation\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45C2D0\",\n      \"target\": \"api_WTSFreeMemory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_session_user_name\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_session_user_name\",\n      \"target\": \"func_0x4183B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_GetUserName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4183B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_GetUserName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_token_membership\",\n  
    \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_token_membership\",\n      \"target\": \"func_0x45C540\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x45C540\",\n      \"target\": \"api_AllocateAndInitializeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45C540\",\n      \"target\": \"api_CheckTokenMembership\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45C540\",\n      \"target\": \"api_FreeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x45C540\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x45C540\",\n      \"target\": \"api_AllocateAndInitializeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45C540\",\n      \"target\": \"api_CheckTokenMembership\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x45C540\",\n      \"target\": \"api_FreeSid\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_installed_programs__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_installed_programs__3_matches_\",\n      \"target\": \"func_0x4368C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_installed_programs__3_matches_\",\n      \"target\": \"func_0x438810\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_installed_programs__3_matches_\",\n      \"target\": \"func_0x46EAC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": 
\"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com____re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com____re_fox\",\n      \"target\": \"func_0x4368C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com____re_fox\",\n      \"target\": \"func_0x438810\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com____re_fox\",\n      \"target\": \"func_0x46EAC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4368C0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x438810\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EAC0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_thread__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_thread__2_matches_\",\n      \"target\": \"bb_0x44E7DE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_thread__2_matches_\",\n      \"target\": \"bb_0x44C393\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x44E7DE\",\n  
    \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x44C393\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_allocate_thread_local_storage\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_allocate_thread_local_storage\",\n      \"target\": \"func_0x4B242D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B242D\",\n      \"target\": \"api_TlsAlloc\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4B242D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B242D\",\n      \"target\": \"api_TlsAlloc\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_thread_local_storage_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_thread_local_storage_value\",\n      \"target\": \"func_0x4B24EA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B24EA\",\n      \"target\": \"api_TlsSetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4B24EA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4B24EA\",\n      \"target\": \"api_TlsSetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_impersonate_user\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_impersonate_user\",\n      \"target\": \"func_0x454270\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x454270\",\n      
\"target\": \"api_CreateProcessWithToken\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x454270\",\n      \"target\": \"api_DuplicateTokenEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x454270\",\n      \"target\": \"api_OpenProcessToken\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__99_elad_levi_gmail_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__99_elad_levi_gmail_com\",\n      \"target\": \"func_0x454270\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x454270\",\n      \"target\": \"api_CreateProcessWithToken\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x454270\",\n      \"target\": \"api_DuplicateTokenEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x454270\",\n      \"target\": \"api_OpenProcessToken\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_connect_to_wmi_namespace_via_wbemlocator__6_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_connect_to_wmi_namespace_via_wbemlocator__6_matches_\",\n      \"target\": \"func_0x40C400\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_connect_to_wmi_namespace_via_wbemlocator__6_matches_\",\n      \"target\": \"func_0x40D100\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_connect_to_wmi_namespace_via_wbemlocator__6_matches_\",\n      \"target\": \"func_0x40D560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_connect_to_wmi_namespace_via_wbemlocator__6_matches_\",\n      \"target\": \"func_0x40CBA0\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_connect_to_wmi_namespace_via_wbemlocator__6_matches_\",\n      \"target\": \"func_0x40C7D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_connect_to_wmi_namespace_via_wbemlocator__6_matches_\",\n      \"target\": \"func_0x40C030\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40C400\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D100\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C7D0\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C030\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40C400\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40D100\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40D560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40CBA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40C7D0\",\n      \"relationship\": \"implemented_by\"\n 
   },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40C030\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40C400\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D100\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D560\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40CBA0\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C7D0\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C030\",\n      \"target\": \"api_CoCreateInstance\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_access_peb_ldr_data__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_access_peb_ldr_data__5_matches_\",\n      \"target\": \"bb_0x4516F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_access_peb_ldr_data__5_matches_\",\n      \"target\": \"bb_0x47DDE0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_access_peb_ldr_data__5_matches_\",\n      \"target\": \"bb_0x440910\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_access_peb_ldr_data__5_matches_\",\n      \"target\": \"bb_0x440CD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_access_peb_ldr_data__5_matches_\",\n      \"target\": \"bb_0x4412A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"target\": 
\"bb_0x4516F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x47DDE0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x440910\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x440CD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x4412A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_kernel32_base_address__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_kernel32_base_address__2_matches_\",\n      \"target\": \"bb_0x4412A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_kernel32_base_address__2_matches_\",\n      \"target\": \"bb_0x440CD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x4412A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x440CD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_ntdll_base_address\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_ntdll_base_address\",\n      \"target\": \"bb_0x47DDE0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x47DDE0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"malware_file\",\n      \"target\": \"cap_link_function_at_runtime_on_windows__16_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_parse_pe_header__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_parse_pe_header__2_matches_\",\n      \"target\": \"func_0x495147\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_parse_pe_header__2_matches_\",\n      \"target\": \"func_0x4BE290\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x495147\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4BE290\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_resolve_function_by_parsing_pe_exports\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports\",\n      \"target\": \"func_0x424690\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____sara_rn\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x424690\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_persist_via_windows_service__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_persist_via_windows_service__2_matches_\",\n      \"target\": \"func_0x417480\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_persist_via_windows_service__2_matches_\",\n      \"target\": \"func_0x4183B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_CreateService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_CreateService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x417480\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4183B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n     
 \"target\": \"api_RegCreateKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegSetKeyValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x417480\",\n      \"target\": \"api_CreateService\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4183B0\",\n      \"target\": \"api_CreateService\",\n      \"relationship\": \"calls\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-05-15 17:54:36.222753\",\n    \"total_functions\": \"4017\",\n    \"total_features\": \"224537\",\n    \"pdb_path\": \"C:\\\\\\\\Jenkins\\\\\\\\workspace\\\\\\\\MBAM-Windows\\\\\\\\A_MB5_MBSetup\\\\\\\\bin\\\\\\\\Win32\\\\\\\\Release\\\\\\\\MBSet\\nup.pdb\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        
svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 
15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) 
{\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? 
\"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-05-15 17:54:40"}
{"_id":{"$oid":"6a11b98832de6bb6782baab0"},"sha256":"dccfa4b16aa79e273cc7ffc35493c495a7fd09f92a4b790f2dc41c65f64d5378","analysis_data":{"success":true,"results":{"normal":{"success":false,"error":"WARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be an    common.py:90\n         installer.                                                             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  capa cannot handle installers   common.py:90\n         well. This means the results may be misleading or                      \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You should try to understand    common.py:90\n         the install mechanism and analyze created files with capa.             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         installer file limitation                                              \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       
\nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n"},"verbose":{"success":true,"path":"/tmp/sdm_capa_az6ln599/HxDSetup-019e5534-ae66-7590-befd-f3c55a2b3e38.exe_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_az6ln599/HxDSetup-019e5534-ae66-7590-befd-f3c55a2b3e38.exe_very_verbose.txt"}},"outputs":{"normal":"ERROR:\nWARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be an    common.py:90\n         installer.                                                             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  capa cannot handle installers   common.py:90\n         well. This means the results may be misleading or                      \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You should try to understand    common.py:90\n         the install mechanism and analyze created files with capa.             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         installer file limitation                                              \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       
\nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n\n\nSTDOUT:\n\n\nSTDERR:\nWARNING  capa.capabilities.common:                                  common.py:88\n         ----------------------------------------------------------             \n         ----------------------                                                 \nWARNING  capa.capabilities.common:  This sample appears to be an    common.py:90\n         installer.                                                             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  capa cannot handle installers   common.py:90\n         well. This means the results may be misleading or                      \n         incomplete.                                                            \nWARNING  capa.capabilities.common:  You should try to understand    common.py:90\n         the install mechanism and analyze created files with capa.             \nWARNING  capa.capabilities.common:                                  common.py:90\nWARNING  capa.capabilities.common:  Identified via rule: (internal) common.py:91\n         installer file limitation                                              \nWARNING  capa.capabilities.common:                                  common.py:93\nWARNING  capa.capabilities.common:  Use -v or -vv if you really     common.py:94\n         want to see the capabilities identified by capa.                       
\nWARNING  capa.capabilities.common:                                  common.py:95\n         ----------------------------------------------------------             \n         ----------------------                                                 \n","verbose":"md5                     4f9e75a41d02666cd5cc86bd33a578fe                        \nsha1                    ac08b28e953d7d200bbb3c2e644890a689d0d8b1                \nsha256                  dccfa4b16aa79e273cc7ffc35493c495a7fd09f92a4b790f2dc41c6…\npath                    /home/apogean/projects/malware/windows/all_runs/HxDSetu…\ntimestamp               2026-05-23 19:58:04.465369                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEIdTHXjE/rules                                   \nfunction count          555                                                     \nlibrary function count  2                                                       \ntotal feature count     59937                                                   \n\nreference analysis tools strings\nnamespace  anti-analysis\nscope      file         \n\nget geographical location (5 matches)\nnamespace  collection\nscope      function  \nmatches    0x405DD4  \n           0x405DE8  \n           0x408EB4  \n           0x408F00  \n           0x40E658  \n\ncompiled with Borland Delphi\nnamespace  compiler/delphi\nscope      file           \n\nhash data with CRC32\nnamespace  
data-manipulation/checksum/crc32\nscope      function                        \nmatches    0x40C6B0                        \n\nencode data using XOR (3 matches)\nnamespace  data-manipulation/encoding/xor\nscope      basic block                   \nmatches    0x40AA4B                      \n           0x40AA4B                      \n           0x40C70D                      \n\ngenerate random numbers using the Delphi LCG\nnamespace  data-manipulation/prng/lcg\nscope      basic block               \nmatches    0x4030E4                  \n\npackaged as an Inno Setup installer\nnamespace  executable/installer/inno-setup\nscope      file                           \n\ncontain a thread local storage (.tls) section\nnamespace  executable/pe/section/tls\nscope      file                     \n\nextract resource via kernel32 functions\nnamespace  executable/resource\nscope      function           \nmatches    0x40EE2C           \n\naccept command line arguments (3 matches)\nnamespace  host-interaction/cli\nscope      function            \nmatches    0x40B84C            \n           0x40B89C            \n           0x40B8FC            \n\nquery environment variable\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x40B710                             \n\nget common file path (3 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x40699C                    \n           0x40B9A4                    \n           0x40B9D0                    \n\ncreate directory\nnamespace  host-interaction/file-system/create\nscope      function                           \nmatches    0x40E42C                           \n\ndelete directory\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    0x411CBF                           \n\ndelete file\nnamespace  host-interaction/file-system/delete\nscope      function                           
\nmatches    0x40E180                           \n\ncheck if file exists\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    0x40E5F4                           \n\nget file attributes\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    0x40B698                         \n\nclear file content\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    0x40C410                          \n\nwrite file on Windows (2 matches)\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    0x4044F0                          \n           0x4096AC                          \n\nget disk size\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x408068                         \n\nshutdown system\nnamespace  host-interaction/os\nscope      function           \nmatches    0x40E550           \n\nget system information on Windows\nnamespace  host-interaction/os/info\nscope      function                \nmatches    0x40ED58                \n\nget thread local storage value\nnamespace  host-interaction/process\nscope      function                \nmatches    0x406588                \n\ncreate process on Windows\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    0x40EB68                       \n\ncreate process suspended\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    0x40EB68                       \n\nallocate or change RWX memory\nnamespace  host-interaction/process/inject\nscope      basic block                    \nmatches    0x40EDB4                       \n\nmodify access privileges\nnamespace  host-interaction/process/modify\nscope      instruction                    \nmatches    0x40E5A6                       \n\nquery or enumerate 
registry value (4 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    0x403714                 \n           0x405DD4                 \n           0x405DE8                 \n           0x40BB34                 \n\nset thread local storage value\nnamespace  host-interaction/thread/tls\nscope      function                   \nmatches    0x406544                   \n\nlink function at runtime on Windows (7 matches)\nnamespace  linking/runtime-linking\nscope      instruction            \nmatches    0x405C20               \n           0x40674C               \n           0x40676E               \n           0x411112               \n           0x411138               \n           0x4112FA               \n           0x411310               \n\nidentify system language via API\nnamespace  targeting/language\nscope      function          \nmatches    0x40E684          \n\n\n\n","very_verbose":"md5                     4f9e75a41d02666cd5cc86bd33a578fe                        \nsha1                    ac08b28e953d7d200bbb3c2e644890a689d0d8b1                \nsha256                  dccfa4b16aa79e273cc7ffc35493c495a7fd09f92a4b790f2dc41c6…\npath                    /home/apogean/projects/malware/windows/all_runs/HxDSetu…\ntimestamp               2026-05-23 19:58:23.223556                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEIyoiFxb/rules                                 
  \nfunction count          555                                                     \nlibrary function count  2                                                       \ntotal feature count     59937                                                   \n\nallocate memory (5 matches, only showing first match of library rule)\nauthor  0x534a@mailbox.org, @mr-tz     \nscope   basic block                    \nmbc     Memory::Allocate Memory [C0007]\nbasic block @ 0x4015E4 in function 0x4015E4\n  or:\n    api: VirtualAlloc @ 0x4015FA\n\nallocate or change RW memory (5 matches, only showing first match of library \nrule)\nauthor  0x534a@mailbox.org, @mr-tz     \nscope   basic block                    \nmbc     Memory::Allocate Memory [C0007]\nbasic block @ 0x4015E4 in function 0x4015E4\n  and:\n    or:\n      match: allocate memory @ 0x4015E4\n        or:\n          api: VirtualAlloc @ 0x4015FA\n    or:\n      number: 0x4 = PAGE_READWRITE @ 0x4015EC\n\ncalculate modulo 256 via x86 assembly (3 matches, only showing first match of \nlibrary rule)\nauthor  moritz.raabe@mandiant.com\nscope   instruction              \nmbc     Data::Modulo [C0058]     \ninstruction @ 0x40C70F\n  and:\n    or:\n      arch: i386\n    mnemonic: and @ 0x40C70F\n    or:\n      number: 0xFF @ 0x40C70F\n\nchange memory protection (2 matches, only showing first match of library rule)\nauthor  @mr-tz                                  \nscope   basic block                             \nmbc     Memory::Change Memory Protection [C0008]\nbasic block @ 0x40EDB4 in function 0x40ED58\n  or:\n    api: VirtualProtect @ 0x40EDC2\n\ncontain loop (130 matches, only showing first match of library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ 0x40148C\n  or:\n    characteristic: tight loop @ 0x401497\n\ncreate or open file (library rule)\nauthor  michael.hunhoff@mandiant.com, joakim@intezer.com\nscope   instruction                                     \nmbc     File 
System::Create File [C0016]                \ninstruction @ 0x40C31D\n  or:\n    api: CreateFile @ 0x40C31D\n\ncreate or open registry key (10 matches, only showing first match of library \nrule)\nauthor  michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope   basic block                                                             \nmbc     Operating System::Registry::Create Registry Key [C0036.004], Operating  \n        System::Registry::Open Registry Key [C0036.003]                         \nbasic block @ 0x403714 in function 0x403714\n  or:\n    api: RegOpenKeyEx @ 0x403736\n\ndelay execution (21 matches, only showing first match of library rule)\nauthor      michael.hunhoff@mandiant.com, @ramen0x3f                            \nscope       basic block                                                         \nmbc         Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed         \n            Execution [B0003.003]                                               \nreferences  https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions, \n            https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/T…\nbasic block @ 0x401670 in function 0x40165C\n  or:\n    and:\n      os: windows\n      or:\n        api: Sleep @ 0x401672\n\nget OS version (2 matches, only showing first match of library rule)\nauthor  @mr-tz  \nscope   function\nfunction @ 0x40A358\n  or:\n    api: GetVersionEx @ 0x40A366\n\nreference analysis tools strings\nnamespace   anti-analysis                                                       \nauthor      michael.hunhoff@mandiant.com                                        \nscope       file                                                                \nmbc         Discovery::Analysis Tool Discovery::Process detection [B0013.001]   \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nor:\n  regex: /(?<!\\w)ida?(\\.exe)?$/i\n    - \")IDA\" @ file+0xEFD6A\n\nget 
geographical location (5 matches)\nnamespace  collection                                  \nauthor     moritz.raabe, michael.hunhoff@mandiant.com  \nscope      function                                    \natt&ck     Discovery::System Location Discovery [T1614]\nfunction @ 0x405DD4\n  or:\n    api: GetLocaleInfo @ 0x405F46\nfunction @ 0x405DE8\n  or:\n    api: GetLocaleInfo @ 0x405F46\nfunction @ 0x408EB4\n  or:\n    api: GetLocaleInfo @ 0x408ED2\nfunction @ 0x408F00\n  or:\n    api: GetLocaleInfo @ 0x408F13\nfunction @ 0x40E658\n  or:\n    api: GetLocaleInfo @ 0x40E66E\n\ncompiled with Borland Delphi\nnamespace  compiler/delphi                        \nauthor     william.ballenthin@mandiant.com, @mr-tz\nscope      file                                   \nor:\n  substring: SOFTWARE\\Borland\\Delphi\\RTL\n    - \"SOFTWARE\\\\Borland\\\\Delphi\\\\RTL\" @ file+0x2BAC\n\nhash data with CRC32\nnamespace  data-manipulation/checksum/crc32 \nauthor     moritz.raabe@mandiant.com        \nscope      function                         \nmbc        Data::Checksum::CRC32 [C0032.001]\nfunction @ 0x40C6B0\n  or:\n    and:\n      number: 0x1 = bits in a byte @ 0x40C6BF, 0x40C6C3, 0x40C6CC\n      instruction:\n        and:\n          operand[1].number: 0x1 @ 0x40C6BF\n          or:\n            mnemonic: test @ 0x40C6BF\n      instruction:\n        and:\n          mnemonic: shr @ 0x40C6C3\n          number: 0x1 @ 0x40C6C3\n        and:\n          mnemonic: shr @ 0x40C6CC\n          number: 0x1 @ 0x40C6CC\n      characteristic: nzxor @ 0x40C6C5\n      operand[1].number: 0xEDB88320 @ 0x40C6C5\n\nencode data using XOR (3 matches)\nnamespace  data-manipulation/encoding/xor                                       \nauthor     moritz.raabe@mandiant.com                                            \nscope      basic block                                                          \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        Defense 
Evasion::Obfuscated Files or Information::Encoding-Standard  \n           Algorithm [E1027.m02], Data::Encode Data::XOR [C0026.002]            \nbasic block @ 0x40AA4B in function 0x40AA03\n  and:\n    characteristic: tight loop @ 0x40AA4B\n    characteristic: nzxor @ 0x40AA5B\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x40AA4B in function 0x40AA03\n  and:\n    characteristic: tight loop @ 0x40AA4B\n    characteristic: nzxor @ 0x40AA5B\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          
number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x40C70D in function 0x40C6E4\n  and:\n    characteristic: tight loop @ 0x40C70D\n    characteristic: nzxor @ 0x40C718, 0x40C728\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\n\ngenerate random numbers using the Delphi LCG\nnamespace   data-manipulation/prng/lcg                                          \nauthor      william.ballenthin@mandiant.com                                     \nscope       basic block                                                         \nmbc         Cryptography::Generate Pseudo-random Sequence [C0021]               \nreferences  https://en.wikipedia.org/wiki/Linear_congruential_generator,        \n            https://community.osr.com/discussion/130410/generating-random-numbe…\nbasic 
block @ 0x4030E4 in function 0x4030E4\n  and:\n    instruction:\n      and:\n        mnemonic: imul @ 0x4030E7\n        number: 0x8088405 = multiplier a @ 0x4030E7\n    mnemonic: inc = increment c @ 0x4030F1\n\npackaged as an Inno Setup installer\nnamespace   executable/installer/inno-setup  \nauthor      awillia2@cisco.com               \nscope       file                             \nreferences  https://jrsoftware.org/isinfo.php\nand:\n  regex: /^Inno Setup Setup Data \\(/\n    - \"Inno Setup Setup Data (5.5.7) (u)\" @ file+0x1120C, file+0x2D5F54\n  regex: /^Inno Setup Messages \\(/\n    - \"Inno Setup Messages (5.5.3) (u)\" @ file+0x1124C\n\ncontain a thread local storage (.tls) section\nnamespace  executable/pe/section/tls   \nauthor     michael.hunhoff@mandiant.com\nscope      file                        \nsection: .tls @ 0x41A000\n\nextract resource via kernel32 functions\nnamespace  executable/resource            \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ 0x40EE2C\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x40EE5B\n        api: LockResource @ 0x40EE6C\n      optional:\n        or:\n          api: FindResource @ 0x40EE36\n        api: SizeofResource @ 0x40EE49\n\naccept command line arguments (3 matches)\nnamespace  host-interaction/cli                                      \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \natt&ck     Execution::Command and Scripting Interpreter [T1059]      \nmbc        Execution::Command and Scripting Interpreter [E1059]      \nfunction @ 0x40B84C\n  or:\n    api: GetCommandLine @ 0x40B862\nfunction @ 0x40B89C\n  or:\n    api: GetCommandLine @ 0x40B8B1\nfunction @ 0x40B8FC\n  or:\n    api: GetCommandLine @ 0x40B947\n\nquery environment variable\nnamespace  host-interaction/environment-variable          \nauthor     michael.hunhoff@mandiant.com, @_re_fox         
\nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ 0x40B710\n  or:\n    api: GetEnvironmentVariable @ 0x40B746\n\nget common file path (3 matches)\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ 0x40699C\n  or:\n    api: GetSystemDirectory @ 0x4069AF\nfunction @ 0x40B9A4\n  or:\n    api: GetWindowsDirectory @ 0x40B9B7\nfunction @ 0x40B9D0\n  or:\n    api: GetSystemDirectory @ 0x40B9E3\n\ncreate directory\nnamespace  host-interaction/file-system/create                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Create Directory [C0046]                  \nfunction @ 0x40E42C\n  or:\n    api: CreateDirectory @ 0x40E474\n\ndelete directory\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete Directory [C0048]                  \nfunction @ 0x411CBF\n  or:\n    api: RemoveDirectory @ 0x411E1C\n\ndelete file\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete File [C0047]                       \nfunction @ 
0x40E180\n  or:\n    api: DeleteFile @ 0x40E1B7\n\ncheck if file exists\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ 0x40E5F4\n  or:\n    basic block:\n      and:\n        api: GetLastError @ 0x40E636\n        instruction:\n          and:\n            mnemonic: cmp @ 0x40E63B\n            number: 0x2 = ERROR_FILE_NOT_FOUND @ 0x40E63B\n\nget file attributes\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      basic block                                                  \nmbc        File System::Get File Attributes [C0049]                     \nbasic block @ 0x40B698 in function 0x40B698\n  or:\n    api: GetFileAttributes @ 0x40B6C1\n\nclear file content\nnamespace  host-interaction/file-system/write\nauthor     jakeperalta7                      \nscope      function                          \nmbc        File System::Writes File [C0052]  \nfunction @ 0x40C410\n  and:\n    api: SetEndOfFile @ 0x40C417\n    not:\n      api: SetFilePointer\n\nwrite file on Windows (2 matches)\nnamespace  host-interaction/file-system/write                              \nauthor     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                        \nmbc        File System::Writes File [C0052]                                \nfunction @ 0x4044F0\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x40453B\n      or:\n        api: WriteFile @ 0x40452F, 0x40454A\nfunction @ 0x4096AC\n  or:\n    and:\n      os: windows\n      
optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x409763\n      or:\n        api: WriteFile @ 0x409758, 0x409772\n\nget disk size\nnamespace   host-interaction/hardware/storage                                   \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \natt&ck      Discovery::System Information Discovery [T1082]                     \nmbc         Discovery::System Information Discovery [E1082]                     \nreferences  https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/A…\nfunction @ 0x408068\n  or:\n    api: GetDiskFreeSpace @ 0x408089\n\nshutdown system\nnamespace  host-interaction/os                   \nauthor     michael.hunhoff@mandiant.com          \nscope      function                              \natt&ck     Impact::System Shutdown/Reboot [T1529]\nfunction @ 0x40E550\n  or:\n    api: ExitWindowsEx @ 0x40E5BC\n\nget system information on Windows\nnamespace  host-interaction/os/info                       \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com  \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nfunction @ 0x40ED58\n  and:\n    os: windows\n    or:\n      api: GetSystemInfo @ 0x40ED6B\n\nget thread local storage value\nnamespace  host-interaction/process    \nauthor     michael.hunhoff@mandiant.com\nscope      function                    \nfunction @ 0x406588\n  and:\n    api: TlsGetValue @ 0x4065AD, 0x4065BE\n\ncreate process on Windows\nnamespace  host-interaction/process/create\nauthor     moritz.raabe@mandiant.com      \nscope      basic block                    \nmbc        Process::Create Process [C0017]\nbasic block @ 0x40EB68 in function 0x40EB68\n  or:\n    api: CreateProcess @ 0x40EBD8\n\ncreate process suspended\nnamespace   host-interaction/process/create                    
                 \nauthor      william.ballenthin@mandiant.com, mehunhoff@google.com               \nscope       basic block                                                         \nmbc         Process::Create Process::Create Suspended Process [C0017.003]       \nreferences  https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-…\n            https://learn.microsoft.com/en-us/windows/win32/procthread/process-…\nbasic block @ 0x40EB68 in function 0x40EB68\n  or:\n    and:\n      or:\n        number: 0x4 = CREATE_SUSPENDED @ 0x40EB99\n      or:\n        api: CreateProcess @ 0x40EBD8\n\nallocate or change RWX memory\nnamespace  host-interaction/process/inject\nauthor     @mr-tz, mehunhoff@google.com   \nscope      basic block                    \nmbc        Memory::Allocate Memory [C0007]\nbasic block @ 0x40EDB4 in function 0x40ED58\n  or:\n    basic block:\n      and:\n        or:\n          match: change memory protection @ 0x40EDB4\n            or:\n              api: VirtualProtect @ 0x40EDC2\n        or:\n          number: 0x40 = PAGE_EXECUTE_READWRITE @ 0x40EDB9\n\nmodify access privileges\nnamespace  host-interaction/process/modify                        \nauthor     moritz.raabe@mandiant.com                              \nscope      instruction                                            \natt&ck     Privilege Escalation::Access Token Manipulation [T1134]\ninstruction @ 0x40E5A6\n  and:\n    api: AdjustTokenPrivileges @ 0x40E5A6\n\nquery or enumerate registry value (4 matches)\nnamespace  host-interaction/registry                                            \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com,       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::Query Registry [T1012]                                    \nmbc        Operating System::Registry::Query Registry Value 
[C0036.006]         \nfunction @ 0x403714\n  and:\n    optional:\n      match: create or open registry key @ 0x403714\n        or:\n          api: RegOpenKeyEx @ 0x403736\n    or:\n      api: RegQueryValueEx @ 0x403769\nfunction @ 0x405DD4\n  and:\n    optional:\n      match: create or open registry key @ 0x405E24, 0x405E2D, 0x405E4B, 0x405E69\n        or:\n          api: RegOpenKeyEx @ 0x405E7E\n        or:\n          api: RegOpenKeyEx @ 0x405E60\n        or:\n          api: RegOpenKeyEx @ 0x405E24\n        or:\n          api: RegOpenKeyEx @ 0x405E42\n    or:\n      api: RegQueryValueEx @ 0x405EC7, 0x405EE5\nfunction @ 0x405DE8\n  and:\n    optional:\n      match: create or open registry key @ 0x405DE8, 0x405E2D, 0x405E4B, 0x405E69\n        or:\n          api: RegOpenKeyEx @ 0x405E24\n        or:\n          api: RegOpenKeyEx @ 0x405E7E\n        or:\n          api: RegOpenKeyEx @ 0x405E60\n        or:\n          api: RegOpenKeyEx @ 0x405E42\n    or:\n      api: RegQueryValueEx @ 0x405EC7, 0x405EE5\nfunction @ 0x40BB34\n  and:\n    or:\n      api: RegQueryValueEx @ 0x40BB70, 0x40BBE0\n\nset thread local storage value\nnamespace  host-interaction/thread/tls                    \nauthor     michael.hunhoff@mandiant.com                   \nscope      function                                       \nmbc        Process::Set Thread Local Storage Value [C0041]\nfunction @ 0x406544\n  and:\n    api: TlsSetValue @ 0x406581\n\n(internal) installer file limitation\nnamespace    internal/limitation/static                                         \nauthor       william.ballenthin@mandiant.com                                    \nscope        file                                                               \ndescription  This sample appears to be an installer.                            \n                                                                                \n             capa cannot handle installers well. 
This means the results may be  \n             misleading or incomplete.                                          \n             You should try to understand the install mechanism and analyze     \n             created files with capa.                                           \n                                                                                \nor:\n  match: executable/installer @ global\n    and:\n      regex: /^Inno Setup Setup Data \\(/\n        - \"Inno Setup Setup Data (5.5.7) (u)\" @ file+0x1120C, file+0x2D5F54\n      regex: /^Inno Setup Messages \\(/\n        - \"Inno Setup Messages (5.5.3) (u)\" @ file+0x1124C\n\nlink function at runtime on Windows (7 matches)\nnamespace  linking/runtime-linking                        \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com\nscope      instruction                                    \natt&ck     Execution::Shared Modules [T1129]              \ninstruction @ 0x405C20\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x405C20\ninstruction @ 0x40674C\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40674C\ninstruction @ 0x40676E\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40676E\ninstruction @ 0x411112\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x411112\ninstruction @ 0x411138\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x411138\ninstruction @ 0x4112FA\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x4112FA\ninstruction @ 0x411310\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x411310\n\nidentify system language via API\nnamespace  targeting/language                                                   \nauthor     william.ballenthin@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::System Location Discovery::System Language Discovery      \n           [T1614.001]          
                                                \nfunction @ 0x40E684\n  and:\n    os: windows\n    or:\n      api: GetUserDefaultLangID @ 0x40E6E6\n\n\n\n"},"hashes":{"md5":"4f9e75a41d02666cd5cc86bd33a578fe","sha1":"ac08b28e953d7d200bbb3c2e644890a689d0d8b1","sha256":"dccfa4b16aa79e273cc7ffc35493c495a7fd09f92a4b790f2dc41c65f64d5378"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid 
rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            
pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n    
            <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    <span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 555</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 59937</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"HxDSetu\\u2026\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"4f9e75a41d02666cd5cc86bd33a578fe\",\n        \"sha256\": \"dccfa4b16aa79e273cc7ffc35493c495a7fd09f92a4b790f2dc41c6\",\n        \"arch\": \"i386\",\n        \"os\": \"windows\",\n        \"format\": \"pe\"\n      }\n    },\n    {\n      \"id\": \"cap_allocate_memory__5_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"allocate memory (5 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4015E4\",\n      \"label\": \"Block 0x4015E4\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4015E4\"\n    },\n    {\n      \"id\": 
\"api_VirtualAlloc\",\n      \"label\": \"VirtualAlloc\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_rule_\",\n      \"label\": \"rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_library_rule_\",\n      \"label\": \"library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Modulo [C0058]\"\n      ]\n    },\n    {\n      \"id\": \"cap_change_memory_protection__2_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"change memory protection (2 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Change Memory Protection [C0008]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x40EDB4\",\n      \"label\": \"Block 0x40EDB4\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40EDB4\"\n    },\n    {\n      \"id\": \"api_VirtualProtect\",\n      \"label\": \"VirtualProtect\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_contain_loop__130_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"contain loop (130 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x40148C\",\n      \"label\": \"Function 0x40148C\",\n      \"type\": \"function\",\n      \"address\": \"0x40148C\"\n    },\n    {\n      \"id\": \"bb_0x403714\",\n      \"label\": \"Block 0x403714\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x403714\"\n    },\n    {\n      \"id\": \"api_RegOpenKeyEx\",\n      \"label\": \"RegOpenKeyEx\",\n      \"type\": 
\"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_delay_execution__21_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"delay execution (21 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed\",\n        \"Execution [B0003.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x401670\",\n      \"label\": \"Block 0x401670\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x401670\"\n    },\n    {\n      \"id\": \"api_Sleep\",\n      \"label\": \"Sleep\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_os_version__2_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"get OS version (2 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x40A358\",\n      \"label\": \"Function 0x40A358\",\n      \"type\": \"function\",\n      \"address\": \"0x40A358\"\n    },\n    {\n      \"id\": \"api_GetVersionEx\",\n      \"label\": \"GetVersionEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_reference_analysis_tools_strings\",\n      \"label\": \"reference analysis tools strings\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Analysis Tool Discovery::Process detection [B0013.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Analysis Tool Discovery::Process detection 
[B0013.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_geographical_location__5_matches_\",\n      \"label\": \"get geographical location (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery [T1614]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x405DE8\",\n      \"label\": \"Function 0x405DE8\",\n      \"type\": \"function\",\n      \"address\": \"0x405DE8\"\n    },\n    {\n      \"id\": \"func_0x408F00\",\n      \"label\": \"Function 0x408F00\",\n      \"type\": \"function\",\n      \"address\": \"0x408F00\"\n    },\n    {\n      \"id\": \"func_0x408EB4\",\n      \"label\": \"Function 0x408EB4\",\n      \"type\": \"function\",\n      \"address\": \"0x408EB4\"\n    },\n    {\n      \"id\": \"func_0x405DD4\",\n      \"label\": \"Function 0x405DD4\",\n      \"type\": \"function\",\n      \"address\": \"0x405DD4\"\n    },\n    {\n      \"id\": \"func_0x40E658\",\n      \"label\": \"Function 0x40E658\",\n      \"type\": \"function\",\n      \"address\": \"0x40E658\"\n    },\n    {\n      \"id\": \"api_GetLocaleInfo\",\n      \"label\": \"GetLocaleInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery [T1614]\"\n      ]\n    },\n    {\n      \"id\": \"cap_compiled_with_borland_delphi\",\n      \"label\": \"compiled with Borland Delphi\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com___mr_tz\",\n      \"label\": \"author     william.ballenthin@mandiant.com, @mr-tz\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_hash_data_with_crc32\",\n      \"label\": \"hash data with CRC32\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Checksum::CRC32 [C0032.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40C6B0\",\n      \"label\": \"Function 0x40C6B0\",\n      \"type\": \"function\",\n      \"address\": \"0x40C6B0\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Checksum::CRC32 [C0032.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_generate_random_numbers_using_the_delphi_lcg\",\n      \"label\": \"generate random numbers using the Delphi LCG\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence [C0021]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4030E4\",\n      \"label\": \"Block 0x4030E4\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4030E4\"\n    },\n    {\n      \"id\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"label\": \"author      william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Cryptography::Generate Pseudo-random Sequence [C0021]\"\n      ]\n    },\n    {\n      \"id\": \"cap_packaged_as_an_inno_setup_installer\",\n      \"label\": \"packaged as an Inno Setup installer\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author______awillia2_cisco_com\",\n      \"label\": \"author      awillia2@cisco.com\",\n      \"type\": 
\"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_contain_a_thread_local_storage___tls__section\",\n      \"label\": \"contain a thread local storage (.tls) section\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_extract_resource_via_kernel32_functions\",\n      \"label\": \"extract resource via kernel32 functions\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x40EE2C\",\n      \"label\": \"Function 0x40EE2C\",\n      \"type\": \"function\",\n      \"address\": \"0x40EE2C\"\n    },\n    {\n      \"id\": \"api_SizeofResource\",\n      \"label\": \"SizeofResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindResource\",\n      \"label\": \"FindResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LoadResource\",\n      \"label\": \"LoadResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LockResource\",\n      \"label\": \"LockResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_accept_command_line_arguments__3_matches_\",\n      \"label\": \"accept command line arguments (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      
\"mitre\": [\n        \"Execution::Command and Scripting Interpreter [E1059]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40B89C\",\n      \"label\": \"Function 0x40B89C\",\n      \"type\": \"function\",\n      \"address\": \"0x40B89C\"\n    },\n    {\n      \"id\": \"func_0x40B8FC\",\n      \"label\": \"Function 0x40B8FC\",\n      \"type\": \"function\",\n      \"address\": \"0x40B8FC\"\n    },\n    {\n      \"id\": \"func_0x40B84C\",\n      \"label\": \"Function 0x40B84C\",\n      \"type\": \"function\",\n      \"address\": \"0x40B84C\"\n    },\n    {\n      \"id\": \"api_GetCommandLine\",\n      \"label\": \"GetCommandLine\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Command and Scripting Interpreter [E1059]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_environment_variable\",\n      \"label\": \"query environment variable\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40B710\",\n      \"label\": \"Function 0x40B710\",\n      \"type\": \"function\",\n      \"address\": \"0x40B710\"\n    },\n    {\n      \"id\": \"api_GetEnvironmentVariable\",\n      \"label\": \"GetEnvironmentVariable\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        
\"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_common_file_path__3_matches_\",\n      \"label\": \"get common file path (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40B9D0\",\n      \"label\": \"Function 0x40B9D0\",\n      \"type\": \"function\",\n      \"address\": \"0x40B9D0\"\n    },\n    {\n      \"id\": \"func_0x40B9A4\",\n      \"label\": \"Function 0x40B9A4\",\n      \"type\": \"function\",\n      \"address\": \"0x40B9A4\"\n    },\n    {\n      \"id\": \"func_0x40699C\",\n      \"label\": \"Function 0x40699C\",\n      \"type\": \"function\",\n      \"address\": \"0x40699C\"\n    },\n    {\n      \"id\": \"api_GetSystemDirectory\",\n      \"label\": \"GetSystemDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetWindowsDirectory\",\n      \"label\": \"GetWindowsDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_directory\",\n      \"label\": \"create directory\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40E42C\",\n      \"label\": \"Function 0x40E42C\",\n      \"type\": \"function\",\n      \"address\": \"0x40E42C\"\n    },\n    {\n      \"id\": \"api_CreateDirectory\",\n      \"label\": \"CreateDirectory\",\n      \"type\": \"api\",\n   
   \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create Directory [C0046]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_directory\",\n      \"label\": \"delete directory\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete Directory [C0048]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x411CBF\",\n      \"label\": \"Function 0x411CBF\",\n      \"type\": \"function\",\n      \"address\": \"0x411CBF\"\n    },\n    {\n      \"id\": \"api_RemoveDirectory\",\n      \"label\": \"RemoveDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_delete_file\",\n      \"label\": \"delete file\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40E180\",\n      \"label\": \"Function 0x40E180\",\n      \"type\": \"function\",\n      \"address\": \"0x40E180\"\n    },\n    {\n      \"id\": \"api_DeleteFile\",\n      \"label\": \"DeleteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_check_if_file_exists\",\n      \"label\": \"check if file exists\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40E5F4\",\n      \"label\": \"Function 0x40E5F4\",\n      \"type\": \"function\",\n      \"address\": \"0x40E5F4\"\n    },\n    {\n      \"id\": 
\"api_GetLastError\",\n      \"label\": \"GetLastError\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_file_attributes\",\n      \"label\": \"get file attributes\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x40B698\",\n      \"label\": \"Block 0x40B698\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40B698\"\n    },\n    {\n      \"id\": \"api_GetFileAttributes\",\n      \"label\": \"GetFileAttributes\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"cap_clear_file_content\",\n      \"label\": \"clear file content\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40C410\",\n      \"label\": \"Function 0x40C410\",\n      \"type\": \"function\",\n      \"address\": \"0x40C410\"\n    },\n    {\n      \"id\": \"api_SetFilePointer\",\n      \"label\": \"SetFilePointer\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SetEndOfFile\",\n      \"label\": \"SetEndOfFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____jakeperalta7\",\n      \"label\": \"author     jakeperalta7\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n  
    \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_write_file_on_windows__2_matches_\",\n      \"label\": \"write file on Windows (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4096AC\",\n      \"label\": \"Function 0x4096AC\",\n      \"type\": \"function\",\n      \"address\": \"0x4096AC\"\n    },\n    {\n      \"id\": \"func_0x4044F0\",\n      \"label\": \"Function 0x4044F0\",\n      \"type\": \"function\",\n      \"address\": \"0x4044F0\"\n    },\n    {\n      \"id\": \"api_WriteFile\",\n      \"label\": \"WriteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_disk_size\",\n      \"label\": \"get disk size\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x408068\",\n      \"label\": \"Function 0x408068\",\n      \"type\": \"function\",\n      \"address\": \"0x408068\"\n    },\n    {\n      \"id\": \"api_GetDiskFreeSpace\",\n      \"label\": \"GetDiskFreeSpace\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      
\"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_shutdown_system\",\n      \"label\": \"shutdown system\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::System Shutdown/Reboot [T1529]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40E550\",\n      \"label\": \"Function 0x40E550\",\n      \"type\": \"function\",\n      \"address\": \"0x40E550\"\n    },\n    {\n      \"id\": \"api_ExitWindowsEx\",\n      \"label\": \"ExitWindowsEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_system_information_on_windows\",\n      \"label\": \"get system information on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40ED58\",\n      \"label\": \"Function 0x40ED58\",\n      \"type\": \"function\",\n      \"address\": \"0x40ED58\"\n    },\n    {\n      \"id\": \"api_GetSystemInfo\",\n      \"label\": \"GetSystemInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [T1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_thread_local_storage_value\",\n      \"label\": \"get thread local storage value\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x406588\",\n      \"label\": \"Function 
0x406588\",\n      \"type\": \"function\",\n      \"address\": \"0x406588\"\n    },\n    {\n      \"id\": \"api_TlsGetValue\",\n      \"label\": \"TlsGetValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_process_on_windows\",\n      \"label\": \"create process on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x40EB68\",\n      \"label\": \"Block 0x40EB68\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40EB68\"\n    },\n    {\n      \"id\": \"api_CreateProcess\",\n      \"label\": \"CreateProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_create_process_suspended\",\n      \"label\": \"create process suspended\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process::Create Suspended Process [C0017.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______william_ballenthin_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author      william.ballenthin@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process::Create Suspended Process [C0017.003]\"\n      ]\n    },\n    {\n      \"id\": \"cap_allocate_or_change_rwx_memory\",\n      \"label\": \"allocate or change RWX memory\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______mr_tz__mehunhoff_google_com\",\n      \"label\": \"author     @mr-tz, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      
\"category\": \"\",\n      \"mitre\": [\n        \"Memory::Allocate Memory [C0007]\"\n      ]\n    },\n    {\n      \"id\": \"cap_modify_access_privileges\",\n      \"label\": \"modify access privileges\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Privilege Escalation::Access Token Manipulation [T1134]\"\n      ]\n    },\n    {\n      \"id\": \"api_AdjustTokenPrivileges\",\n      \"label\": \"AdjustTokenPrivileges\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"label\": \"query or enumerate registry value (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Value [C0036.006]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x403714\",\n      \"label\": \"Function 0x403714\",\n      \"type\": \"function\",\n      \"address\": \"0x403714\"\n    },\n    {\n      \"id\": \"func_0x40BB34\",\n      \"label\": \"Function 0x40BB34\",\n      \"type\": \"function\",\n      \"address\": \"0x40BB34\"\n    },\n    {\n      \"id\": \"api_RegQueryValueEx\",\n      \"label\": \"RegQueryValueEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_thread_local_storage_value\",\n      \"label\": \"set thread local storage value\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Set Thread Local Storage Value [C0041]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x406544\",\n      \"label\": \"Function 0x406544\",\n      \"type\": \"function\",\n      \"address\": \"0x406544\"\n    },\n    {\n      \"id\": \"api_TlsSetValue\",\n      \"label\": \"TlsSetValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap__internal__installer_file_limitation\",\n      \"label\": \"(internal) installer file limitation\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"label\": \"author       william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_link_function_at_runtime_on_windows__7_matches_\",\n      \"label\": \"link function at runtime on Windows (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetProcAddress\",\n      \"label\": \"GetProcAddress\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_identify_system_language_via_api\",\n      \"label\": \"identify system language via API\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery::System Language Discovery [T1614.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40E684\",\n      \"label\": \"Function 0x40E684\",\n      \"type\": \"function\",\n      \"address\": \"0x40E684\"\n    },\n    {\n      \"id\": \"api_GetUserDefaultLangID\",\n      \"label\": \"GetUserDefaultLangID\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      
\"target\": \"cap_allocate_memory__5_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_allocate_memory__5_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x4015E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_rule_\",\n      \"target\": \"bb_0x4015E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_change_memory_protection__2_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_change_memory_protection__2_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x40EDB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_loop__130_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_contain_loop__130_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x40148C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_rule_\",\n      \"target\": \"bb_0x403714\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delay_execution__21_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delay_execution__21_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x401670\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_os_version__2_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_os_version__2_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x40A358\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40A358\",\n      \"target\": \"api_GetVersionEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_analysis_tools_strings\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_geographical_location__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_geographical_location__5_matches_\",\n      \"target\": \"func_0x405DE8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_geographical_location__5_matches_\",\n      \"target\": \"func_0x408F00\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_geographical_location__5_matches_\",\n      \"target\": \"func_0x408EB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_geographical_location__5_matches_\",\n      \"target\": \"func_0x405DD4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_geographical_location__5_matches_\",\n      \"target\": \"func_0x40E658\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x405DE8\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408F00\",\n      
\"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408EB4\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405DD4\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40E658\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x405DE8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x408F00\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x408EB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x405DD4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40E658\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x405DE8\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408F00\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x408EB4\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405DD4\",\n      \"target\": 
\"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40E658\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_compiled_with_borland_delphi\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com___mr_tz\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hash_data_with_crc32\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hash_data_with_crc32\",\n      \"target\": \"func_0x40C6B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x40C6B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_generate_random_numbers_using_the_delphi_lcg\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_generate_random_numbers_using_the_delphi_lcg\",\n      \"target\": \"bb_0x4030E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______william_ballenthin_mandiant_com\",\n      \"target\": \"bb_0x4030E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_packaged_as_an_inno_setup_installer\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_author______awillia2_cisco_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_a_thread_local_storage___tls__section\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_extract_resource_via_kernel32_functions\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions\",\n      \"target\": \"func_0x40EE2C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40EE2C\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40EE2C\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40EE2C\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40EE2C\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x40EE2C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40EE2C\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40EE2C\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40EE2C\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x40EE2C\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_accept_command_line_arguments__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_accept_command_line_arguments__3_matches_\",\n      \"target\": \"func_0x40B89C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_accept_command_line_arguments__3_matches_\",\n      \"target\": \"func_0x40B8FC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_accept_command_line_arguments__3_matches_\",\n      \"target\": \"func_0x40B84C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40B89C\",\n      \"target\": \"api_GetCommandLine\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B8FC\",\n      \"target\": \"api_GetCommandLine\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B84C\",\n      \"target\": \"api_GetCommandLine\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40B89C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40B8FC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40B84C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40B89C\",\n      \"target\": 
\"api_GetCommandLine\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B8FC\",\n      \"target\": \"api_GetCommandLine\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B84C\",\n      \"target\": \"api_GetCommandLine\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_environment_variable\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_environment_variable\",\n      \"target\": \"func_0x40B710\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40B710\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x40B710\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40B710\",\n      \"target\": \"api_GetEnvironmentVariable\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__3_matches_\",\n      \"target\": \"func_0x40B9D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__3_matches_\",\n      \"target\": \"func_0x40B9A4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__3_matches_\",\n      \"target\": \"func_0x40699C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40B9D0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x40B9A4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40699C\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B9D0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B9A4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40699C\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40B9D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40B9A4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40699C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40B9D0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B9A4\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40699C\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B9D0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40B9A4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"func_0x40699C\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_directory\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_directory\",\n      \"target\": \"func_0x40E42C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E42C\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40E42C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E42C\",\n      \"target\": \"api_CreateDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_directory\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_directory\",\n      \"target\": \"func_0x411CBF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x411CBF\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x411CBF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x411CBF\",\n      \"target\": \"api_RemoveDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_file\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_file\",\n      \"target\": \"func_0x40E180\",\n  
    \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E180\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40E180\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E180\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists\",\n      \"target\": \"func_0x40E5F4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E5F4\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40E5F4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E5F4\",\n      \"target\": \"api_GetLastError\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_attributes\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes\",\n      \"target\": \"bb_0x40B698\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x40B698\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_clear_file_content\",\n      
\"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_clear_file_content\",\n      \"target\": \"func_0x40C410\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40C410\",\n      \"target\": \"api_SetFilePointer\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C410\",\n      \"target\": \"api_SetEndOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____jakeperalta7\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____jakeperalta7\",\n      \"target\": \"func_0x40C410\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40C410\",\n      \"target\": \"api_SetFilePointer\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C410\",\n      \"target\": \"api_SetEndOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_file_on_windows__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__2_matches_\",\n      \"target\": \"func_0x4096AC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__2_matches_\",\n      \"target\": \"func_0x4044F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4096AC\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4044F0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4096AC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4044F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4096AC\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4044F0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_size\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_size\",\n      \"target\": \"func_0x408068\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x408068\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x408068\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x408068\",\n      \"target\": \"api_GetDiskFreeSpace\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_shutdown_system\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_shutdown_system\",\n      \"target\": \"func_0x40E550\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E550\",\n      \"target\": \"api_ExitWindowsEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40E550\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E550\",\n      \"target\": \"api_ExitWindowsEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_system_information_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_system_information_on_windows\",\n      \"target\": \"func_0x40ED58\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40ED58\",\n      \"target\": \"api_GetSystemInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x40ED58\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40ED58\",\n      \"target\": \"api_GetSystemInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_thread_local_storage_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_thread_local_storage_value\",\n      \"target\": \"func_0x406588\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x406588\",\n      \"target\": \"api_TlsGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x406588\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x406588\",\n      \"target\": \"api_TlsGetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_create_process_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows\",\n      \"target\": \"bb_0x40EB68\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x40EB68\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_suspended\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_process_suspended\",\n      \"target\": \"bb_0x40EB68\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______william_ballenthin_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______william_ballenthin_mandiant_com__mehunhoff_google_com\",\n      \"target\": \"bb_0x40EB68\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_allocate_or_change_rwx_memory\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_allocate_or_change_rwx_memory\",\n      \"target\": \"bb_0x40EDB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______mr_tz__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______mr_tz__mehunhoff_google_com\",\n      \"target\": \"bb_0x40EDB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_modify_access_privileges\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      
\"source\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"target\": \"func_0x403714\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"target\": \"func_0x40BB34\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"target\": \"func_0x405DE8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"target\": \"func_0x405DD4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x403714\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40BB34\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405DE8\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405DD4\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x403714\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40BB34\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405DE8\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405DD4\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x403714\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40BB34\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x405DE8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x405DD4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x403714\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40BB34\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405DE8\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405DD4\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x403714\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40BB34\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405DE8\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405DD4\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_thread_local_storage_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_thread_local_storage_value\",\n      \"target\": \"func_0x406544\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x406544\",\n      \"target\": \"api_TlsSetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x406544\",\n      \"relationship\": \"implemented_by\"\n    
},\n    {\n      \"source\": \"func_0x406544\",\n      \"target\": \"api_TlsSetValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap__internal__installer_file_limitation\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_link_function_at_runtime_on_windows__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_identify_system_language_via_api\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_identify_system_language_via_api\",\n      \"target\": \"func_0x40E684\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E684\",\n      \"target\": \"api_GetUserDefaultLangID\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x40E684\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40E684\",\n      \"target\": \"api_GetUserDefaultLangID\",\n      \"relationship\": \"calls\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-05-23 19:58:23.223556\",\n    \"total_functions\": \"555\",\n    \"total_features\": \"59937\",\n    \"pdb_path\": \"\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n     
       .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 
15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) 
{\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? 
\"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-05-23 19:58:24"}
{"_id":{"$oid":"6a131bac32de6bb6782baac3"},"sha256":"a14055e8b09fd980e82a3eb551fe7ca60018b5486d46e462fda29ee88f252ca0","analysis_data":{"success":true,"results":{"normal":{"success":true,"path":"/tmp/sdm_capa_dswg4lxd/BrowsingHistoryView-019e5a9f39047902b64b76f6e25fc509.exe_normal.txt"},"verbose":{"success":true,"path":"/tmp/sdm_capa_dswg4lxd/BrowsingHistoryView-019e5a9f39047902b64b76f6e25fc509.exe_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_dswg4lxd/BrowsingHistoryView-019e5a9f39047902b64b76f6e25fc509.exe_very_verbose.txt"}},"outputs":{"normal":"┌──────────┬───────────────────────────────────────────────────────────────────┐\n│ md5      │ 0f5aba101aa4d94be74690aa60bf7840                                  │\n│ sha1     │ 40557e751e76b1f9608c2d0c12ce0cccd2588e11                          │\n│ sha256   │ a14055e8b09fd980e82a3eb551fe7ca60018b5486d46e462fda29ee88f252ca0  │\n│ analysis │ static                                                            │\n│ os       │ windows                                                           │\n│ format   │ pe                                                                │\n│ arch     │ i386                                                              │\n│ path     │ /home/apogean/projects/malware/windows/all_runs/BrowsingHistoryV… │\n└──────────┴───────────────────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ ATT&CK Tactic        ┃ ATT&CK Technique                                      ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ COLLECTION           │ Clipboard Data [T1115]                                │\n│                      │ Data from Information Repositories [T1213]            │\n│                      │ Input Capture::Keylogging [T1056.001]                 │\n│ DEFENSE EVASION      │ Hide Artifacts::Hidden Window [T1564.003]             │\n│                      │ 
Obfuscated Files or Information [T1027]               │\n│ DISCOVERY            │ Application Window Discovery [T1010]                  │\n│                      │ File and Directory Discovery [T1083]                  │\n│                      │ Process Discovery [T1057]                             │\n│                      │ Query Registry [T1012]                                │\n│                      │ Software Discovery [T1518]                            │\n│                      │ System Information Discovery [T1082]                  │\n│ EXECUTION            │ Shared Modules [T1129]                                │\n│ PERSISTENCE          │ Boot or Logon Autostart Execution::Registry Run Keys  │\n│                      │ / Startup Folder [T1547.001]                          │\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MBC Objective            ┃ MBC Behavior                                      ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ ANTI-BEHAVIORAL ANALYSIS │ Debugger Detection::Timing/Delay Check            │\n│                          │ GetTickCount [B0001.032]                          │\n│ COLLECTION               │ Keylogging::Polling [F0002.002]                   │\n│ DATA                     │ Check String [C0019]                              │\n│                          │ Encode Data::XOR [C0026.002]                      │\n│ DEFENSE EVASION          │ Obfuscated Files or                               │\n│                          │ Information::Encoding-Standard Algorithm          │\n│                          │ [E1027.m02]                                       │\n│                          │ Obfuscated Files or                               │\n│                          │ Information::Encryption-Standard Algorithm        │\n│                          │ [E1027.m05]                 
                      │\n│ DISCOVERY                │ Application Window Discovery [E1010]              │\n│                          │ Code Discovery::Enumerate PE Sections [B0046.001] │\n│                          │ File and Directory Discovery [E1083]              │\n│                          │ System Information Discovery [E1082]              │\n│ FILE SYSTEM              │ Copy File [C0045]                                 │\n│                          │ Delete File [C0047]                               │\n│                          │ Get File Attributes [C0049]                       │\n│                          │ Read File [C0051]                                 │\n│                          │ Writes File [C0052]                               │\n│ IMPACT                   │ Clipboard Modification [E1510]                    │\n│ OPERATING SYSTEM         │ Registry::Query Registry Value [C0036.006]        │\n│                          │ Registry::Set Registry Key [C0036.001]            │\n│ PERSISTENCE              │ Registry Run Keys / Startup Folder [F0012]        │\n│ PROCESS                  │ Create Process [C0017]                            │\n│                          │ Create Thread [C0038]                             │\n│                          │ Terminate Process [C0018]                         │\n└──────────────────────────┴───────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Capability                            ┃ Namespace                            ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ check for time delay via GetTickCount │ anti-analysis/anti-debugging/debugg… │\n│ parse credit card information         │ collection/credit-card               │\n│ reference SQL statements (2 matches)  │ collection/database/sql              │\n│ log keystrokes via polling (2         │ collection/keylog                    │\n│ 
matches)                              │                                      │\n│ encode data using XOR (6 matches)     │ data-manipulation/encoding/xor       │\n│ encrypt data using speck              │ data-manipulation/encryption/speck   │\n│ extract resource via kernel32         │ executable/resource                  │\n│ functions                             │                                      │\n│ write clipboard data (3 matches)      │ host-interaction/clipboard           │\n│ query environment variable (2         │ host-interaction/environment-variab… │\n│ matches)                              │                                      │\n│ get common file path (9 matches)      │ host-interaction/file-system         │\n│ get file system object information    │ host-interaction/file-system         │\n│ copy file (2 matches)                 │ host-interaction/file-system/copy    │\n│ delete file (5 matches)               │ host-interaction/file-system/delete  │\n│ check if file exists (7 matches)      │ host-interaction/file-system/exists  │\n│ enumerate files on Windows            │ host-interaction/file-system/files/… │\n│ get file attributes (23 matches)      │ host-interaction/file-system/meta    │\n│ get file version info                 │ host-interaction/file-system/meta    │\n│ read .ini file (5 matches)            │ host-interaction/file-system/read    │\n│ read file on Windows (13 matches)     │ host-interaction/file-system/read    │\n│ read file via mapping                 │ host-interaction/file-system/read    │\n│ write file on Windows (17 matches)    │ host-interaction/file-system/write   │\n│ enumerate gui resources               │ host-interaction/gui                 │\n│ get graphical window text (2 matches) │ host-interaction/gui/window/get-text │\n│ hide graphical window (4 matches)     │ host-interaction/gui/window/hide     │\n│ get disk information                  │ host-interaction/hardware/storage    │\n│ enumerate internet cache        
      │ host-interaction/internet/cache      │\n│ check OS version                      │ host-interaction/os/version          │\n│ create process on Windows (5 matches) │ host-interaction/process/create      │\n│ enumerate processes                   │ host-interaction/process/list        │\n│ terminate process                     │ host-interaction/process/terminate   │\n│ query or enumerate registry value (4  │ host-interaction/registry            │\n│ matches)                              │                                      │\n│ set registry value                    │ host-interaction/registry/create     │\n│ create thread                         │ host-interaction/thread/create       │\n│ link function at runtime on Windows   │ linking/runtime-linking              │\n│ (36 matches)                          │                                      │\n│ link many functions at runtime (4     │ linking/runtime-linking              │\n│ matches)                              │                                      │\n│ linked against sqlite3                │ linking/static/sqlite3               │\n│ enumerate PE sections (3 matches)     │ load-code/pe                         │\n│ parse PE header                       │ load-code/pe                         │\n│ resolve function by parsing PE        │ load-code/pe                         │\n│ exports (28 matches)                  │                                      │\n│ persist via Run registry key (3       │ persistence/registry/run             │\n│ matches)                              │                                      │\n└───────────────────────────────────────┴──────────────────────────────────────┘\n\n","verbose":"md5                     0f5aba101aa4d94be74690aa60bf7840                        \nsha1                    40557e751e76b1f9608c2d0c12ce0cccd2588e11                \nsha256                  a14055e8b09fd980e82a3eb551fe7ca60018b5486d46e462fda29ee…\npath                    
/home/apogean/projects/malware/windows/all_runs/Browsin…\ntimestamp               2026-05-24 21:08:35.534989                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEIGiuBUG/rules                                   \nfunction count          1623                                                    \nlibrary function count  11                                                      \ntotal feature count     118065                                                  \n\ncheck for time delay via GetTickCount\nnamespace  anti-analysis/anti-debugging/debugger-detection\nscope      function                                       \nmatches    0x4750E0                                       \n\nparse credit card information\nnamespace  collection/credit-card\nscope      function              \nmatches    0x439DD0              \n\nreference SQL statements (2 matches)\nnamespace  collection/database/sql\nscope      function               \nmatches    0x45E8B0               \n           0x45EE50               \n\nlog keystrokes via polling (2 matches)\nnamespace  collection/keylog\nscope      function         \nmatches    0x46F590         \n           0x4741C0         \n\nencode data using XOR (6 matches)\nnamespace  data-manipulation/encoding/xor\nscope      basic block                   \nmatches    0x4659F1                      \n           0x467600                      \n           0x467B22                      \n 
          0x467BD7                      \n           0x468920                      \n           0x487D70                      \n\nencrypt data using speck\nnamespace  data-manipulation/encryption/speck\nscope      function                          \nmatches    0x45EE50                          \n\nextract resource via kernel32 functions\nnamespace  executable/resource\nscope      function           \nmatches    0x465A20           \n\nopen clipboard (3 matches)\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x46E560                  \n           0x46ECC0                  \n           0x476940                  \n\nwrite clipboard data (3 matches)\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x476940                  \n           0x47A390                  \n           0x47B5A0                  \n\nquery environment variable (2 matches)\nnamespace  host-interaction/environment-variable\nscope      function                             \nmatches    0x46E0B0                             \n           0x482B00                             \n\nget common file path (9 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x46B6F0                    \n           0x46E0B0                    \n           0x46ECC0                    \n           0x46ED80                    \n           0x471C90                    \n           0x479D70                    \n           0x479DC0                    \n           0x47A0E0                    \n           0x481F50                    \n\nget file system object information\nnamespace  host-interaction/file-system\nscope      basic block                 \nmatches    0x471CBE                    \n\ncopy file (2 matches)\nnamespace  host-interaction/file-system/copy\nscope      function                         \nmatches    0x46B6F0                         \n           0x481F50                         \n\ndelete 
file (5 matches)\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    0x46B6F0                           \n           0x46EA60                           \n           0x46ECC0                           \n           0x477A20                           \n           0x481F50                           \n\ncheck if file exists (7 matches)\nnamespace  host-interaction/file-system/exists\nscope      function                           \nmatches    0x46BA40                           \n           0x475A80                           \n           0x479FC0                           \n           0x47E0B0                           \n           0x4841A0                           \n           0x484310                           \n           0x4890E0                           \n\nenumerate files on Windows\nnamespace  host-interaction/file-system/files/list\nscope      function                               \nmatches    0x478A40                               \n\nget file attributes (23 matches)\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    0x46BA40                         \n           0x46F114                         \n           0x475A80                         \n           0x479FC0                         \n           0x47E16A                         \n           0x48422E                         \n           0x484407                         \n           0x48445C                         \n           0x4844C8                         \n           0x484534                         \n           0x4845A4                         \n           0x484618                         \n           0x484678                         \n           0x4846E4                         \n           0x484750                         \n           0x4848A0                         \n           0x484CD3                         \n           0x484D68                         \n           0x485092                 
        \n           0x485433                         \n           0x4855FA                         \n           0x4896E2                         \n           0x489776                         \n\nget file size (5 matches)\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    0x465EB0                         \n           0x477380                         \n           0x477E40                         \n           0x47B5A0                         \n           0x486890                         \n\nget file version info\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    0x488410                         \n\nread .ini file (5 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x466940                         \n           0x466A20                         \n           0x475630                         \n           0x4756B0                         \n           0x475A80                         \n\nread file on Windows (13 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x465EB0                         \n           0x477590                         \n           0x477850                         \n           0x477CA0                         \n           0x477E40                         \n           0x47B5A0                         \n           0x47C090                         \n           0x47C1A0                         \n           0x47C640                         \n           0x47CA10                         \n           0x47CB10                         \n           0x47CC50                         \n           0x486890                         \n\nread file via mapping\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x477380                         \n\nwrite file on Windows (17 matches)\nnamespace  
host-interaction/file-system/write\nscope      function                          \nmatches    0x470860                          \n           0x4708E0                          \n           0x470F80                          \n           0x472220                          \n           0x472570                          \n           0x472640                          \n           0x4727D0                          \n           0x472C00                          \n           0x472E90                          \n           0x472FB0                          \n           0x4737C0                          \n           0x473A20                          \n           0x474520                          \n           0x474770                          \n           0x474960                          \n           0x477380                          \n           0x48113A                          \n\nenumerate gui resources\nnamespace  host-interaction/gui\nscope      function            \nmatches    0x46F2B0            \n\nget graphical window text (2 matches)\nnamespace  host-interaction/gui/window/get-text\nscope      function                            \nmatches    0x4761B0                            \n           0x4764B0                            \n\nhide graphical window (4 matches)\nnamespace  host-interaction/gui/window/hide\nscope      basic block                     \nmatches    0x46CA70                        \n           0x46E543                        \n           0x46F135                        \n           0x487EB7                        \n\nget disk information\nnamespace  host-interaction/hardware/storage\nscope      function                         \nmatches    0x477380                         \n\nenumerate internet cache\nnamespace  host-interaction/internet/cache\nscope      function                       \nmatches    0x476ED0                       \n\ncheck OS version\nnamespace  host-interaction/os/version\nscope      function                   \nmatches    0x485840       
            \n\ncreate process on Windows (5 matches)\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    0x46E32C                       \n           0x46F5BD                       \n           0x470344                       \n           0x470395                       \n           0x479A00                       \n\nenumerate processes\nnamespace  host-interaction/process/list\nscope      function                     \nmatches    0x46A230                     \n\nterminate process\nnamespace  host-interaction/process/terminate\nscope      function                          \nmatches    0x40193E                          \n\nquery or enumerate registry value (4 matches)\nnamespace  host-interaction/registry\nscope      function                 \nmatches    0x4667E0                 \n           0x4781D0                 \n           0x485840                 \n           0x4890E0                 \n\nset registry value\nnamespace  host-interaction/registry/create\nscope      function                        \nmatches    0x4667E0                        \n\ncreate thread\nnamespace  host-interaction/thread/create\nscope      basic block                   \nmatches    0x41154B                      \n\nlink function at runtime on Windows (36 matches)\nnamespace  linking/runtime-linking\nscope      instruction            \nmatches    0x469E68               \n           0x469E79               \n           0x469E8A               \n           0x469E9B               \n           0x469EAC               \n           0x46A359               \n           0x46A367               \n           0x46A375               \n           0x46A383               \n           0x46A391               \n           0x46A3F1               \n           0x46A44C               \n           0x46A87C               \n           0x46A88D               \n           0x46A89E               \n           0x46A8AF               \n           0x46A8C0               \n          
 0x46AABA               \n           0x46AACC               \n           0x46AADF               \n           0x46AAF2               \n           0x46AB04               \n           0x46AB17               \n           0x46AB2A               \n           0x46AB3C               \n           0x46F2F6               \n           0x47821C               \n           0x47A90F               \n           0x47A96F               \n           0x47FBA1               \n           0x485920               \n           0x485AF0               \n           0x48914A               \n           0x48926F               \n           0x489390               \n           0x4894A6               \n\nlink many functions at runtime (4 matches)\nnamespace  linking/runtime-linking\nscope      function               \nmatches    0x469E40               \n           0x46A230               \n           0x46A850               \n           0x46AA90               \n\nlinked against sqlite3\nnamespace  linking/static/sqlite3\nscope      file                  \n\nenumerate PE sections (3 matches)\nnamespace  load-code/pe\nscope      function    \nmatches    0x42DF60    \n           0x4484F0    \n           0x449830    \n\nparse PE header\nnamespace  load-code/pe\nscope      function    \nmatches    0x40193E    \n\nresolve function by parsing PE exports (28 matches)\nnamespace  load-code/pe\nscope      function    \nmatches    0x4274A0    \n           0x42D080    \n           0x43A8C0    \n           0x43B060    \n           0x43C8A0    \n           0x43D170    \n           0x43E5D0    \n           0x445080    \n           0x4471E0    \n           0x448790    \n           0x449830    \n           0x44FAD0    \n           0x451A00    \n           0x451C10    \n           0x452260    \n           0x453200    \n           0x453BB0    \n           0x456FA0    \n           0x458770    \n           0x45A790    \n           0x45B320    \n           0x45EE50    \n           0x4693D0    \n           0x46B010    \n       
    0x46DA50    \n           0x481F50    \n           0x482C10    \n           0x484310    \n\npersist via Run registry key (3 matches)\nnamespace  persistence/registry/run\nscope      function                \nmatches    0x4781D0                \n           0x485840                \n           0x4890E0                \n\n\n\n","very_verbose":"md5                     0f5aba101aa4d94be74690aa60bf7840                        \nsha1                    40557e751e76b1f9608c2d0c12ce0cccd2588e11                \nsha256                  a14055e8b09fd980e82a3eb551fe7ca60018b5486d46e462fda29ee…\npath                    /home/apogean/projects/malware/windows/all_runs/Browsin…\ntimestamp               2026-05-24 21:09:20.973471                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEI8A7jGf/rules                                   \nfunction count          1623                                                    \nlibrary function count  11                                                      \ntotal feature count     118065                                                  \n\ncalculate modulo 256 via x86 assembly (24 matches, only showing first match of \nlibrary rule)\nauthor  moritz.raabe@mandiant.com\nscope   instruction              \nmbc     Data::Modulo [C0058]     \ninstruction @ 0x4053A2\n  and:\n    or:\n      arch: i386\n    mnemonic: and @ 0x4053A2\n    or:\n      number: 0xFF @ 0x4053A2\n\ncontain 
loop (747 matches, only showing first match of library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ 0x4014A0\n  or:\n    characteristic: loop @ 0x4014A0\n\ncreate or open file (12 matches, only showing first match of library rule)\nauthor  michael.hunhoff@mandiant.com, joakim@intezer.com\nscope   instruction                                     \nmbc     File System::Create File [C0016]                \ninstruction @ 0x465ED9\n  or:\n    api: CreateFile @ 0x465ED9\n\ncreate or open registry key (6 matches, only showing first match of library \nrule)\nauthor  michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope   basic block                                                             \nmbc     Operating System::Registry::Create Registry Key [C0036.004], Operating  \n        System::Registry::Open Registry Key [C0036.003]                         \nbasic block @ 0x478260 in function 0x4781D0\n  or:\n    api: RegOpenKeyEx @ 0x478293\n\nget OS version (5 matches, only showing first match of library rule)\nauthor  @mr-tz  \nscope   function\nfunction @ 0x46A5E0\n  or:\n    api: GetVersionEx @ 0x46A60C\n\nopen process (4 matches, only showing first match of library rule)\nauthor  0x534a@mailbox.org           \nscope   basic block                  \nmbc     Process::Open Process [C0065]\nbasic block @ 0x46A2B0 in function 0x46A230\n  or:\n    api: OpenProcess @ 0x46A30D\n\ncheck for time delay via GetTickCount\nnamespace  anti-analysis/anti-debugging/debugger-detection                      \nauthor     michael.hunhoff@mandiant.com                                         \nscope      function                                                             \nmbc        Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check     \n           GetTickCount [B0001.032]                                             \nfunction @ 0x4750E0\n  and:\n    basic block:\n      and:\n        mnemonic: sub @ 0x47514B\n 
       mnemonic: cmp @ 0x47514F\n    count(api(GetTickCount)): 2 or more @ 0x4750E6, 0x475145\n\nparse credit card information\nnamespace  collection/credit-card    \nauthor     @_re_fox                  \nscope      function                  \nmbc        Data::Check String [C0019]\nfunction @ 0x439DD0\n  and:\n    not: = if a function also compares these non-hex characters it's most likely NOT \nparsing CC data\n      and:\n        match: parse credit card information/efff727f6e2f4f8da22050885c920578\n        match: parse credit card information/9d69217cd41f45bda65f68dc58eba594\n        match: parse credit card information/7e601cb3a1fe4ac693b83e4540bae902\n        match: parse credit card information/af277ea9d2704e6a9db43fc05a4d9459\n    3 or more:\n      instruction:\n        and:\n          mnemonic: cmp @ 0x43A0F9\n          number: 0x3D = '=' (Track 2 separator) @ 0x43A0F9\n        and:\n          mnemonic: cmp @ 0x43A0BD\n          number: 0x3D = '=' (Track 2 separator) @ 0x43A0BD\n      instruction:\n        and:\n          mnemonic: cmp @ 0x43A038\n          number: 0x25 = '%' (Track 1 start sentinel) @ 0x43A038\n      instruction:\n        and:\n          mnemonic: cmp @ 0x43A0B4\n          number: 0x3F = '?' (Track 1 & 2 end sentinel) @ 0x43A0B4\n        and:\n          mnemonic: cmp @ 0x43A145\n          number: 0x3F = '?' 
(Track 1 & 2 end sentinel) @ 0x43A145\n\nreference SQL statements (2 matches)\nnamespace  collection/database/sql                               \nauthor     william.ballenthin@mandiant.com                       \nscope      function                                              \natt&ck     Collection::Data from Information Repositories [T1213]\nfunction @ 0x45E8B0\n  and:\n    regex: /SELECT.*FROM.*WHERE/\n      - \"INSERT INTO vacuum_db.sqlite_master SELECT*FROM \\\"%w\\\".sqlite_master WHERE type\nIN('view','trigger') OR(type='table'AND rootpage=0)\" @ 0x45ED0C\n      - \"SELECT sql FROM \\\"%w\\\".sqlite_master WHERE type='index' AND length(sql)>10\" @ 0x45ECBF\n      - \"SELECT sql FROM \\\"%w\\\".sqlite_master WHERE type='table'AND \nname<>'sqlite_sequence' AND coalesce(rootpage,1)>0\" @ 0x45EC9F\n      - \"SELECT'INSERT INTO vacuum_db.'||quote(name)||' \nSELECT*FROM\\\"%w\\\".'||quote(name)FROM vacuum_db.sqlite_master WHERE \ntype='table'AND coalesce(rootpage,1)>0\" @ 0x45ECE5\nfunction @ 0x45EE50\n  and:\n    regex: /SELECT.*FROM.*WHERE/\n      - \"SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid\" @ 0x462664\n\nlog keystrokes via polling (2 matches)\nnamespace  collection/keylog                                \nauthor     michael.hunhoff@mandiant.com                     \nscope      function                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]\nmbc        Collection::Keylogging::Polling [F0002.002]      \nfunction @ 0x46F590\n  or:\n    api: GetKeyState @ 0x46F788\nfunction @ 0x4741C0\n  or:\n    api: GetKeyState @ 0x4741E5\n\nencode data using XOR (6 matches)\nnamespace  data-manipulation/encoding/xor                                       \nauthor     moritz.raabe@mandiant.com                                            \nscope      basic block                                                          \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        
Defense Evasion::Obfuscated Files or Information::Encoding-Standard  \n           Algorithm [E1027.m02], Data::Encode Data::XOR [C0026.002]            \nbasic block @ 0x4659F1 in function 0x4659E0\n  and:\n    characteristic: tight loop @ 0x4659F1\n    characteristic: nzxor @ 0x465A09\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x467600 in function 0x4675E0\n  and:\n    characteristic: tight loop @ 0x467600\n    characteristic: nzxor @ 0x46760D\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n     
     number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x467B22 in function 0x467AB0\n  and:\n    characteristic: tight loop @ 0x467B22\n    characteristic: nzxor @ 0x467B39, 0x467B3D\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x467BD7 in function 0x467B80\n  and:\n    characteristic: tight loop @ 0x467BD7\n    characteristic: nzxor @ 0x467BEE, 0x467BF2\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          
number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x468920 in function 0x468670\n  and:\n    characteristic: tight loop @ 0x468920\n    characteristic: nzxor @ 0x46892D\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x487D70 in function 0x487D60\n  and:\n    characteristic: tight loop @ 0x487D70\n    characteristic: nzxor @ 0x487D70, 0x487D7D\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n   
       number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\n\nencrypt data using speck\nnamespace   data-manipulation/encryption/speck                                  \nauthor      still@teamt5.org                                                    \nscope       function                                                            \natt&ck      Defense Evasion::Obfuscated Files or Information [T1027]            \nmbc         Defense Evasion::Obfuscated Files or                                \n            Information::Encryption-Standard Algorithm [E1027.m05]              \nreferences  https://github.com/maxmouchet/gfc/blob/8d818b0fe2023c92cbf8d7eb8967…\n            https://github.com/TheWover/donut/blob/47758d787209dd1744f58c140102…\nfunction @ 0x45EE50\n  and:\n    match: contain loop @ 0x45EE50\n      or:\n        characteristic: loop @ 0x45EE50\n        characteristic: tight loop @ 0x45F1F0, 0x45F875, 0x460660, 0x4606E1, and 5 more...\n    instruction:\n      and:\n        mnemonic: cmp @ 0x463C49\n        or:\n          number: 0x1A = encryption loop @ 0x463C49\n      and:\n        mnemonic: cmp @ 0x4615A1\n        or:\n          number: 0x1A = encryption loop @ 0x4615A1\n      and:\n        mnemonic: cmp @ 0x4634AB\n        or:\n          number: 0x1A = 
encryption loop @ 0x4634AB\n    instruction:\n      and:\n        mnemonic: cmp @ 0x45F5C0\n        or:\n          number: 0x3 = master key copy loop @ 0x45F5C0\n      and:\n        mnemonic: cmp @ 0x463620\n        or:\n          number: 0x4 = master key copy loop @ 0x463620\n      and:\n        mnemonic: cmp @ 0x45F604\n        or:\n          number: 0x3 = master key copy loop @ 0x45F604\n      and:\n        mnemonic: cmp @ 0x462ECC\n        or:\n          number: 0x3 = master key copy loop @ 0x462ECC\n      and:\n        mnemonic: cmp @ 0x462F8D\n        or:\n          number: 0x4 = master key copy loop @ 0x462F8D\n      and:\n        mnemonic: cmp @ 0x4601AE\n        or:\n          number: 0x3 = master key copy loop @ 0x4601AE\n      and:\n        mnemonic: cmp @ 0x45F096\n        or:\n          number: 0x4 = master key copy loop @ 0x45F096\n      and:\n        mnemonic: cmp @ 0x45FD5E\n        or:\n          number: 0x4 = master key copy loop @ 0x45FD5E\n    count(characteristic(nzxor)): 2 or more @ 0x45FD02, 0x45FD0D, 0x45FD33, 0x45FD3E, and 2 more...\n    2 or more:\n      mnemonic: shl @ 0x460C88, 0x460D66, 0x460DC0, 0x460E02, and 11 more...\n      mnemonic: imul @ 0x45EF12, 0x45EFE9, 0x45F039, 0x45F81E, and 7 more...\n\nextract resource via kernel32 functions\nnamespace  executable/resource            \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ 0x465A20\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x465A4E\n        api: LockResource @ 0x465A59\n      optional:\n        or:\n          api: FindResource @ 0x465A31\n        api: SizeofResource @ 0x465A40\n\nopen clipboard (3 matches)\nnamespace  host-interaction/clipboard        \nauthor     michael.hunhoff@mandiant.com      \nscope      function                          \natt&ck     Collection::Clipboard Data [T1115]\nfunction @ 0x46E560\n  and:\n    api: OpenClipboard @ 0x46E5C9\nfunction @ 0x46ECC0\n  and:\n    api: OpenClipboard @ 
0x46ED34\nfunction @ 0x476940\n  and:\n    api: OpenClipboard @ 0x47695A\n    optional:\n      api: CloseClipboard @ 0x4769DF\n\nwrite clipboard data (3 matches)\nnamespace   host-interaction/clipboard                                          \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \nmbc         Impact::Clipboard Modification [E1510]                              \nreferences  https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-…\nfunction @ 0x476940\n  and:\n    optional:\n      match: open clipboard @ 0x476940\n        and:\n          api: OpenClipboard @ 0x47695A\n          optional:\n            api: CloseClipboard @ 0x4769DF\n      api: EmptyClipboard @ 0x476968\n    or:\n      api: SetClipboardData @ 0x4769D9\nfunction @ 0x47A390\n  and:\n    optional:\n      api: EmptyClipboard @ 0x47A398\n    or:\n      api: SetClipboardData @ 0x47A3EA\nfunction @ 0x47B5A0\n  and:\n    optional:\n      api: EmptyClipboard @ 0x47B5AC\n    or:\n      api: SetClipboardData @ 0x47B62A\n\nquery environment variable (2 matches)\nnamespace  host-interaction/environment-variable          \nauthor     michael.hunhoff@mandiant.com, @_re_fox         \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ 0x46E0B0\n  or:\n    api: ExpandEnvironmentStrings @ 0x46E18E\nfunction @ 0x482B00\n  or:\n    api: ExpandEnvironmentStrings @ 0x482BC2\n\nget common file path (9 matches)\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     
Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ 0x46B6F0\n  or:\n    api: GetTempPath @ 0x46B807\n    api: GetTempFileName @ 0x46B845\n    api: GetWindowsDirectory @ 0x46B81E\nfunction @ 0x46E0B0\n  or:\n    api: GetCurrentDirectory @ 0x46E1F4\nfunction @ 0x46ECC0\n  or:\n    api: GetTempPath @ 0x46ECD3\n    api: GetTempFileName @ 0x46ED0A\n    api: GetWindowsDirectory @ 0x46ECEA\nfunction @ 0x46ED80\n  or:\n    api: GetTempPath @ 0x46F12F\nfunction @ 0x471C90\n  or:\n    api: GetWindowsDirectory @ 0x471CFA\nfunction @ 0x479D70\n  or:\n    api: GetSystemDirectory @ 0x479D84\nfunction @ 0x479DC0\n  or:\n    api: GetWindowsDirectory @ 0x479DD4\nfunction @ 0x47A0E0\n  or:\n    api: GetTempPath @ 0x47A0EF\n    api: GetTempFileName @ 0x47A11E\n    api: GetWindowsDirectory @ 0x47A103\nfunction @ 0x481F50\n  or:\n    api: GetTempPath @ 0x482080\n    api: GetTempFileName @ 0x4820BE\n    api: GetWindowsDirectory @ 0x482097\n\nget file system object information\nnamespace  host-interaction/file-system                   \nauthor     michael.hunhoff@mandiant.com                   \nscope      basic block                                    \natt&ck     Discovery::File and Directory Discovery [T1083]\nbasic block @ 0x471CBE in function 0x471C90\n  or:\n    api: SHGetFileInfo @ 0x471D18\n\ncopy file (2 matches)\nnamespace  host-interaction/file-system/copy                      \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Copy File [C0045]                         \nfunction @ 0x46B6F0\n  or:\n    api: CopyFile @ 0x46B856\nfunction @ 0x481F50\n  or:\n    api: CopyFile @ 0x4820CF\n\ndelete file (5 matches)\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      
function                                               \nmbc        File System::Delete File [C0047]                       \nfunction @ 0x46B6F0\n  or:\n    api: DeleteFile @ 0x46B874\nfunction @ 0x46EA60\n  or:\n    api: DeleteFile @ 0x46EA9E\nfunction @ 0x46ECC0\n  or:\n    api: DeleteFile @ 0x46ED6B\nfunction @ 0x477A20\n  or:\n    api: DeleteFile @ 0x477B94\nfunction @ 0x481F50\n  or:\n    api: DeleteFile @ 0x48297D\n\ncheck if file exists (7 matches)\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083]        \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ 0x46BA40\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x46BA8C\n        instruction:\n          and:\n            mnemonic: cmp @ 0x46BA92\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x46BA92\nfunction @ 0x475A80\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x475A84\n        instruction:\n          and:\n            mnemonic: cmp @ 0x475A8A\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x475A8A\nfunction @ 0x479FC0\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x479FC1\n        instruction:\n          and:\n            mnemonic: cmp @ 0x479FC9\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x479FC9\nfunction @ 0x47E0B0\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x47E185\n        instruction:\n          and:\n            mnemonic: cmp @ 0x47E18B\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x47E18B\nfunction @ 0x4841A0\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x484268\n        instruction:\n          and:\n            mnemonic: cmp @ 0x48426E\n            number: 0xFFFFFFFF = 
INVALID_FILE_ATTRIBUTES @ 0x48426E\nfunction @ 0x484310\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x4848E6\n        instruction:\n          and:\n            mnemonic: cmp @ 0x4848E8\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x4848E8\n      and:\n        api: GetFileAttributes @ 0x4845F7\n        instruction:\n          and:\n            mnemonic: cmp @ 0x4845F9\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x4845F9\n      and:\n        api: GetFileAttributes @ 0x484733\n        instruction:\n          and:\n            mnemonic: cmp @ 0x484735\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x484735\n      and:\n        api: GetFileAttributes @ 0x484436\n        instruction:\n          and:\n            mnemonic: cmp @ 0x484438\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x484438\n      and:\n        api: GetFileAttributes @ 0x484517\n        instruction:\n          and:\n            mnemonic: cmp @ 0x484519\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x484519\n      and:\n        api: GetFileAttributes @ 0x484D89\n        instruction:\n          and:\n            mnemonic: cmp @ 0x484D8F\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x484D8F\n      and:\n        api: GetFileAttributes @ 0x4846C7\n        instruction:\n          and:\n            mnemonic: cmp @ 0x4846C9\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x4846C9\n      and:\n        api: GetFileAttributes @ 0x48479F\n        instruction:\n          and:\n            mnemonic: cmp @ 0x4847A1\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x4847A1\n      and:\n        api: GetFileAttributes @ 0x4850B3\n        instruction:\n          and:\n            mnemonic: cmp @ 0x4850B9\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x4850B9\n      and:\n        api: GetFileAttributes @ 0x484CF6\n        instruction:\n          and:\n            mnemonic: 
cmp @ 0x484CFC\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x484CFC\n      and:\n        api: GetFileAttributes @ 0x484583\n        instruction:\n          and:\n            mnemonic: cmp @ 0x484585\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x484585\n      and:\n        api: GetFileAttributes @ 0x485454\n        instruction:\n          and:\n            mnemonic: cmp @ 0x48545A\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x48545A\n      and:\n        api: GetFileAttributes @ 0x48465B\n        instruction:\n          and:\n            mnemonic: cmp @ 0x48465D\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x48465D\n      and:\n        api: GetFileAttributes @ 0x48561B\n        instruction:\n          and:\n            mnemonic: cmp @ 0x485621\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x485621\n      and:\n        api: GetFileAttributes @ 0x484464\n        instruction:\n          and:\n            mnemonic: cmp @ 0x484466\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x484466\nfunction @ 0x4890E0\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x489777\n        instruction:\n          and:\n            mnemonic: cmp @ 0x489779\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x489779\n\nenumerate files on Windows\nnamespace   host-interaction/file-system/files/list                             \nauthor      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com          \nscope       function                                                            \natt&ck      Discovery::File and Directory Discovery [T1083]                     \nmbc         Discovery::File and Directory Discovery [E1083]                     \nreferences  https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b16…\nfunction @ 0x478A40\n  or:\n    and:\n      or:\n        api: FindFirstFile @ 0x478A53\n      or:\n        api: FindNextFile @ 0x478A6F\n      
optional:\n        api: FindClose @ 0x478A83\n\nget file attributes (23 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      basic block                                                  \nmbc        File System::Get File Attributes [C0049]                     \nbasic block @ 0x46BA40 in function 0x46BA40\n  or:\n    api: GetFileAttributes @ 0x46BA8C\nbasic block @ 0x46F114 in function 0x46ED80\n  or:\n    api: GetFileAttributes @ 0x46F11F\nbasic block @ 0x475A80 in function 0x475A80\n  or:\n    api: GetFileAttributes @ 0x475A84\nbasic block @ 0x479FC0 in function 0x479FC0\n  or:\n    api: GetFileAttributes @ 0x479FC1\nbasic block @ 0x47E16A in function 0x47E0B0\n  or:\n    api: GetFileAttributes @ 0x47E185\nbasic block @ 0x48422E in function 0x4841A0\n  or:\n    api: GetFileAttributes @ 0x484268\nbasic block @ 0x484407 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x484436\nbasic block @ 0x48445C in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x484464\nbasic block @ 0x4844C8 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x484517\nbasic block @ 0x484534 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x484583\nbasic block @ 0x4845A4 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x4845F7\nbasic block @ 0x484618 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x48465B\nbasic block @ 0x484678 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x4846C7\nbasic block @ 0x4846E4 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x484733\nbasic block @ 0x484750 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x48479F\nbasic block @ 0x4848A0 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x4848E6\nbasic block @ 0x484CD3 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x484CF6\nbasic block @ 0x484D68 in function 0x484310\n  or:\n    api: 
GetFileAttributes @ 0x484D89\nbasic block @ 0x485092 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x4850B3\nbasic block @ 0x485433 in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x485454\nbasic block @ 0x4855FA in function 0x484310\n  or:\n    api: GetFileAttributes @ 0x48561B\nbasic block @ 0x4896E2 in function 0x4890E0\n  or:\n    api: GetFileAttributes @ 0x489729\nbasic block @ 0x489776 in function 0x4890E0\n  or:\n    api: GetFileAttributes @ 0x489777\n\nget file size (5 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        Discovery::File and Directory Discovery [E1083]              \nfunction @ 0x465EB0\n  or:\n    api: GetFileSize @ 0x465EE9\nfunction @ 0x477380\n  or:\n    api: GetFileSize @ 0x4774B2\nfunction @ 0x477E40\n  or:\n    api: GetFileSize @ 0x477EC5\nfunction @ 0x47B5A0\n  or:\n    api: GetFileSize @ 0x47B5DD\nfunction @ 0x486890\n  or:\n    api: GetFileSize @ 0x4868BC\n\nget file version info\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        Discovery::File and Directory Discovery [E1083]              \nfunction @ 0x488410\n  and:\n    or:\n      api: GetFileVersionInfo @ 0x4884BD\n    optional: = retrieve specified version information from the version-information resource\n      api: VerQueryValue @ 0x4884D2, 0x488512\n      or:\n        api: GetFileVersionInfoSize @ 0x48842D\n\nread .ini file (5 matches)\nnamespace  host-interaction/file-system/read     \nauthor     @_re_fox, 
michael.hunhoff@mandiant.com\nscope      function                              \nmbc        File System::Read File [C0051]        \nfunction @ 0x466940\n  and:\n    or:\n      api: GetPrivateProfileString @ 0x4669CA\nfunction @ 0x466A20\n  and:\n    or:\n      api: GetPrivateProfileInt @ 0x466A58\nfunction @ 0x475630\n  and:\n    or:\n      api: GetPrivateProfileString @ 0x47566F\nfunction @ 0x4756B0\n  and:\n    or:\n      api: GetPrivateProfileString @ 0x4756F6\nfunction @ 0x475A80\n  and:\n    or:\n      api: GetPrivateProfileInt @ 0x475AD8\n      api: GetPrivateProfileString @ 0x475B17, 0x475B3D, 0x475B66\n\nread file on Windows (13 matches)\nnamespace  host-interaction/file-system/read                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \nmbc        File System::Read File [C0051]                            \nfunction @ 0x465EB0\n  or:\n    and:\n      os: windows\n      optional:\n        and:\n          number: 0x80000000 = GENERIC_READ @ 0x465ED3\n          match: create or open file @ 0x465ED9\n            or:\n              api: CreateFile @ 0x465ED9\n      or:\n        api: ReadFile @ 0x465F0E\nfunction @ 0x477590\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x4777EB\nfunction @ 0x477850\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x4779CD\nfunction @ 0x477CA0\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x477CE0, 0x477D13, 0x477D9B\nfunction @ 0x477E40\n  or:\n    and:\n      os: windows\n      optional:\n        and:\n          number: 0x80000000 = GENERIC_READ @ 0x477E5F\n          match: create or open file @ 0x477E65\n            or:\n              api: CreateFile @ 0x477E65\n      or:\n        api: ReadFile @ 0x477E9A\nfunction @ 0x47B5A0\n  or:\n    and:\n      os: windows\n      optional:\n        and:\n          number: 0x80000000 = GENERIC_READ @ 
0x47B5C0\n          match: create or open file @ 0x47B5C6\n            or:\n              api: CreateFile @ 0x47B5C6\n      or:\n        api: ReadFile @ 0x47B60D\nfunction @ 0x47C090\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x47C0D1\nfunction @ 0x47C1A0\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x47C239\nfunction @ 0x47C640\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x47C6FB, 0x47C75A\nfunction @ 0x47CA10\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x47CA66\nfunction @ 0x47CB10\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x47CC2A\nfunction @ 0x47CC50\n  or:\n    and:\n      os: windows\n      optional:\n        and:\n          number: 0x80000000 = GENERIC_READ @ 0x47CC7A\n          match: create or open file @ 0x47CC86\n            or:\n              api: CreateFile @ 0x47CC86\n      or:\n        api: ReadFile @ 0x47CCAC\nfunction @ 0x486890\n  or:\n    and:\n      os: windows\n      optional:\n        and:\n          number: 0x80000000 = GENERIC_READ @ 0x4868A1\n          match: create or open file @ 0x4868AD\n            or:\n              api: CreateFile @ 0x4868AD\n      or:\n        api: ReadFile @ 0x48690D\n\nread file via mapping\nnamespace  host-interaction/file-system/read\nauthor     michael.hunhoff@mandiant.com     \nscope      function                         \nmbc        File System::Read File [C0051]   \nfunction @ 0x477380\n  or:\n    and:\n      basic block:\n        and:\n          api: MapViewOfFile @ 0x4774F5\n          or:\n            number: 0x4 = FILE_MAP_READ @ 0x4774F2\n      optional:\n        api: UnmapViewOfFile @ 0x47751A\n        and:\n          match: get file size @ 0x477380\n            or:\n              api: GetFileSize @ 0x4774B2\n        basic block:\n          and:\n            api: CreateFileMapping @ 0x4774E1\n            or:\n              number: 0x2 = PAGE_READONLY @ 
0x4774D6\n\nwrite file on Windows (17 matches)\nnamespace  host-interaction/file-system/write                              \nauthor     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                        \nmbc        File System::Writes File [C0052]                                \nfunction @ 0x470860\n  or:\n    and:\n      os: windows\n      or:\n        api: WriteFile @ 0x4708D0\nfunction @ 0x4708E0\n  or:\n    and:\n      os: windows\n      or:\n        api: WriteFile @ 0x470950\nfunction @ 0x470F80\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x470FA3\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x470F9C\n      or:\n        api: WriteFile @ 0x470FBB\nfunction @ 0x472220\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x47234F\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4723A8\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4724B9\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4723B3\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4724C3\n      or:\n        api: WriteFile @ 0x4723D9, 0x4724E2\nfunction @ 0x472570\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4725E7\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4725F3\n      or:\n        api: WriteFile @ 0x472616\nfunction @ 0x472640\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x47272A\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472733\n      or:\n        api: WriteFile @ 0x472676, 0x47274B, 0x47279E\nfunction @ 0x4727D0\n  or:\n    and:\n      os: windows\n      optional:\n       
 basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x47294C\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472A56, 0x472A59\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472B13\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472A79\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472B0D\n      or:\n        api: WriteFile @ 0x4728E2, 0x472B31, 0x472B8A, 0x472BD2\nfunction @ 0x472C00\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472DD3\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472D49\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472DC8\n      or:\n        api: WriteFile @ 0x472C68, 0x472DF2, 0x472E5A\nfunction @ 0x472E90\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472F14\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472F0E\n      or:\n        api: WriteFile @ 0x472F30, 0x472F8C\nfunction @ 0x472FB0\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472FF4\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4730D3\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x473133\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4730C8\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x472FFA\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x47312C\n      or:\n        api: WriteFile @ 0x47301B, 0x473058, 0x4730EB, 0x47314F, and 2 more...\nfunction @ 0x4737C0\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x473933\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x473843\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 
0x473998\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x473849\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x47392A\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4738E7\n      or:\n        api: WriteFile @ 0x473862, 0x47394B, 0x4739A0, 0x4739F8\nfunction @ 0x473A20\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x473B93\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x473AA3\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x473BF8\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x473AA9\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x473B8A\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x473B47\n      or:\n        api: WriteFile @ 0x473AC2, 0x473BAB, 0x473C00, 0x473C58\nfunction @ 0x474520\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x40000000 = GENERIC_WRITE @ 0x474587\n            number: 0x2 = FILE_WRITE_DATA @ 0x474582\n            match: create or open file @ 0x47458D\n              or:\n                api: CreateFile @ 0x47458D\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x474620\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x47454B\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4745CC\n      or:\n        api: WriteFile @ 0x4745D4\nfunction @ 0x474770\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x47488D\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x474822\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x47479D\n          or:\n            number: 0x40000000 = GENERIC_WRITE @ 0x4747D5\n            number: 0x2 = FILE_WRITE_DATA @ 0x4747D0\n            match: create or open file @ 0x4747DB\n              or:\n                api: 
CreateFile @ 0x4747DB\n      or:\n        api: WriteFile @ 0x47482A\nfunction @ 0x474960\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x40000000 = GENERIC_WRITE @ 0x4749B7\n            number: 0x2 = FILE_WRITE_DATA @ 0x4749B2\n            match: create or open file @ 0x4749BD\n              or:\n                api: CreateFile @ 0x4749BD\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x474A60\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x474AA8\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x474B17\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x474A0C\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x474B89\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x47497E\n      or:\n        api: WriteFile @ 0x474A14\nfunction @ 0x477380\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x4774D6\n      or:\n        api: WriteFile @ 0x477513\nfunction @ 0x48113A\n  or:\n    and:\n      os: windows\n      optional:\n        basic block:\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x48121F\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x481294\n          or:\n            number: 0x2 = FILE_WRITE_DATA @ 0x48128E\n      or:\n        api: WriteFile @ 0x48116D, 0x4812B0\n\nenumerate gui resources\nnamespace  host-interaction/gui                           \nauthor     johnk3r, anushka.virgaonkar@mandiant.com       \nscope      function                                       \natt&ck     Discovery::Application Window Discovery [T1010]\nfunction @ 0x46F2B0\n  or:\n    api: EnumResourceTypes @ 0x46F328\n\nget graphical window text (2 matches)\nnamespace  host-interaction/gui/window/get-text           \nauthor     moritz.raabe@mandiant.com                      \nscope      function                                       \nmbc     
   Discovery::Application Window Discovery [E1010]\nfunction @ 0x4761B0\n  or:\n    and:\n      api: GetWindowText @ 0x4761FB\nfunction @ 0x4764B0\n  or:\n    and:\n      api: GetWindowText @ 0x4765C6\n\nhide graphical window (4 matches)\nnamespace  host-interaction/gui/window/hide                          \nauthor     michael.hunhoff@mandiant.com                              \nscope      basic block                                               \natt&ck     Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\nbasic block @ 0x46CA70 in function 0x46CA70\n  and:\n    number: 0x0 = SW_HIDE @ 0x46CA9F\n    api: ShowWindow @ 0x46CA8E\nbasic block @ 0x46E543 in function 0x46E500\n  and:\n    number: 0x0 = SW_HIDE @ 0x46E549\n    api: ShowWindow @ 0x46E54C\nbasic block @ 0x46F135 in function 0x46ED80\n  and:\n    number: 0x0 = SW_HIDE @ 0x46F164, 0x46F166, 0x46F174, 0x46F185, and 5 more...\n    api: ShowWindow @ 0x46F258\nbasic block @ 0x487EB7 in function 0x487E80\n  and:\n    number: 0x0 = SW_HIDE @ 0x487EC0, 0x487ED6\n    api: ShowWindow @ 0x487ED1, 0x487EE1\n\nget disk information\nnamespace  host-interaction/hardware/storage                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \natt&ck     Discovery::System Information Discovery [T1082]           \nmbc        Discovery::System Information Discovery [E1082]           \nfunction @ 0x477380\n  or:\n    api: GetDriveType @ 0x477405\n\nenumerate internet cache\nnamespace  host-interaction/internet/cache\nauthor     michael.hunhoff@mandiant.com   \nscope      function                       \nfunction @ 0x476ED0\n  and:\n    api: FindFirstUrlCacheEntry @ 0x476EF6\n    optional:\n      api: FindNextUrlCacheEntry @ 0x476F95, 0x476FCC\n      api: FindCloseUrlCache @ 0x476FE5\n      match: contain loop @ 0x476ED0\n        or:\n          characteristic: loop @ 0x476ED0\n\ncheck OS version\nnamespace  
host-interaction/os/version                    \nauthor     michael.hunhoff@mandiant.com, johnk3r          \nscope      function                                       \natt&ck     Discovery::System Information Discovery [T1082]\nmbc        Discovery::System Information Discovery [E1082]\nfunction @ 0x485840\n  and:\n    match: get OS version @ 0x485840\n      or:\n        api: GetVersionEx @ 0x485B1A\n    or:\n      and:\n        instruction:\n          and:\n            mnemonic: cmp @ 0x485A82\n            number: 0x5 = Windows 2000 @ 0x485A82\n        optional:\n          instruction:\n            and:\n              mnemonic: cmp @ 0x485995\n              or:\n                number: 0x1 = Windows XP @ 0x485995\n            and:\n              mnemonic: cmp @ 0x485BA7\n              or:\n                number: 0x2 = Windows XP 64-bit / Windows Server 2003 / Windows Server 2003 R2 @ 0x485BA7\n      and:\n        instruction:\n          and:\n            mnemonic: cmp @ 0x4858D2\n            number: 0x6 = Windows Vista / Windows Server 2008 @ 0x4858D2\n        optional:\n          instruction:\n            and:\n              mnemonic: cmp @ 0x485BA7\n              or:\n                number: 0x2 = Windows Server 2012 / Windows 8 @ 0x485BA7\n            and:\n              mnemonic: cmp @ 0x48598C\n              or:\n                number: 0x3 = Windows Server 2012 R2 / Windows 8.1 @ 0x48598C\n            and:\n              mnemonic: cmp @ 0x485995\n              or:\n                number: 0x1 = Windows Server 2008 R2 / Windows 7 @ 0x485995\n            and:\n              mnemonic: cmp @ 0x48593F\n              or:\n                number: 0x3 = Windows Server 2012 R2 / Windows 8.1 @ 0x48593F\n\ncreate process on Windows (5 matches)\nnamespace  host-interaction/process/create\nauthor     moritz.raabe@mandiant.com      \nscope      basic block                    \nmbc        Process::Create Process [C0017]\nbasic block @ 0x46E32C in function 0x46E2E0\n  
or:\n    api: ShellExecute @ 0x46E33C\nbasic block @ 0x46F5BD in function 0x46F590\n  or:\n    api: ShellExecute @ 0x46F605\nbasic block @ 0x470344 in function 0x46FEB0\n  or:\n    api: ShellExecute @ 0x47035D\nbasic block @ 0x470395 in function 0x46FEB0\n  or:\n    api: ShellExecute @ 0x4703AE\nbasic block @ 0x479A00 in function 0x479A00\n  or:\n    api: ShellExecute @ 0x479A13\n\nenumerate processes\nnamespace  host-interaction/process/list                                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com              \nscope      function                                                             \natt&ck     Discovery::Process Discovery [T1057], Discovery::Software Discovery  \n           [T1518]                                                              \nfunction @ 0x46A230\n  or:\n    and:\n      api: Process32First @ 0x46A293\n      api: Process32Next @ 0x46A2A1, 0x46A51C\n      optional:\n        basic block:\n          and:\n            api: CreateToolhelp32Snapshot @ 0x46A25E\n            or:\n              number: 0x2 = TH32CS_SNAPPROCESS @ 0x46A253\n\nterminate process\nnamespace  host-interaction/process/terminate                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Process::Terminate Process [C0018]                                   \nfunction @ 0x40193E\n  or:\n    api: exit @ 0x401AE1\n\nquery or enumerate registry value (4 matches)\nnamespace  host-interaction/registry                                            \nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com,       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     
Discovery::Query Registry [T1012]                                    \nmbc        Operating System::Registry::Query Registry Value [C0036.006]         \nfunction @ 0x4667E0\n  and:\n    or:\n      api: RegQueryValueEx @ 0x466832\nfunction @ 0x4781D0\n  and:\n    optional:\n      match: create or open registry key @ 0x478260\n        or:\n          api: RegOpenKeyEx @ 0x478293\n    or:\n      api: RegQueryValueEx @ 0x4782C2\nfunction @ 0x485840\n  and:\n    optional:\n      match: create or open registry key @ 0x485B34\n        or:\n          api: RegOpenKeyEx @ 0x485B67\n    or:\n      api: RegQueryValueEx @ 0x485B99\nfunction @ 0x4890E0\n  and:\n    optional:\n      match: create or open registry key @ 0x489191, 0x4892AF, 0x4893DC, 0x4894F9\n        or:\n          api: RegOpenKeyEx @ 0x4891BE\n        or:\n          api: RegOpenKeyEx @ 0x489409\n        or:\n          api: RegOpenKeyEx @ 0x489526\n        or:\n          api: RegOpenKeyEx @ 0x4892DC\n    or:\n      api: RegQueryValueEx @ 0x4891EA, 0x489326, 0x489435, 0x489552\n\nset registry value\nnamespace  host-interaction/registry/create                        \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com \nscope      function                                                \nmbc        Operating System::Registry::Set Registry Key [C0036.001]\nfunction @ 0x4667E0\n  or:\n    and:\n      or:\n        api: RegSetValueEx @ 0x46680E\n\ncreate thread\nnamespace  host-interaction/thread/create                                       \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           joakim@intezer.com, anushka.virgaonkar@mandiant.com                  \nscope      basic block                                                          \nmbc        Process::Create Thread [C0038]                                       \nbasic block @ 0x41154B in function 0x4114D0\n  or:\n    and:\n      os: windows\n      or:\n        api: _beginthreadex @ 0x411561\n\nlink 
function at runtime on Windows (36 matches)\nnamespace  linking/runtime-linking                        \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com\nscope      instruction                                    \natt&ck     Execution::Shared Modules [T1129]              \ninstruction @ 0x469E68\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x469E68\ninstruction @ 0x469E79\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x469E79\ninstruction @ 0x469E8A\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x469E8A\ninstruction @ 0x469E9B\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x469E9B\ninstruction @ 0x469EAC\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x469EAC\ninstruction @ 0x46A359\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A359\ninstruction @ 0x46A367\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A367\ninstruction @ 0x46A375\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A375\ninstruction @ 0x46A383\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A383\ninstruction @ 0x46A391\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A391\ninstruction @ 0x46A3F1\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A3F1\ninstruction @ 0x46A44C\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A44C\ninstruction @ 0x46A87C\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A87C\ninstruction @ 0x46A88D\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A88D\ninstruction @ 0x46A89E\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A89E\ninstruction @ 0x46A8AF\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A8AF\ninstruction @ 0x46A8C0\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46A8C0\ninstruction @ 0x46AABA\n  and:\n    os: windows\n    or:\n      api: 
GetProcAddress @ 0x46AABA\ninstruction @ 0x46AACC\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46AACC\ninstruction @ 0x46AADF\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46AADF\ninstruction @ 0x46AAF2\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46AAF2\ninstruction @ 0x46AB04\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46AB04\ninstruction @ 0x46AB17\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46AB17\ninstruction @ 0x46AB2A\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46AB2A\ninstruction @ 0x46AB3C\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46AB3C\ninstruction @ 0x46F2F6\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x46F2F6\ninstruction @ 0x47821C\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x47821C\ninstruction @ 0x47A90F\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x47A90F\ninstruction @ 0x47A96F\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x47A96F\ninstruction @ 0x47FBA1\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x47FBA1\ninstruction @ 0x485920\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x485920\ninstruction @ 0x485AF0\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x485AF0\ninstruction @ 0x48914A\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x48914A\ninstruction @ 0x48926F\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x48926F\ninstruction @ 0x489390\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x489390\ninstruction @ 0x4894A6\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x4894A6\n\nlink many functions at runtime (4 matches)\nnamespace  linking/runtime-linking                      \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com\nscope      function                                     \natt&ck     
Execution::Shared Modules [T1129]            \nfunction @ 0x469E40\n  or:\n    count(match(link function at runtime on Windows)): 5 or more @ 0x469E68, 0x469E79, 0x469E8A, 0x469E9B, and 1 more...\nfunction @ 0x46A230\n  or:\n    count(match(link function at runtime on Windows)): 5 or more @ 0x46A359, 0x46A367, 0x46A375, 0x46A383, and 3 more...\nfunction @ 0x46A850\n  or:\n    count(match(link function at runtime on Windows)): 5 or more @ 0x46A87C, 0x46A88D, 0x46A89E, 0x46A8AF, and 1 more...\nfunction @ 0x46AA90\n  or:\n    count(match(link function at runtime on Windows)): 5 or more @ 0x46AABA, 0x46AACC, 0x46AADF, 0x46AAF2, and 4 more...\n\nlinked against sqlite3\nnamespace  linking/static/sqlite3\nauthor     still@teamt5.org      \nscope      file                  \nor:\n  3 or more:\n    string: \"database corruption\" @ file+0x92F44\n    string: \"SQLite format 3\" @ file+0x8C508\n    substring: qualified table names are not allowed on\n      - \"qualified table names are not allowed on INSERT, UPDATE, and DELETE statements \nwithin triggers\" @ file+0x92C10\n\nenumerate PE sections (3 matches)\nnamespace   load-code/pe                                                        \nauthor      @Ana06, @mr-tz                                                      \nscope       function                                                            \nmbc         Discovery::Code Discovery::Enumerate PE Sections [B0046.001]        \nreferences  https://0x00sec.org/t/reflective-dll-injection/3080,                \n            https://www.ired.team/offensive-security/code-injection-process-inj…\nfunction @ 0x42DF60\n  and:\n    os: windows\n    instruction:\n      and:\n        operand[1].offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections @ 0x42E185\n        or:\n          mnemonic: movzx @ 0x42E185\n    basic block:\n      or:\n        and: = IMAGE_FIRST_SECTION(nt_header)\n          instruction:\n            and:\n              operand[1].offset: 0x14 = 
IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader @ 0x42E0BA\n              or:\n                mnemonic: mov @ 0x42E0BA\n          operand[1].offset: 0x18 = FileHeader.SizeOfOptionalHeader @ 0x42E0AA\n    count(basic block): 3 or more @ 0x42DF60, 0x42DFA7, 0x42DFB8, 0x42DFC4, and 51 more...\n    not:\n      characteristic: nzxor\n    2 or more:\n      operand[1].offset: 0xC = IMAGE_SECTION_HEADER.VirtualAddress @ 0x42DFD3, 0x42DFDA, 0x42E02A, 0x42E054, and 3 more...\n      operand[1].offset: 0x14 = IMAGE_SECTION_HEADER.PointerToRawData @ 0x42DFAE, 0x42E0BA, 0x42E0F2, 0x42E104, and 6 more...\n      operand[1].offset: 0x10 = IMAGE_SECTION_HEADER.SizeOfRawData @ 0x42DFAA, 0x42DFC7, 0x42E050, 0x42E072, and 6 more...\nfunction @ 0x4484F0\n  and:\n    os: windows\n    instruction:\n      and:\n        operand[1].offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections @ 0x448507\n        or:\n          mnemonic: movzx @ 0x448507\n    basic block:\n      or:\n        and: = IMAGE_FIRST_SECTION(nt_header)\n          instruction:\n            and:\n              operand[1].offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader @ 0x448520\n              or:\n                mnemonic: mov @ 0x448520\n          operand[1].offset: 0x18 = FileHeader.SizeOfOptionalHeader @ 0x448523\n    count(basic block): 3 or more @ 0x4484F0, 0x44851D, 0x44853B, 0x448548, and 33 more...\n    not:\n      characteristic: nzxor\n    2 or more:\n      operand[1].offset: 0xC = IMAGE_SECTION_HEADER.VirtualAddress @ 0x448561, 0x4485E6\n      operand[1].offset: 0x14 = IMAGE_SECTION_HEADER.PointerToRawData @ 0x448520, 0x44869D, 0x448727\n      operand[1].offset: 0x10 = IMAGE_SECTION_HEADER.SizeOfRawData @ 0x448526, 0x448603, 0x44861C, 0x44867A, and 2 more...\nfunction @ 0x449830\n  and:\n    os: windows\n    instruction:\n      and:\n        operand[1].offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections @ 0x449C03\n        or:\n          mnemonic: mov @ 0x449C03\n      and:\n        
operand[1].offset: 0x6 = IMAGE_NT_HEADERS.FileHeader.NumberOfSections @ 0x449B3C\n        or:\n          mnemonic: mov @ 0x449B3C\n    basic block:\n      or:\n        and: = IMAGE_FIRST_SECTION(nt_header)\n          instruction:\n            and:\n              operand[1].offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader @ 0x44AE04\n              or:\n                mnemonic: mov @ 0x44AE04\n          operand[1].offset: 0x18 = FileHeader.SizeOfOptionalHeader @ 0x44AE00\n      or:\n        and: = IMAGE_FIRST_SECTION(nt_header)\n          instruction:\n            and:\n              operand[1].offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader @ 0x44ADC0\n              or:\n                mnemonic: mov @ 0x44ADC0\n          operand[1].offset: 0x18 = FileHeader.SizeOfOptionalHeader @ 0x44ADCB\n      or:\n        and: = IMAGE_FIRST_SECTION(nt_header)\n          instruction:\n            and:\n              operand[1].offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader @ 0x44ACC8\n              or:\n                mnemonic: mov @ 0x44ACC8\n          operand[1].offset: 0x18 = FileHeader.SizeOfOptionalHeader @ 0x44ACCF\n      or:\n        and: = IMAGE_FIRST_SECTION(nt_header)\n          instruction:\n            and:\n              operand[1].offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader @ 0x44AB4D\n              or:\n                mnemonic: add @ 0x44AB4D\n          operand[1].offset: 0x18 = FileHeader.SizeOfOptionalHeader @ 0x44AB42\n      or:\n        and: = IMAGE_FIRST_SECTION(nt_header)\n          instruction:\n            and:\n              operand[1].offset: 0x14 = IMAGE_NT_HEADERS.FileHeader.SizeOfOptionalHeader @ 0x44AC36\n              or:\n                mnemonic: mov @ 0x44AC36\n          operand[1].offset: 0x18 = FileHeader.SizeOfOptionalHeader @ 0x44AC44\n    count(basic block): 3 or more @ 0x449830, 0x44985C, 0x449866, 0x449870, and 375 more...\n    optional:\n      offset: 0x3C = 
IMAGE_DOS_HEADER.e_lfanew @ 0x449B38, 0x449BFC, 0x44A382, 0x44A3A9, and 9 more...\n    not:\n      characteristic: nzxor\n    2 or more:\n      operand[1].offset: 0xC = IMAGE_SECTION_HEADER.VirtualAddress @ 0x449C15, 0x44A06D, 0x44A2A9, 0x44A36D, and 41 more...\n      operand[1].offset: 0x14 = IMAGE_SECTION_HEADER.PointerToRawData @ 0x449A2F, 0x44A21A, 0x44A862, 0x44A8B5, and 19 more...\n      operand[1].offset: 0x10 = IMAGE_SECTION_HEADER.SizeOfRawData @ 0x449949, 0x44995B, 0x449B40, 0x449C00, and 13 more...\n\nparse PE header\nnamespace  load-code/pe                     \nauthor     moritz.raabe@mandiant.com        \nscope      function                         \natt&ck     Execution::Shared Modules [T1129]\nfunction @ 0x40193E\n  and:\n    os: windows\n    and:\n      mnemonic: cmp @ 0x401953, 0x40195F, 0x40196B, 0x401972, and 14 more...\n      or:\n        number: 0x4550 = IMAGE_NT_SIGNATURE (PE) @ 0x40195F\n      or:\n        number: 0x5A4D = IMAGE_DOS_SIGNATURE (MZ) @ 0x401953\n\nresolve function by parsing PE exports (28 matches)\nnamespace  load-code/pe\nauthor     sara-rn     \nscope      function    \nfunction @ 0x4274A0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x4274A0\n      mnemonic: movzx @ 0x42762D, 0x427630, 0x427639, 0x42763C, and 28 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4274C9, 0x427C07, 0x427C15, 0x427C35\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x427860, 0x427895, 0x4278C2\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x4274F5, 0x427576, 0x4276A8, 0x4277A0, and 8 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4274D5, 0x427529, 0x42760B, 0x42772E, and 3 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x4274C1, 0x4275D2, 0x4275DE, 0x427684, and 10 more...\n        offset: 0x18 = 
IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x4274CD, 0x4275DA, 0x4275E5, 0x427699, and 8 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4274DD, 0x4274E9, 0x42756C, 0x4275C1, and 12 more...\nfunction @ 0x42D080\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x42D080\n      mnemonic: movzx @ 0x42D091\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x42D2BE, 0x42D380\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x42D0AC\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x42D146, 0x42D195, 0x42D1BB, 0x42D217, and 5 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x42D0E0, 0x42D19D, 0x42D1F9, 0x42D234, and 3 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x42D0A3, 0x42D13E, 0x42D1B3, 0x42D230, and 4 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x42D166, 0x42D1E6, 0x42D2E9, 0x42D2F6, and 3 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x42D0D6, 0x42D0EB, 0x42D1B7, 0x42D21A, and 6 more...\nfunction @ 0x43A8C0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x43A8C0\n      mnemonic: movzx @ 0x43A8D6, 0x43A908, 0x43A98E, 0x43A9F3, and 10 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x43A960, 0x43A996, 0x43AE28, 0x43AFB5\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x43A8F5, 0x43AFE1\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x43AD03\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x43A9E6, 0x43AA12, 0x43AB45, 0x43AB55, and 9 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x43AA82, 0x43AADD, 0x43AB87, 0x43AC65, and 2 more...\n        offset: 0x18 = 
IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x43A8ED, 0x43A980, 0x43A9C9, 0x43AA34, and 12 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x43A8F1, 0x43A970, 0x43AA3C, 0x43AA69, and 9 more...\nfunction @ 0x43B060\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x43B060\n      mnemonic: movzx @ 0x43B07D, 0x43B152, 0x43B180, 0x43B320, and 10 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x43B3ED\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x43B101, 0x43B13C\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x43B1DD, 0x43B1EB, 0x43B27D, 0x43B2B3, and 10 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x43B0A8, 0x43B140, 0x43B201, 0x43B281, and 8 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x43B0AC, 0x43B1FE, 0x43B20E, 0x43B242, and 6 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x43B0BA, 0x43B14E, 0x43B1A3, 0x43B233, and 6 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x43B0B0, 0x43B144, 0x43B187, 0x43B24B, and 4 more...\nfunction @ 0x43C8A0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x43C8A0\n      mnemonic: movzx @ 0x43C8AB, 0x43CA7B, 0x43CA85, 0x43CA88, and 38 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x43C8EF, 0x43CD33, 0x43CD9B\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x43CA00, 0x43CF2F, 0x43CF33, 0x43CF68, and 2 more...\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x43C955, 0x43CA7E, 0x43CAAB, 0x43CAC1, and 14 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x43C8D0, 0x43CA60, 0x43CE92, 0x43CF29, and 4 more...\n        offset: 0x20 = 
IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x43C941, 0x43C97A, 0x43CCF5, 0x43CD22, and 10 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x43C958, 0x43C972, 0x43C9F7, 0x43CA13, and 13 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x43C95B, 0x43C9E2, 0x43CCFB, 0x43CD25, and 5 more...\nfunction @ 0x43D170\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x43D170\n      mnemonic: movzx @ 0x43D1B7, 0x43D374, 0x43D3AF, 0x43D3C8, and 23 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x43D23E\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x43D383, 0x43D51F\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x43D186, 0x43D226, 0x43D259, 0x43D41D, and 2 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x43D3EC, 0x43D54A, 0x43D562, 0x43D59B\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x43D3F0, 0x43D55D, 0x43D5B0\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x43D1D8, 0x43D587, 0x43D5AA, 0x43D603, and 1 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x43D1A2, 0x43D1FA, 0x43D402, 0x43D540, and 1 more...\nfunction @ 0x43E5D0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x43E5D0\n      mnemonic: movzx @ 0x43DC1D, 0x43DC29\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x43DAB3, 0x43DC3F, 0x43DCB2, 0x43DCCA, and 6 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x43DD41\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x43DA11, 0x43DA5E, 0x43DA70, 0x43DC16, and 5 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x43D9ED, 0x43DB7A, 0x43DC89, 0x43DC90\n        offset: 0x20 = 
IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x43D91B, 0x43D94D, 0x43DA5A, 0x43DB8A, and 1 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x43D8F1, 0x43D905, 0x43D99D, 0x43D9F2, and 8 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x43D923, 0x43DB20, 0x43DB30, 0x43DBD8, and 1 more...\nfunction @ 0x445080\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x445080\n      mnemonic: movzx @ 0x4450B0, 0x4452C2, 0x445492, 0x4456F3, and 32 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x445458, 0x44564B, 0x4457EF, 0x445802, and 13 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x4450A2, 0x445917, 0x4459E6, 0x445A15, and 4 more...\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x445FF8, 0x44613C, 0x446179, 0x4462B8, and 1 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x44513D, 0x44519D, 0x4451FD, 0x445231, and 33 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x4450D8, 0x445199, 0x445204, 0x44532D, and 13 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x445175, 0x4451DB, 0x445228, 0x445259, and 24 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4450DC, 0x445262, 0x445357, 0x445381, and 23 more...\nfunction @ 0x4471E0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x4471E0\n      mnemonic: movzx @ 0x447235, 0x447239, 0x447288, 0x4472A4, and 56 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4473D1, 0x447505, 0x447D04\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x44831D\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x4472A7, 0x44737B, 0x447400, 0x44742E, and 30 more...\n        
offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x447202, 0x44744E, 0x447654, 0x447679, and 26 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x4472C2, 0x447395, 0x4473B3, 0x4473BE, and 27 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x44754F, 0x4475A5, 0x447618, 0x4477DC, and 24 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4471FA, 0x447391, 0x4473A5, 0x44746B, and 19 more...\nfunction @ 0x448790\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x448790\n      mnemonic: movzx @ 0x448858, 0x44888C, 0x44888F, 0x4488FE, and 10 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4487BF, 0x4487DE, 0x4488A3, 0x4488D0\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x448854\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x4487BA, 0x448809, 0x448813, 0x448865, and 4 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x4488C3, 0x4488D6\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x44884A, 0x44899F, 0x4489D1, 0x448A42, and 1 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x44885F, 0x4488E7, 0x448931, 0x448937, and 2 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x44886A, 0x448AA4\nfunction @ 0x449830\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x449830\n      mnemonic: movzx @ 0x449F14, 0x449F42, 0x44A63E, 0x44A78F, and 16 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x449B38, 0x449BFC, 0x44A382, 0x44A3A9, and 9 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x449F23, 0x44B525\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x449A2F, 0x44A21A, 
0x44A234, 0x44A450, and 22 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x449866, 0x4498F1, 0x449A84, 0x449C8A, and 3 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x449A90, 0x449B58, 0x449B88, 0x449C83, and 18 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x449A3E, 0x449AF9, 0x449BA6, 0x449FF4, and 25 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4498EB, 0x44993F, 0x449999, 0x449A4F, and 28 more...\nfunction @ 0x44FAD0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x44FAD0\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x44FB21, 0x44FB82\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x44FB97\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x44FB9A, 0x44FBD2, 0x44FC68\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x44FBF8\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x44FAF5, 0x44FBAD, 0x44FC77\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x44FAE3, 0x44FB4A, 0x44FC81\nfunction @ 0x451A00\n  and:\n    os: windows\n    or:\n      mnemonic: movzx @ 0x451A07\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x451A16\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x451A12\n      3 or more:\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x451A07\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x451A1A\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x451A42\nfunction @ 0x451C10\n  and:\n    os: windows\n    or:\n      mnemonic: movzx @ 0x451C2D, 0x451C57, 0x451C5B, 0x451C74, and 8 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x451C51, 0x451EBD\n      or:\n  
      and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x451C28, 0x451D5F, 0x451E56\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x451C57, 0x451D17, 0x451D89, 0x451DC7, and 2 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x451C49, 0x451C78, 0x451C94, 0x451D43, and 3 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x451C32, 0x451CB9, 0x451D36, 0x451D63, and 1 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x451CB3, 0x451CF8, 0x451D25, 0x451D2D, and 3 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x451C3F, 0x451D32, 0x451E85\nfunction @ 0x452260\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x452260\n      mnemonic: movzx @ 0x452299, 0x4522AE, 0x452321, 0x45264B, and 4 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x45231E, 0x4525E0, 0x4525E6, 0x452BBF, and 3 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x452C93, 0x452E05\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x452285, 0x4524E4, 0x452503, 0x45254F, and 20 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x452279, 0x4523A4, 0x4523C7, 0x4524EC, and 4 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x452311, 0x452329, 0x45243D, 0x45245D, and 9 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x45227D, 0x452526, 0x45254B, 0x452579, and 16 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4522C6, 0x452303, 0x4524D2, 0x4525AC, and 22 more...\nfunction @ 0x453200\n  and:\n    os: windows\n    or:\n      mnemonic: movzx @ 0x453232, 0x45327D, 0x4532A6, 0x4532C5\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 
0x45322F, 0x4532EA\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x45322B\n      3 or more:\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x453232, 0x453246, 0x45326F\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x453216, 0x453222, 0x45324A, 0x453306\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x453219, 0x453251, 0x45325B, 0x453273\nfunction @ 0x453BB0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x453BB0\n      mnemonic: movzx @ 0x453DA6, 0x453DB6, 0x453EB2, 0x453F54, and 2 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x45499B, 0x4549B8, 0x4549D4, 0x454A04, and 1 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x453CC1\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x453C88, 0x453CAA, 0x453DC4, 0x453E30, and 41 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x453D2D, 0x453EF6, 0x454331, 0x45461B, and 11 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x453DDA, 0x453FE0, 0x454111, 0x4543A0, and 8 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x453C1D, 0x453C96, 0x453DCA, 0x453E29, and 23 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x453C02, 0x453E9D, 0x453EC5, 0x454030, and 13 more...\nfunction @ 0x456FA0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x456FA0\n      mnemonic: movzx @ 0x457258, 0x45725B, 0x457262, 0x457265, and 14 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x457226, 0x4572A6, 0x457382, 0x4573D9, and 10 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x457132, 0x457140, 
0x45747F, 0x4576DE, and 8 more...\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x4570E1, 0x457222, 0x45729C, 0x4572AA, and 24 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x456FB4, 0x45741F, 0x45749F, 0x4574AC, and 10 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x45709F, 0x4570B0, 0x4570CC, 0x4572BA, and 21 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x457360, 0x4573D0, 0x457627, 0x457643, and 8 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4571CB, 0x4572F6, 0x45735C, 0x45736A, and 15 more...\nfunction @ 0x458770\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x458770\n      mnemonic: movzx @ 0x458CD7, 0x459452\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4587A2, 0x458817, 0x458B44, 0x458BBB, and 7 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x4587C0, 0x458E1A, 0x459499, 0x45964B, and 1 more...\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x4588F4, 0x458906, 0x458FD0, 0x459626, and 1 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x45878B, 0x4589A5, 0x4589B6, 0x458A7A, and 12 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x4587C8, 0x45884A, 0x4589EE, 0x458AD7, and 9 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x458968, 0x458990, 0x4589D6, 0x458A0B, and 24 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x45903B, 0x459044\nfunction @ 0x45A790\n  and:\n    os: windows\n    or:\n      mnemonic: movzx @ 0x45A9EF, 0x45AA35, 0x45AAB6, 0x45AB73\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x45A7D1, 0x45AC32, 0x45AC75, 0x45ACDA, and 4 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 
= offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x45A947, 0x45AC0A, 0x45AF64\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x45A7F5, 0x45A8D6, 0x45A9D8, 0x45AAAC, and 9 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x45A7A6, 0x45A8BF, 0x45AA7E, 0x45AC1A, and 4 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x45AAE4, 0x45AB04, 0x45AB86, 0x45AC52, and 7 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x45A7D5, 0x45A829, 0x45A89B, 0x45A999, and 10 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x45AA57, 0x45AB36, 0x45AB5D, 0x45AC6D, and 3 more...\nfunction @ 0x45B320\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x45B320\n      mnemonic: movzx @ 0x45B3D2, 0x45BD67, 0x45C4BB, 0x45C617, and 11 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x45B4B2, 0x45B5FD, 0x45B761, 0x45BC89, and 13 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x45BC1F, 0x45C7DE\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x45B34A, 0x45B3C6, 0x45B475, 0x45B53D, and 50 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x45B4B6, 0x45B66C, 0x45B6D3, 0x45D205\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x45B59A, 0x45B5A7, 0x45BBCF, 0x45C4C2, and 5 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x45B465, 0x45B533, 0x45B541, 0x45B555, and 31 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x45B4CA, 0x45B4E6, 0x45B6E4, 0x45BC85, and 8 more...\nfunction @ 0x45EE50\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x45EE50\n      mnemonic: movzx @ 0x45EEE1, 0x45F172, 0x45F1D0, 0x45F3FF, and 49 more...\n    and:\n      offset: 0x3C = 
IMAGE_DOS_HEADER.PE.e_lfanew @ 0x45EEB4, 0x462368, 0x462971, 0x462A40, and 1 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x4602C1, 0x460306, 0x4603D5, 0x4603D9\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x45EE69, 0x45EE8D, 0x45EF59, 0x45EF8E, and 254 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x45EE7E, 0x45EECE, 0x45F08B, 0x45F2C8, and 74 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x45EE6D, 0x45F088, 0x45F1D3, 0x45F1FA, and 82 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x45EEFD, 0x45EF32, 0x45EF67, 0x45EF99, and 95 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x45F858, 0x45F86D, 0x45F8C7, 0x45F8EC, and 83 more...\nfunction @ 0x4693D0\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x4693D0\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4693EE, 0x4695A4, 0x4696A9, 0x4696BB, and 1 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x46947A\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x469685, 0x469722, 0x469728, 0x469733, and 5 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x469425, 0x4696D6, 0x469792, 0x469A68\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x469549, 0x469689, 0x46972C, 0x469741, and 3 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x46962E, 0x4697E7, 0x469830, 0x46990F, and 3 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x46965E, 0x469704, 0x4697D1, 0x4698B0, and 1 more...\nfunction @ 0x46B010\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x46B010\n      mnemonic: movzx @ 0x46B19D, 0x46B277, 0x46B34A, 
0x46B42B, and 1 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x46B095, 0x46B09E, 0x46B13E\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x46B184, 0x46B5D7\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x46B35B, 0x46B36E, 0x46B3A2, 0x46B3AC, and 1 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x46B1B0, 0x46B1C3, 0x46B1F7, 0x46B201\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x46B1AC, 0x46B1BF, 0x46B1F3, 0x46B1FD, and 1 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x46B519, 0x46B52C, 0x46B560, 0x46B56A, and 2 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x46B51D, 0x46B530, 0x46B564, 0x46B56E\nfunction @ 0x46DA50\n  and:\n    os: windows\n    or:\n      mnemonic: movzx @ 0x46DB56\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x46DB12, 0x46DB4C\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x46DB01, 0x46DB50\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x46DA74\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x46DAF9, 0x46DB06\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x46DAFD\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x46DA88\nfunction @ 0x481F50\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x481F50\n      mnemonic: movzx @ 0x481F90, 0x481FDD, 0x481FEF, 0x48225C, and 7 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x482446, 0x482457\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x4821F6\n      3 or more:\n        offset: 0x14 = 
IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x482269, 0x482278, 0x4822A8, 0x4822B0, and 20 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x482290, 0x4822A1\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x482285\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x482148, 0x482170, 0x482194, 0x482341, and 4 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x482345, 0x482358, 0x48238C, 0x482396, and 1 more...\nfunction @ 0x482C10\n  and:\n    os: windows\n    or:\n      mnemonic: movzx @ 0x482C79, 0x482C7E, 0x482C83, 0x482C93, and 2 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x482CBB\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x482D26, 0x482D32\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x482D7C, 0x482D8F, 0x482DAE\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x482D01, 0x482D16, 0x482D2B, 0x482DB3, and 3 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x482C1C\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x482D6B, 0x482D77, 0x482DBF, 0x482DE8, and 3 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x482DF8, 0x482E13\nfunction @ 0x484310\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x484310\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x484ECF, 0x484EDB, 0x484F2A, 0x484FDA, and 6 more...\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x484BB7, 0x484BD2\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x485050, 0x48513D, 0x485146, 0x4853F1, and 2 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x484D56, 0x484F1E, 0x484F6B, 0x4852BF, and 3 
more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x4843CF, 0x484633, 0x484F1A, 0x4852BB, and 1 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x4843BE, 0x484A73, 0x484F05, 0x4852A6\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x4845E3, 0x484B2B, 0x484B72, 0x484D09, and 2 more...\n\npersist via Run registry key (3 matches)\nnamespace  persistence/registry/run                                             \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com                      \nscope      function                                                             \natt&ck     Persistence::Boot or Logon Autostart Execution::Registry Run Keys /  \n           Startup Folder [T1547.001]                                           \nmbc        Persistence::Registry Run Keys / Startup Folder [F0012]              \nfunction @ 0x4781D0\n  and:\n    or:\n      number: 0x80000001 = HKEY_CURRENT_USER @ 0x47828E\n    or:\n      regex: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders/i\n        - \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\" @ 0x478289\nfunction @ 0x485840\n  and:\n    or:\n      number: 0x80000001 = HKEY_CURRENT_USER @ 0x485B62\n    or:\n      regex: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders/i\n        - \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\" @ 0x485B5D\nfunction @ 0x4890E0\n  and:\n    or:\n      number: 0x80000001 = HKEY_CURRENT_USER @ 0x4891B9, 0x4892D7, 0x489404, 0x489521\n    or:\n      regex: /Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders/i\n        - \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\" @ 0x4891B4, 0x4892D2, 0x4893FF, 
0x48951C\n\n\n\n"},"hashes":{"md5":"0f5aba101aa4d94be74690aa60bf7840","sha1":"40557e751e76b1f9608c2d0c12ce0cccd2588e11","sha256":"a14055e8b09fd980e82a3eb551fe7ca60018b5486d46e462fda29ee88f252ca0"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 
1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s 
infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    
<span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 1623</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 118065</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"Browsin\\u2026\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"0f5aba101aa4d94be74690aa60bf7840\",\n        \"sha256\": \"a14055e8b09fd980e82a3eb551fe7ca60018b5486d46e462fda29ee\",\n        \"arch\": \"i386\",\n        \"os\": \"windows\",\n        \"format\": \"pe\"\n      }\n    },\n    {\n      \"id\": \"cap_library_rule_\",\n      \"label\": \"library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Modulo [C0058]\"\n      ]\n    },\n    {\n      \"id\": \"cap_contain_loop__747_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"contain loop (747 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x4014A0\",\n      \"label\": \"Function 0x4014A0\",\n      \"type\": \"function\",\n      \"address\": \"0x4014A0\"\n    },\n    
{\n      \"id\": \"cap_create_or_open_file__12_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"create or open file (12 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create File [C0016]\"\n      ]\n    },\n    {\n      \"id\": \"api_CreateFile\",\n      \"label\": \"CreateFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_rule_\",\n      \"label\": \"rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Create Registry Key [C0036.004]\",\n        \"Operating\",\n        \"System::Registry::Open Registry Key [C0036.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x478260\",\n      \"label\": \"Block 0x478260\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x478260\"\n    },\n    {\n      \"id\": \"api_RegOpenKeyEx\",\n      \"label\": \"RegOpenKeyEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_get_os_version__5_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"get OS version (5 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x46A5E0\",\n      \"label\": \"Function 0x46A5E0\",\n      \"type\": \"function\",\n      \"address\": \"0x46A5E0\"\n    },\n    {\n      \"id\": \"api_GetVersionEx\",\n      \"label\": \"GetVersionEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_open_process__4_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"open process (4 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      
\"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Open Process [C0065]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x46A2B0\",\n      \"label\": \"Block 0x46A2B0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46A2B0\"\n    },\n    {\n      \"id\": \"api_OpenProcess\",\n      \"label\": \"OpenProcess\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_check_for_time_delay_via_gettickcount\",\n      \"label\": \"check for time delay via GetTickCount\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check\",\n        \"GetTickCount [B0001.032]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4750E0\",\n      \"label\": \"Function 0x4750E0\",\n      \"type\": \"function\",\n      \"address\": \"0x4750E0\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check\",\n        \"GetTickCount [B0001.032]\"\n      ]\n    },\n    {\n      \"id\": \"cap_parse_credit_card_information\",\n      \"label\": \"parse credit card information\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Check String [C0019]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x439DD0\",\n      \"label\": \"Function 0x439DD0\",\n      \"type\": \"function\",\n      \"address\": \"0x439DD0\"\n    },\n    {\n      \"id\": \"cap_author_______re_fox\",\n      \"label\": \"author     @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Data::Check 
String [C0019]\"\n      ]\n    },\n    {\n      \"id\": \"cap_reference_sql_statements__2_matches_\",\n      \"label\": \"reference SQL statements (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Data from Information Repositories [T1213]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x45E8B0\",\n      \"label\": \"Function 0x45E8B0\",\n      \"type\": \"function\",\n      \"address\": \"0x45E8B0\"\n    },\n    {\n      \"id\": \"func_0x45EE50\",\n      \"label\": \"Function 0x45EE50\",\n      \"type\": \"function\",\n      \"address\": \"0x45EE50\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Data from Information Repositories [T1213]\"\n      ]\n    },\n    {\n      \"id\": \"cap_log_keystrokes_via_polling__2_matches_\",\n      \"label\": \"log keystrokes via polling (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Keylogging::Polling [F0002.002]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46F590\",\n      \"label\": \"Function 0x46F590\",\n      \"type\": \"function\",\n      \"address\": \"0x46F590\"\n    },\n    {\n      \"id\": \"func_0x4741C0\",\n      \"label\": \"Function 0x4741C0\",\n      \"type\": \"function\",\n      \"address\": \"0x4741C0\"\n    },\n    {\n      \"id\": \"api_GetKeyState\",\n      \"label\": \"GetKeyState\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_encrypt_data_using_speck\",\n      \"label\": \"encrypt data using speck\",\n      \"type\": \"capability\",\n      \"severity\": \"high\",\n      \"category\": \"\",\n      \"mitre\": [\n        
\"Defense Evasion::Obfuscated Files or\",\n        \"Information::Encryption-Standard Algorithm [E1027.m05]\"\n      ]\n    },\n    {\n      \"id\": \"cap_author______still_teamt5_org\",\n      \"label\": \"author      still@teamt5.org\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Obfuscated Files or\",\n        \"Information::Encryption-Standard Algorithm [E1027.m05]\"\n      ]\n    },\n    {\n      \"id\": \"cap_extract_resource_via_kernel32_functions\",\n      \"label\": \"extract resource via kernel32 functions\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x465A20\",\n      \"label\": \"Function 0x465A20\",\n      \"type\": \"function\",\n      \"address\": \"0x465A20\"\n    },\n    {\n      \"id\": \"api_LockResource\",\n      \"label\": \"LockResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SizeofResource\",\n      \"label\": \"SizeofResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LoadResource\",\n      \"label\": \"LoadResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindResource\",\n      \"label\": \"FindResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_open_clipboard__3_matches_\",\n      \"label\": \"open clipboard (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x476940\",\n      \"label\": \"Function 0x476940\",\n      \"type\": \"function\",\n      \"address\": \"0x476940\"\n    },\n    {\n      \"id\": \"func_0x46ECC0\",\n      \"label\": \"Function 0x46ECC0\",\n      \"type\": 
\"function\",\n      \"address\": \"0x46ECC0\"\n    },\n    {\n      \"id\": \"func_0x46E560\",\n      \"label\": \"Function 0x46E560\",\n      \"type\": \"function\",\n      \"address\": \"0x46E560\"\n    },\n    {\n      \"id\": \"api_CloseClipboard\",\n      \"label\": \"CloseClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_OpenClipboard\",\n      \"label\": \"OpenClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_write_clipboard_data__3_matches_\",\n      \"label\": \"write clipboard data (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::Clipboard Modification [E1510]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x47B5A0\",\n      \"label\": \"Function 0x47B5A0\",\n      \"type\": \"function\",\n      \"address\": \"0x47B5A0\"\n    },\n    {\n      \"id\": \"func_0x47A390\",\n      \"label\": \"Function 0x47A390\",\n      \"type\": \"function\",\n      \"address\": \"0x47A390\"\n    },\n    {\n      \"id\": \"api_EmptyClipboard\",\n      \"label\": \"EmptyClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SetClipboardData\",\n      \"label\": \"SetClipboardData\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::Clipboard Modification [E1510]\"\n      ]\n    },\n    {\n      \"id\": \"cap_query_environment_variable__2_matches_\",\n      \"label\": \"query environment variable (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      
\"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46E0B0\",\n      \"label\": \"Function 0x46E0B0\",\n      \"type\": \"function\",\n      \"address\": \"0x46E0B0\"\n    },\n    {\n      \"id\": \"func_0x482B00\",\n      \"label\": \"Function 0x482B00\",\n      \"type\": \"function\",\n      \"address\": \"0x482B00\"\n    },\n    {\n      \"id\": \"api_ExpandEnvironmentStrings\",\n      \"label\": \"ExpandEnvironmentStrings\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, @_re_fox\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_common_file_path__9_matches_\",\n      \"label\": \"get common file path (9 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x471C90\",\n      \"label\": \"Function 0x471C90\",\n      \"type\": \"function\",\n      \"address\": \"0x471C90\"\n    },\n    {\n      \"id\": \"func_0x46B6F0\",\n      \"label\": \"Function 0x46B6F0\",\n      \"type\": \"function\",\n      \"address\": \"0x46B6F0\"\n    },\n    {\n      \"id\": \"func_0x46ED80\",\n      \"label\": \"Function 0x46ED80\",\n      \"type\": \"function\",\n      \"address\": \"0x46ED80\"\n    },\n    {\n      \"id\": \"func_0x47A0E0\",\n      \"label\": \"Function 0x47A0E0\",\n      \"type\": \"function\",\n      \"address\": \"0x47A0E0\"\n    },\n    {\n      \"id\": \"func_0x481F50\",\n      \"label\": \"Function 0x481F50\",\n      \"type\": \"function\",\n      \"address\": 
\"0x481F50\"\n    },\n    {\n      \"id\": \"func_0x479DC0\",\n      \"label\": \"Function 0x479DC0\",\n      \"type\": \"function\",\n      \"address\": \"0x479DC0\"\n    },\n    {\n      \"id\": \"func_0x479D70\",\n      \"label\": \"Function 0x479D70\",\n      \"type\": \"function\",\n      \"address\": \"0x479D70\"\n    },\n    {\n      \"id\": \"api_GetCurrentDirectory\",\n      \"label\": \"GetCurrentDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetTempFileName\",\n      \"label\": \"GetTempFileName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetTempPath\",\n      \"label\": \"GetTempPath\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetWindowsDirectory\",\n      \"label\": \"GetWindowsDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetSystemDirectory\",\n      \"label\": \"GetSystemDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_system_object_information\",\n      \"label\": \"get file system object information\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [T1083]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x471CBE\",\n      \"label\": \"Block 0x471CBE\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x471CBE\"\n    },\n    {\n      \"id\": \"api_SHGetFileInfo\",\n      \"label\": \"SHGetFileInfo\",\n      \"type\": \"api\",\n      \"category\": 
\"other\"\n    },\n    {\n      \"id\": \"cap_copy_file__2_matches_\",\n      \"label\": \"copy file (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Copy File [C0045]\"\n      ]\n    },\n    {\n      \"id\": \"api_CopyFile\",\n      \"label\": \"CopyFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Copy File [C0045]\"\n      ]\n    },\n    {\n      \"id\": \"cap_delete_file__5_matches_\",\n      \"label\": \"delete file (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46EA60\",\n      \"label\": \"Function 0x46EA60\",\n      \"type\": \"function\",\n      \"address\": \"0x46EA60\"\n    },\n    {\n      \"id\": \"func_0x477A20\",\n      \"label\": \"Function 0x477A20\",\n      \"type\": \"function\",\n      \"address\": \"0x477A20\"\n    },\n    {\n      \"id\": \"api_DeleteFile\",\n      \"label\": \"DeleteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_check_if_file_exists__7_matches_\",\n      \"label\": \"check if file exists (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4841A0\",\n      \"label\": \"Function 0x4841A0\",\n      \"type\": \"function\",\n      \"address\": \"0x4841A0\"\n    },\n    {\n      \"id\": 
\"func_0x46BA40\",\n      \"label\": \"Function 0x46BA40\",\n      \"type\": \"function\",\n      \"address\": \"0x46BA40\"\n    },\n    {\n      \"id\": \"func_0x4890E0\",\n      \"label\": \"Function 0x4890E0\",\n      \"type\": \"function\",\n      \"address\": \"0x4890E0\"\n    },\n    {\n      \"id\": \"func_0x475A80\",\n      \"label\": \"Function 0x475A80\",\n      \"type\": \"function\",\n      \"address\": \"0x475A80\"\n    },\n    {\n      \"id\": \"func_0x479FC0\",\n      \"label\": \"Function 0x479FC0\",\n      \"type\": \"function\",\n      \"address\": \"0x479FC0\"\n    },\n    {\n      \"id\": \"func_0x47E0B0\",\n      \"label\": \"Function 0x47E0B0\",\n      \"type\": \"function\",\n      \"address\": \"0x47E0B0\"\n    },\n    {\n      \"id\": \"func_0x484310\",\n      \"label\": \"Function 0x484310\",\n      \"type\": \"function\",\n      \"address\": \"0x484310\"\n    },\n    {\n      \"id\": \"api_GetFileAttributes\",\n      \"label\": \"GetFileAttributes\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_enumerate_files_on_windows\",\n      \"label\": \"enumerate files on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x478A40\",\n      \"label\": \"Function 0x478A40\",\n      \"type\": \"function\",\n      \"address\": \"0x478A40\"\n    },\n    {\n      \"id\": \"api_FindClose\",\n      \"label\": \"FindClose\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindNextFile\",\n      \"label\": \"FindNextFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindFirstFile\",\n      \"label\": \"FindFirstFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_attributes__23_matches_\",\n      \"label\": \"get file attributes (23 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4846E4\",\n      \"label\": \"Block 0x4846E4\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4846E4\"\n    },\n    {\n      \"id\": \"bb_0x4845A4\",\n      \"label\": \"Block 0x4845A4\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4845A4\"\n    },\n    {\n      \"id\": \"bb_0x4844C8\",\n      \"label\": \"Block 0x4844C8\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4844C8\"\n    },\n    {\n      \"id\": \"bb_0x4855FA\",\n      \"label\": \"Block 0x4855FA\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4855FA\"\n    },\n    {\n      \"id\": \"bb_0x489776\",\n      \"label\": \"Block 0x489776\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x489776\"\n    },\n    {\n      \"id\": \"bb_0x485092\",\n      \"label\": \"Block 0x485092\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x485092\"\n    },\n    {\n      \"id\": \"bb_0x484407\",\n      \"label\": \"Block 0x484407\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x484407\"\n    },\n    {\n      \"id\": \"bb_0x4896E2\",\n      \"label\": \"Block 0x4896E2\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4896E2\"\n    },\n    {\n      \"id\": \"bb_0x484618\",\n      \"label\": \"Block 0x484618\",\n      \"type\": \"basic_block\",\n      
\"address\": \"0x484618\"\n    },\n    {\n      \"id\": \"bb_0x46F114\",\n      \"label\": \"Block 0x46F114\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46F114\"\n    },\n    {\n      \"id\": \"bb_0x479FC0\",\n      \"label\": \"Block 0x479FC0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x479FC0\"\n    },\n    {\n      \"id\": \"bb_0x48422E\",\n      \"label\": \"Block 0x48422E\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x48422E\"\n    },\n    {\n      \"id\": \"bb_0x46BA40\",\n      \"label\": \"Block 0x46BA40\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46BA40\"\n    },\n    {\n      \"id\": \"bb_0x484D68\",\n      \"label\": \"Block 0x484D68\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x484D68\"\n    },\n    {\n      \"id\": \"bb_0x47E16A\",\n      \"label\": \"Block 0x47E16A\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x47E16A\"\n    },\n    {\n      \"id\": \"bb_0x484750\",\n      \"label\": \"Block 0x484750\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x484750\"\n    },\n    {\n      \"id\": \"bb_0x4848A0\",\n      \"label\": \"Block 0x4848A0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4848A0\"\n    },\n    {\n      \"id\": \"bb_0x48445C\",\n      \"label\": \"Block 0x48445C\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x48445C\"\n    },\n    {\n      \"id\": \"bb_0x484534\",\n      \"label\": \"Block 0x484534\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x484534\"\n    },\n    {\n      \"id\": \"bb_0x475A80\",\n      \"label\": \"Block 0x475A80\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x475A80\"\n    },\n    {\n      \"id\": \"bb_0x485433\",\n      \"label\": \"Block 0x485433\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x485433\"\n    },\n    {\n      \"id\": \"bb_0x484CD3\",\n      \"label\": \"Block 0x484CD3\",\n      \"type\": \"basic_block\",\n      \"address\": 
\"0x484CD3\"\n    },\n    {\n      \"id\": \"bb_0x484678\",\n      \"label\": \"Block 0x484678\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x484678\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_size__5_matches_\",\n      \"label\": \"get file size (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x465EB0\",\n      \"label\": \"Function 0x465EB0\",\n      \"type\": \"function\",\n      \"address\": \"0x465EB0\"\n    },\n    {\n      \"id\": \"func_0x486890\",\n      \"label\": \"Function 0x486890\",\n      \"type\": \"function\",\n      \"address\": \"0x486890\"\n    },\n    {\n      \"id\": \"func_0x477380\",\n      \"label\": \"Function 0x477380\",\n      \"type\": \"function\",\n      \"address\": \"0x477380\"\n    },\n    {\n      \"id\": \"func_0x477E40\",\n      \"label\": \"Function 0x477E40\",\n      \"type\": \"function\",\n      \"address\": \"0x477E40\"\n    },\n    {\n      \"id\": \"api_GetFileSize\",\n      \"label\": \"GetFileSize\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_file_version_info\",\n      \"label\": \"get file version info\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x488410\",\n      \"label\": \"Function 0x488410\",\n      \"type\": 
\"function\",\n      \"address\": \"0x488410\"\n    },\n    {\n      \"id\": \"api_VerQueryValue\",\n      \"label\": \"VerQueryValue\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetFileVersionInfoSize\",\n      \"label\": \"GetFileVersionInfoSize\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetFileVersionInfo\",\n      \"label\": \"GetFileVersionInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_read__ini_file__5_matches_\",\n      \"label\": \"read .ini file (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x466940\",\n      \"label\": \"Function 0x466940\",\n      \"type\": \"function\",\n      \"address\": \"0x466940\"\n    },\n    {\n      \"id\": \"func_0x475630\",\n      \"label\": \"Function 0x475630\",\n      \"type\": \"function\",\n      \"address\": \"0x475630\"\n    },\n    {\n      \"id\": \"func_0x4756B0\",\n      \"label\": \"Function 0x4756B0\",\n      \"type\": \"function\",\n      \"address\": \"0x4756B0\"\n    },\n    {\n      \"id\": \"func_0x466A20\",\n      \"label\": \"Function 0x466A20\",\n      \"type\": \"function\",\n      \"address\": \"0x466A20\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileString\",\n      \"label\": \"GetPrivateProfileString\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileInt\",\n      \"label\": \"GetPrivateProfileInt\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     @_re_fox, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      
\"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_file_on_windows__13_matches_\",\n      \"label\": \"read file on Windows (13 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x477590\",\n      \"label\": \"Function 0x477590\",\n      \"type\": \"function\",\n      \"address\": \"0x477590\"\n    },\n    {\n      \"id\": \"func_0x47CA10\",\n      \"label\": \"Function 0x47CA10\",\n      \"type\": \"function\",\n      \"address\": \"0x47CA10\"\n    },\n    {\n      \"id\": \"func_0x47CC50\",\n      \"label\": \"Function 0x47CC50\",\n      \"type\": \"function\",\n      \"address\": \"0x47CC50\"\n    },\n    {\n      \"id\": \"func_0x47C640\",\n      \"label\": \"Function 0x47C640\",\n      \"type\": \"function\",\n      \"address\": \"0x47C640\"\n    },\n    {\n      \"id\": \"func_0x47CB10\",\n      \"label\": \"Function 0x47CB10\",\n      \"type\": \"function\",\n      \"address\": \"0x47CB10\"\n    },\n    {\n      \"id\": \"func_0x477850\",\n      \"label\": \"Function 0x477850\",\n      \"type\": \"function\",\n      \"address\": \"0x477850\"\n    },\n    {\n      \"id\": \"func_0x47C090\",\n      \"label\": \"Function 0x47C090\",\n      \"type\": \"function\",\n      \"address\": \"0x47C090\"\n    },\n    {\n      \"id\": \"func_0x477CA0\",\n      \"label\": \"Function 0x477CA0\",\n      \"type\": \"function\",\n      \"address\": \"0x477CA0\"\n    },\n    {\n      \"id\": \"func_0x47C1A0\",\n      \"label\": \"Function 0x47C1A0\",\n      \"type\": \"function\",\n      \"address\": \"0x47C1A0\"\n    },\n    {\n      \"id\": \"api_ReadFile\",\n      \"label\": \"ReadFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n  
    \"label\": \"author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_file_via_mapping\",\n      \"label\": \"read file via mapping\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"api_CreateFileMapping\",\n      \"label\": \"CreateFileMapping\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"api_MapViewOfFile\",\n      \"label\": \"MapViewOfFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_UnmapViewOfFile\",\n      \"label\": \"UnmapViewOfFile\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_write_file_on_windows__17_matches_\",\n      \"label\": \"write file on Windows (17 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x470860\",\n      \"label\": \"Function 0x470860\",\n      \"type\": \"function\",\n      \"address\": \"0x470860\"\n    },\n    {\n      \"id\": \"func_0x472640\",\n      \"label\": \"Function 0x472640\",\n      \"type\": \"function\",\n      \"address\": \"0x472640\"\n    },\n    {\n      \"id\": \"func_0x472FB0\",\n      \"label\": \"Function 0x472FB0\",\n      \"type\": \"function\",\n      \"address\": \"0x472FB0\"\n    },\n    {\n      \"id\": \"func_0x472570\",\n      \"label\": \"Function 0x472570\",\n      \"type\": \"function\",\n      \"address\": \"0x472570\"\n    },\n    {\n      \"id\": \"func_0x474960\",\n      \"label\": \"Function 0x474960\",\n      
\"type\": \"function\",\n      \"address\": \"0x474960\"\n    },\n    {\n      \"id\": \"func_0x472E90\",\n      \"label\": \"Function 0x472E90\",\n      \"type\": \"function\",\n      \"address\": \"0x472E90\"\n    },\n    {\n      \"id\": \"func_0x474770\",\n      \"label\": \"Function 0x474770\",\n      \"type\": \"function\",\n      \"address\": \"0x474770\"\n    },\n    {\n      \"id\": \"func_0x474520\",\n      \"label\": \"Function 0x474520\",\n      \"type\": \"function\",\n      \"address\": \"0x474520\"\n    },\n    {\n      \"id\": \"func_0x4737C0\",\n      \"label\": \"Function 0x4737C0\",\n      \"type\": \"function\",\n      \"address\": \"0x4737C0\"\n    },\n    {\n      \"id\": \"func_0x473A20\",\n      \"label\": \"Function 0x473A20\",\n      \"type\": \"function\",\n      \"address\": \"0x473A20\"\n    },\n    {\n      \"id\": \"func_0x472C00\",\n      \"label\": \"Function 0x472C00\",\n      \"type\": \"function\",\n      \"address\": \"0x472C00\"\n    },\n    {\n      \"id\": \"func_0x470F80\",\n      \"label\": \"Function 0x470F80\",\n      \"type\": \"function\",\n      \"address\": \"0x470F80\"\n    },\n    {\n      \"id\": \"func_0x4708E0\",\n      \"label\": \"Function 0x4708E0\",\n      \"type\": \"function\",\n      \"address\": \"0x4708E0\"\n    },\n    {\n      \"id\": \"func_0x4727D0\",\n      \"label\": \"Function 0x4727D0\",\n      \"type\": \"function\",\n      \"address\": \"0x4727D0\"\n    },\n    {\n      \"id\": \"func_0x48113A\",\n      \"label\": \"Function 0x48113A\",\n      \"type\": \"function\",\n      \"address\": \"0x48113A\"\n    },\n    {\n      \"id\": \"func_0x472220\",\n      \"label\": \"Function 0x472220\",\n      \"type\": \"function\",\n      \"address\": \"0x472220\"\n    },\n    {\n      \"id\": \"api_WriteFile\",\n      \"label\": \"WriteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": 
\"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_gui_resources\",\n      \"label\": \"enumerate gui resources\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46F2B0\",\n      \"label\": \"Function 0x46F2B0\",\n      \"type\": \"function\",\n      \"address\": \"0x46F2B0\"\n    },\n    {\n      \"id\": \"api_EnumResourceTypes\",\n      \"label\": \"EnumResourceTypes\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     johnk3r, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_graphical_window_text__2_matches_\",\n      \"label\": \"get graphical window text (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [E1010]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4761B0\",\n      \"label\": \"Function 0x4761B0\",\n      \"type\": \"function\",\n      \"address\": \"0x4761B0\"\n    },\n    {\n      \"id\": \"func_0x4764B0\",\n      \"label\": \"Function 0x4764B0\",\n      \"type\": \"function\",\n      \"address\": \"0x4764B0\"\n    },\n    {\n      \"id\": \"api_GetWindowText\",\n      \"label\": 
\"GetWindowText\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [E1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_hide_graphical_window__4_matches_\",\n      \"label\": \"hide graphical window (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x487EB7\",\n      \"label\": \"Block 0x487EB7\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x487EB7\"\n    },\n    {\n      \"id\": \"bb_0x46CA70\",\n      \"label\": \"Block 0x46CA70\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46CA70\"\n    },\n    {\n      \"id\": \"bb_0x46E543\",\n      \"label\": \"Block 0x46E543\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46E543\"\n    },\n    {\n      \"id\": \"bb_0x46F135\",\n      \"label\": \"Block 0x46F135\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46F135\"\n    },\n    {\n      \"id\": \"api_ShowWindow\",\n      \"label\": \"ShowWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_disk_information\",\n      \"label\": \"get disk information\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetDriveType\",\n      \"label\": \"GetDriveType\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_enumerate_internet_cache\",\n      \"label\": \"enumerate internet 
cache\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x476ED0\",\n      \"label\": \"Function 0x476ED0\",\n      \"type\": \"function\",\n      \"address\": \"0x476ED0\"\n    },\n    {\n      \"id\": \"api_FindFirstUrlCacheEntry\",\n      \"label\": \"FindFirstUrlCacheEntry\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindCloseUrlCache\",\n      \"label\": \"FindCloseUrlCache\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindNextUrlCacheEntry\",\n      \"label\": \"FindNextUrlCacheEntry\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_check_os_version\",\n      \"label\": \"check OS version\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x485840\",\n      \"label\": \"Function 0x485840\",\n      \"type\": \"function\",\n      \"address\": \"0x485840\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__johnk3r\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, johnk3r\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Information Discovery [E1082]\"\n      ]\n    },\n    {\n      \"id\": \"cap_create_process_on_windows__5_matches_\",\n      \"label\": \"create process on Windows (5 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x46F5BD\",\n      \"label\": \"Block 0x46F5BD\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46F5BD\"\n    },\n    {\n      \"id\": 
\"bb_0x46E32C\",\n      \"label\": \"Block 0x46E32C\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x46E32C\"\n    },\n    {\n      \"id\": \"bb_0x470344\",\n      \"label\": \"Block 0x470344\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x470344\"\n    },\n    {\n      \"id\": \"bb_0x470395\",\n      \"label\": \"Block 0x470395\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x470395\"\n    },\n    {\n      \"id\": \"bb_0x479A00\",\n      \"label\": \"Block 0x479A00\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x479A00\"\n    },\n    {\n      \"id\": \"api_ShellExecute\",\n      \"label\": \"ShellExecute\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_enumerate_processes\",\n      \"label\": \"enumerate processes\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Process Discovery [T1057]\",\n        \"Discovery::Software Discovery\",\n        \"[T1518]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x46A230\",\n      \"label\": \"Function 0x46A230\",\n      \"type\": \"function\",\n      \"address\": \"0x46A230\"\n    },\n    {\n      \"id\": \"api_Process32Next\",\n      \"label\": \"Process32Next\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_CreateToolhelp32Snapshot\",\n      \"label\": \"CreateToolhelp32Snapshot\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_Process32First\",\n      \"label\": \"Process32First\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_terminate_process\",\n      \"label\": \"terminate process\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Process [C0018]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40193E\",\n 
     \"label\": \"Function 0x40193E\",\n      \"type\": \"function\",\n      \"address\": \"0x40193E\"\n    },\n    {\n      \"id\": \"api_exit\",\n      \"label\": \"exit\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"label\": \"query or enumerate registry value (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Value [C0036.006]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4667E0\",\n      \"label\": \"Function 0x4667E0\",\n      \"type\": \"function\",\n      \"address\": \"0x4667E0\"\n    },\n    {\n      \"id\": \"func_0x4781D0\",\n      \"label\": \"Function 0x4781D0\",\n      \"type\": \"function\",\n      \"address\": \"0x4781D0\"\n    },\n    {\n      \"id\": \"api_RegQueryValueEx\",\n      \"label\": \"RegQueryValueEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_set_registry_value\",\n      \"label\": \"set registry value\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Set Registry Key [C0036.001]\"\n      ]\n    },\n    {\n      \"id\": \"api_RegSetValueEx\",\n      \"label\": \"RegSetValueEx\",\n      \"type\": \"api\",\n      \"category\": \"registry\"\n    },\n    {\n      \"id\": \"cap_create_thread\",\n      \"label\": \"create thread\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x41154B\",\n      \"label\": \"Block 0x41154B\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x41154B\"\n    },\n    {\n      \"id\": \"api__beginthreadex\",\n      \"label\": \"_beginthreadex\",\n      \"type\": 
\"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"joakim@intezer.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_link_function_at_runtime_on_windows__36_matches_\",\n      \"label\": \"link function at runtime on Windows (36 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetProcAddress\",\n      \"label\": \"GetProcAddress\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"label\": \"link many functions at runtime (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x469E40\",\n      \"label\": \"Function 0x469E40\",\n      \"type\": \"function\",\n      \"address\": \"0x469E40\"\n    },\n    {\n      \"id\": \"func_0x46AA90\",\n      \"label\": \"Function 0x46AA90\",\n      \"type\": \"function\",\n      \"address\": \"0x46AA90\"\n    },\n    {\n      \"id\": \"func_0x46A850\",\n      \"label\": \"Function 0x46A850\",\n      \"type\": \"function\",\n      \"address\": \"0x46A850\"\n    },\n    {\n      \"id\": 
\"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_linked_against_sqlite3\",\n      \"label\": \"linked against sqlite3\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____still_teamt5_org\",\n      \"label\": \"author     still@teamt5.org\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_enumerate_pe_sections__3_matches_\",\n      \"label\": \"enumerate PE sections (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Code Discovery::Enumerate PE Sections [B0046.001]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x449830\",\n      \"label\": \"Function 0x449830\",\n      \"type\": \"function\",\n      \"address\": \"0x449830\"\n    },\n    {\n      \"id\": \"func_0x42DF60\",\n      \"label\": \"Function 0x42DF60\",\n      \"type\": \"function\",\n      \"address\": \"0x42DF60\"\n    },\n    {\n      \"id\": \"func_0x4484F0\",\n      \"label\": \"Function 0x4484F0\",\n      \"type\": \"function\",\n      \"address\": \"0x4484F0\"\n    },\n    {\n      \"id\": \"cap_author_______ana06___mr_tz\",\n      \"label\": \"author      @Ana06, @mr-tz\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Code Discovery::Enumerate PE Sections [B0046.001]\"\n      ]\n    },\n    {\n      \"id\": \"cap_parse_pe_header\",\n      \"label\": \"parse PE header\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n     
 \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"label\": \"resolve function by parsing PE exports (28 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x4274A0\",\n      \"label\": \"Function 0x4274A0\",\n      \"type\": \"function\",\n      \"address\": \"0x4274A0\"\n    },\n    {\n      \"id\": \"func_0x43A8C0\",\n      \"label\": \"Function 0x43A8C0\",\n      \"type\": \"function\",\n      \"address\": \"0x43A8C0\"\n    },\n    {\n      \"id\": \"func_0x445080\",\n      \"label\": \"Function 0x445080\",\n      \"type\": \"function\",\n      \"address\": \"0x445080\"\n    },\n    {\n      \"id\": \"func_0x46B010\",\n      \"label\": \"Function 0x46B010\",\n      \"type\": \"function\",\n      \"address\": \"0x46B010\"\n    },\n    {\n      \"id\": \"func_0x458770\",\n      \"label\": \"Function 0x458770\",\n      \"type\": \"function\",\n      \"address\": \"0x458770\"\n    },\n    {\n      \"id\": \"func_0x42D080\",\n      \"label\": \"Function 0x42D080\",\n      \"type\": \"function\",\n      \"address\": \"0x42D080\"\n    },\n    {\n      \"id\": \"func_0x43D170\",\n      \"label\": \"Function 0x43D170\",\n      \"type\": \"function\",\n      \"address\": \"0x43D170\"\n    },\n    {\n      \"id\": \"func_0x43C8A0\",\n      \"label\": \"Function 0x43C8A0\",\n      \"type\": \"function\",\n      \"address\": \"0x43C8A0\"\n    },\n    {\n      \"id\": \"func_0x482C10\",\n      \"label\": \"Function 0x482C10\",\n      \"type\": \"function\",\n      \"address\": \"0x482C10\"\n    },\n    {\n      \"id\": \"func_0x453200\",\n      \"label\": \"Function 0x453200\",\n      \"type\": \"function\",\n      \"address\": \"0x453200\"\n    },\n    {\n      \"id\": \"func_0x448790\",\n      \"label\": \"Function 0x448790\",\n      \"type\": \"function\",\n      
\"address\": \"0x448790\"\n    },\n    {\n      \"id\": \"func_0x45A790\",\n      \"label\": \"Function 0x45A790\",\n      \"type\": \"function\",\n      \"address\": \"0x45A790\"\n    },\n    {\n      \"id\": \"func_0x456FA0\",\n      \"label\": \"Function 0x456FA0\",\n      \"type\": \"function\",\n      \"address\": \"0x456FA0\"\n    },\n    {\n      \"id\": \"func_0x451C10\",\n      \"label\": \"Function 0x451C10\",\n      \"type\": \"function\",\n      \"address\": \"0x451C10\"\n    },\n    {\n      \"id\": \"func_0x43E5D0\",\n      \"label\": \"Function 0x43E5D0\",\n      \"type\": \"function\",\n      \"address\": \"0x43E5D0\"\n    },\n    {\n      \"id\": \"func_0x453BB0\",\n      \"label\": \"Function 0x453BB0\",\n      \"type\": \"function\",\n      \"address\": \"0x453BB0\"\n    },\n    {\n      \"id\": \"func_0x43B060\",\n      \"label\": \"Function 0x43B060\",\n      \"type\": \"function\",\n      \"address\": \"0x43B060\"\n    },\n    {\n      \"id\": \"func_0x4693D0\",\n      \"label\": \"Function 0x4693D0\",\n      \"type\": \"function\",\n      \"address\": \"0x4693D0\"\n    },\n    {\n      \"id\": \"func_0x46DA50\",\n      \"label\": \"Function 0x46DA50\",\n      \"type\": \"function\",\n      \"address\": \"0x46DA50\"\n    },\n    {\n      \"id\": \"func_0x44FAD0\",\n      \"label\": \"Function 0x44FAD0\",\n      \"type\": \"function\",\n      \"address\": \"0x44FAD0\"\n    },\n    {\n      \"id\": \"func_0x45B320\",\n      \"label\": \"Function 0x45B320\",\n      \"type\": \"function\",\n      \"address\": \"0x45B320\"\n    },\n    {\n      \"id\": \"func_0x452260\",\n      \"label\": \"Function 0x452260\",\n      \"type\": \"function\",\n      \"address\": \"0x452260\"\n    },\n    {\n      \"id\": \"func_0x4471E0\",\n      \"label\": \"Function 0x4471E0\",\n      \"type\": \"function\",\n      \"address\": \"0x4471E0\"\n    },\n    {\n      \"id\": \"func_0x451A00\",\n      \"label\": \"Function 0x451A00\",\n      \"type\": \"function\",\n    
  \"address\": \"0x451A00\"\n    },\n    {\n      \"id\": \"cap_author_____sara_rn\",\n      \"label\": \"author     sara-rn\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_persist_via_run_registry_key__3_matches_\",\n      \"label\": \"persist via Run registry key (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Persistence::Registry Run Keys / Startup Folder [F0012]\"\n      ]\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_loop__747_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_contain_loop__747_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x4014A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_or_open_file__12_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_rule_\",\n      \"target\": \"bb_0x478260\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_os_version__5_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_os_version__5_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x46A5E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46A5E0\",\n      \"target\": 
\"api_GetVersionEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_open_process__4_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_open_process__4_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x46A2B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_for_time_delay_via_gettickcount\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_for_time_delay_via_gettickcount\",\n      \"target\": \"func_0x4750E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4750E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_parse_credit_card_information\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_parse_credit_card_information\",\n      \"target\": \"func_0x439DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox\",\n      \"target\": \"func_0x439DD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_reference_sql_statements__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_reference_sql_statements__2_matches_\",\n      \"target\": \"func_0x45E8B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_reference_sql_statements__2_matches_\",\n      \"target\": \"func_0x45EE50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x45E8B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x45EE50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes_via_polling__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__2_matches_\",\n      \"target\": \"func_0x46F590\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__2_matches_\",\n      \"target\": \"func_0x4741C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46F590\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4741C0\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46F590\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4741C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46F590\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4741C0\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"malware_file\",\n      \"target\": \"cap_encrypt_data_using_speck\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_encrypt_data_using_speck\",\n      \"target\": \"func_0x45EE50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______still_teamt5_org\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______still_teamt5_org\",\n      \"target\": \"func_0x45EE50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_extract_resource_via_kernel32_functions\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions\",\n      \"target\": \"func_0x465A20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x465A20\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465A20\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465A20\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465A20\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x465A20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x465A20\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465A20\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465A20\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x465A20\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_open_clipboard__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_open_clipboard__3_matches_\",\n      \"target\": \"func_0x476940\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_open_clipboard__3_matches_\",\n      \"target\": \"func_0x46ECC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_open_clipboard__3_matches_\",\n      \"target\": \"func_0x46E560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E560\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E560\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x476940\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46ECC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46E560\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"func_0x476940\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E560\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E560\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_clipboard_data__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_clipboard_data__3_matches_\",\n      \"target\": \"func_0x476940\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_clipboard_data__3_matches_\",\n      \"target\": \"func_0x47B5A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_clipboard_data__3_matches_\",\n      \"target\": \"func_0x47A390\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A390\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": 
\"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A390\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A390\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A390\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x476940\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47B5A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47A390\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_EmptyClipboard\",\n    
  \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A390\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A390\",\n      \"target\": \"api_CloseClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A390\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476940\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A390\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_environment_variable__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_environment_variable__2_matches_\",\n      \"target\": \"func_0x46E0B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_environment_variable__2_matches_\",\n      \"target\": \"func_0x482B00\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_ExpandEnvironmentStrings\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x482B00\",\n      \"target\": \"api_ExpandEnvironmentStrings\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x46E0B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com____re_fox\",\n      \"target\": \"func_0x482B00\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_ExpandEnvironmentStrings\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x482B00\",\n      \"target\": \"api_ExpandEnvironmentStrings\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path__9_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x471C90\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x46B6F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x46ED80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x46ECC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x46E0B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x47A0E0\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x481F50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x479DC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__9_matches_\",\n      \"target\": \"func_0x479D70\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x471C90\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ED80\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A0E0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479DC0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479D70\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x471C90\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n   
   \"source\": \"func_0x46ED80\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A0E0\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479DC0\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479D70\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x471C90\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ED80\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A0E0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479DC0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479D70\",\n      
\"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x471C90\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ED80\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A0E0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479DC0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479D70\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x471C90\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ED80\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x47A0E0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479DC0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479D70\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x471C90\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46B6F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46ED80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46ECC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46E0B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47A0E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x481F50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x479DC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x479D70\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x471C90\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ED80\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A0E0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479DC0\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479D70\",\n      \"target\": \"api_GetCurrentDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x471C90\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ED80\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x47A0E0\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479DC0\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479D70\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x471C90\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ED80\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A0E0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479DC0\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479D70\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x471C90\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x46ED80\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A0E0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479DC0\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479D70\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x471C90\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ED80\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46E0B0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47A0E0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479DC0\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n 
   },\n    {\n      \"source\": \"func_0x479D70\",\n      \"target\": \"api_GetSystemDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_system_object_information\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_system_object_information\",\n      \"target\": \"bb_0x471CBE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x471CBE\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_copy_file__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_copy_file__2_matches_\",\n      \"target\": \"func_0x481F50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_copy_file__2_matches_\",\n      \"target\": \"func_0x46B6F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x481F50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46B6F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_CopyFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_file__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_file__5_matches_\",\n      \"target\": \"func_0x46B6F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__5_matches_\",\n      \"target\": \"func_0x46ECC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__5_matches_\",\n      \"target\": \"func_0x46EA60\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__5_matches_\",\n      \"target\": \"func_0x481F50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_delete_file__5_matches_\",\n      \"target\": \"func_0x477A20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EA60\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477A20\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46B6F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46ECC0\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46EA60\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x481F50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x477A20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46B6F0\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46ECC0\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46EA60\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x481F50\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477A20\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x4841A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x46BA40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x4890E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x475A80\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x479FC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x47E0B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists__7_matches_\",\n      \"target\": \"func_0x484310\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4841A0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46BA40\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4890E0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475A80\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479FC0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E0B0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x484310\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4841A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46BA40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4890E0\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x475A80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x479FC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x47E0B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x484310\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4841A0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46BA40\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4890E0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475A80\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x479FC0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47E0B0\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x484310\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_files_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_files_on_windows\",\n      \"target\": \"func_0x478A40\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x478A40\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A40\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A40\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x478A40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x478A40\",\n      \"target\": \"api_FindClose\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A40\",\n      \"target\": \"api_FindNextFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x478A40\",\n      \"target\": \"api_FindFirstFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_attributes__23_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x4846E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x4845A4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x4844C8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x4855FA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x489776\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x485092\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x484407\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x4896E2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x484618\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x46F114\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x479FC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x48422E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x46BA40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x484D68\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x47E16A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x484750\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x4848A0\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x48445C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x484534\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x475A80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x485433\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x484CD3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes__23_matches_\",\n      \"target\": \"bb_0x484678\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4846E4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4845A4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4844C8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4855FA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x489776\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x485092\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x484407\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4896E2\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x484618\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x46F114\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x479FC0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x48422E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x46BA40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x484D68\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x47E16A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x484750\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4848A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x48445C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x484534\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x475A80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x485433\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x484CD3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x484678\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_size__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_size__5_matches_\",\n      \"target\": \"func_0x465EB0\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_size__5_matches_\",\n      \"target\": \"func_0x486890\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_size__5_matches_\",\n      \"target\": \"func_0x47B5A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_size__5_matches_\",\n      \"target\": \"func_0x477380\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_size__5_matches_\",\n      \"target\": \"func_0x477E40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x465EB0\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x486890\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477E40\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x465EB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x486890\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47B5A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      
\"target\": \"func_0x477380\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x477E40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x465EB0\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x486890\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477E40\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_version_info\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_version_info\",\n      \"target\": \"func_0x488410\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x488410\",\n      \"target\": \"api_VerQueryValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x488410\",\n      \"target\": \"api_GetFileVersionInfoSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x488410\",\n      \"target\": \"api_GetFileVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x488410\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x488410\",\n      \"target\": \"api_VerQueryValue\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x488410\",\n      
\"target\": \"api_GetFileVersionInfoSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x488410\",\n      \"target\": \"api_GetFileVersionInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read__ini_file__5_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__5_matches_\",\n      \"target\": \"func_0x466940\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__5_matches_\",\n      \"target\": \"func_0x475630\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__5_matches_\",\n      \"target\": \"func_0x4756B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__5_matches_\",\n      \"target\": \"func_0x475A80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__5_matches_\",\n      \"target\": \"func_0x466A20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x466940\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475630\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4756B0\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475A80\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x466A20\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x466940\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x475630\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4756B0\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475A80\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x466A20\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x466940\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x475630\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4756B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x475A80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x466A20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x466940\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475630\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4756B0\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x475A80\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x466A20\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x466940\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475630\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4756B0\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x475A80\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x466A20\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_file_on_windows__13_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x477590\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x465EB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x47CA10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x486890\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x47CC50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": 
\"func_0x47C640\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x47B5A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x47CB10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x477850\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x47C090\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x477CA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x47C1A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__13_matches_\",\n      \"target\": \"func_0x477E40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477590\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465EB0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CA10\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x486890\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CC50\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C640\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      
\"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CB10\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477850\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C090\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477CA0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C1A0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477E40\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477590\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465EB0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CA10\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x486890\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CC50\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C640\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CB10\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477850\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x47C090\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477CA0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C1A0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477E40\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x477590\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x465EB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CA10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x486890\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CC50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47C640\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47B5A0\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47CB10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x477850\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47C090\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x477CA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x47C1A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x477E40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477590\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465EB0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CA10\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x486890\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CC50\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C640\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x47B5A0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CB10\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477850\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C090\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477CA0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C1A0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477E40\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477590\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x465EB0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CA10\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x486890\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CC50\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C640\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47B5A0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47CB10\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477850\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n    
  \"source\": \"func_0x47C090\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477CA0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x47C1A0\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477E40\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_file_via_mapping\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_file_via_mapping\",\n      \"target\": \"func_0x477380\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_CreateFileMapping\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_MapViewOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_UnmapViewOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x477380\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_CreateFileMapping\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_MapViewOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_UnmapViewOfFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n    
  \"source\": \"malware_file\",\n      \"target\": \"cap_write_file_on_windows__17_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x470860\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x472640\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x472FB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x472570\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x474960\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x472E90\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x474770\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x474520\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x4737C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x473A20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x472C00\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": 
\"func_0x470F80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x477380\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x4708E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x4727D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x48113A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__17_matches_\",\n      \"target\": \"func_0x472220\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x470860\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472640\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472FB0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472570\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474960\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472E90\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474770\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474520\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4737C0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"func_0x473A20\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472C00\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470F80\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4708E0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4727D0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48113A\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472220\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470860\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472640\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472FB0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472570\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474960\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472E90\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474770\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474520\",\n      \"target\": 
\"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4737C0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473A20\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472C00\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470F80\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4708E0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4727D0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48113A\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472220\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x470860\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472640\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472FB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    
{\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472570\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x474960\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472E90\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x474770\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x474520\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4737C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x473A20\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472C00\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x470F80\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x477380\",\n      \"relationship\": \"implemented_by\"\n  
  },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4708E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4727D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x48113A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x472220\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x470860\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472640\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472FB0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472570\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474960\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472E90\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474770\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474520\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4737C0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473A20\",\n  
    \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472C00\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470F80\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4708E0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4727D0\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48113A\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472220\",\n      \"target\": \"api_CreateFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470860\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472640\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472FB0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472570\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474960\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472E90\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474770\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x474520\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"func_0x4737C0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x473A20\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472C00\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x470F80\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4708E0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4727D0\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x48113A\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x472220\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_gui_resources\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_gui_resources\",\n      \"target\": \"func_0x46F2B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46F2B0\",\n      \"target\": \"api_EnumResourceTypes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x46F2B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46F2B0\",\n      \"target\": \"api_EnumResourceTypes\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_graphical_window_text__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__2_matches_\",\n      \"target\": \"func_0x4761B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__2_matches_\",\n      \"target\": \"func_0x4764B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4761B0\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4764B0\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4761B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4764B0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4761B0\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4764B0\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hide_graphical_window__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__4_matches_\",\n      \"target\": \"bb_0x487EB7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__4_matches_\",\n      \"target\": \"bb_0x46CA70\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_hide_graphical_window__4_matches_\",\n      \"target\": \"bb_0x46E543\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__4_matches_\",\n      \"target\": \"bb_0x46F135\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x487EB7\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x46CA70\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x46E543\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x46F135\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_disk_information\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_disk_information\",\n      \"target\": \"func_0x477380\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x477380\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x477380\",\n      \"target\": \"api_GetDriveType\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_internet_cache\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_internet_cache\",\n      \"target\": \"func_0x476ED0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"func_0x476ED0\",\n      \"target\": \"api_FindFirstUrlCacheEntry\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476ED0\",\n      \"target\": \"api_FindCloseUrlCache\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476ED0\",\n      \"target\": \"api_FindNextUrlCacheEntry\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x476ED0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x476ED0\",\n      \"target\": \"api_FindFirstUrlCacheEntry\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476ED0\",\n      \"target\": \"api_FindCloseUrlCache\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x476ED0\",\n      \"target\": \"api_FindNextUrlCacheEntry\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_os_version\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_os_version\",\n      \"target\": \"func_0x485840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x485840\",\n      \"target\": \"api_GetVersionEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__johnk3r\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__johnk3r\",\n      \"target\": \"func_0x485840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x485840\",\n      \"target\": \"api_GetVersionEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_on_windows__5_matches_\",\n      \"relationship\": \"exhibits\"\n  
  },\n    {\n      \"source\": \"cap_create_process_on_windows__5_matches_\",\n      \"target\": \"bb_0x46F5BD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__5_matches_\",\n      \"target\": \"bb_0x46E32C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__5_matches_\",\n      \"target\": \"bb_0x470344\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__5_matches_\",\n      \"target\": \"bb_0x470395\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows__5_matches_\",\n      \"target\": \"bb_0x479A00\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x46F5BD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x46E32C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x470344\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x470395\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x479A00\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_processes\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_processes\",\n      \"target\": \"func_0x46A230\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46A230\",\n      \"target\": \"api_Process32Next\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A230\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A230\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x46A230\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x46A230\",\n      \"target\": \"api_Process32Next\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A230\",\n      \"target\": \"api_CreateToolhelp32Snapshot\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x46A230\",\n      \"target\": \"api_Process32First\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_process\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_terminate_process\",\n      \"target\": \"func_0x40193E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40193E\",\n      \"target\": \"api_exit\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40193E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40193E\",\n      \"target\": \"api_exit\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"target\": \"func_0x4890E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n   
   \"target\": \"func_0x4667E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"target\": \"func_0x485840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value__4_matches_\",\n      \"target\": \"func_0x4781D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4890E0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4667E0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x485840\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4781D0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4890E0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4667E0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x485840\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4781D0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4890E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4667E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x485840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4781D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4890E0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4667E0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x485840\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4781D0\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4890E0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4667E0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x485840\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4781D0\",\n      \"target\": \"api_RegOpenKeyEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_set_registry_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_set_registry_value\",\n      \"target\": \"func_0x4667E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4667E0\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4667E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4667E0\",\n      \"target\": \"api_RegSetValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_thread\",\n     
 \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_thread\",\n      \"target\": \"bb_0x41154B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x41154B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_link_function_at_runtime_on_windows__36_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"target\": \"func_0x46A230\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"target\": \"func_0x469E40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"target\": \"func_0x46AA90\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"target\": \"func_0x46A850\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": 
\"func_0x46A230\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x469E40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x46AA90\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x46A850\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_linked_against_sqlite3\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____still_teamt5_org\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_pe_sections__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_pe_sections__3_matches_\",\n      \"target\": \"func_0x449830\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_pe_sections__3_matches_\",\n      \"target\": \"func_0x42DF60\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_enumerate_pe_sections__3_matches_\",\n      \"target\": \"func_0x4484F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______ana06___mr_tz\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______ana06___mr_tz\",\n      \"target\": \"func_0x449830\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______ana06___mr_tz\",\n      \"target\": \"func_0x42DF60\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_author_______ana06___mr_tz\",\n      \"target\": \"func_0x4484F0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_parse_pe_header\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_parse_pe_header\",\n      \"target\": \"func_0x40193E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x40193E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x4274A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x449830\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x43A8C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x445080\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x46B010\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x458770\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x481F50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      
\"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x42D080\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x43D170\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x43C8A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x482C10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x45EE50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x453200\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x448790\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x45A790\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x456FA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x451C10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x43E5D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": 
\"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x453BB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x43B060\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x4693D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x46DA50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x44FAD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x45B320\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x452260\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x484310\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x4471E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__28_matches_\",\n      \"target\": \"func_0x451A00\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____sara_rn\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x4274A0\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x449830\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x43A8C0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x445080\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x46B010\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x458770\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x481F50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x42D080\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x43D170\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x43C8A0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x482C10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x45EE50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x453200\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x448790\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x45A790\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x456FA0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x451C10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x43E5D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x453BB0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x43B060\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x4693D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x46DA50\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x44FAD0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x45B320\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x452260\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x484310\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x4471E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x451A00\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": 
\"cap_persist_via_run_registry_key__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_persist_via_run_registry_key__3_matches_\",\n      \"target\": \"func_0x4890E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_persist_via_run_registry_key__3_matches_\",\n      \"target\": \"func_0x4781D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_persist_via_run_registry_key__3_matches_\",\n      \"target\": \"func_0x485840\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"target\": \"func_0x4890E0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"target\": \"func_0x4781D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"target\": \"func_0x485840\",\n      \"relationship\": \"implemented_by\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-05-24 21:09:20.973471\",\n    \"total_functions\": \"1623\",\n    \"total_features\": \"118065\",\n    \"pdb_path\": \"\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n 
           \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 
15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) 
{\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? 
\"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-05-24 21:09:24"}
{"_id":{"$oid":"6a13e5ba32de6bb6782baac6"},"sha256":"637175bedfe6852886341e15c4d48241d7a58083a45272df0aac35469c653f6f","analysis_data":{"success":true,"results":{"normal":{"success":true,"path":"/tmp/sdm_capa_50chlbjt/001_upx_unpacked.exe_normal.txt"},"verbose":{"success":true,"path":"/tmp/sdm_capa_50chlbjt/001_upx_unpacked.exe_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_50chlbjt/001_upx_unpacked.exe_very_verbose.txt"}},"outputs":{"normal":"┌──────────┬───────────────────────────────────────────────────────────────────┐\n│ md5      │ 8f293fe4c3cfcbc2e5981327e228d80a                                  │\n│ sha1     │ d47b85ee7ed12c5a32dd9409fdd805359f3f82e8                          │\n│ sha256   │ ce8b3d8414576a20ee60cfabc560360f602ac6715ffd1e546b508cd5be5394aa  │\n│ analysis │ static                                                            │\n│ os       │ windows                                                           │\n│ format   │ pe                                                                │\n│ arch     │ i386                                                              │\n│ path     │ /tmp/sdm_unpack_5820llhr/WirelessNetView-019e5db7803a7fb0825cc53… │\n└──────────┴───────────────────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ ATT&CK Tactic             ┃ ATT&CK Technique                                 ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ COLLECTION                │ Clipboard Data [T1115]                           │\n│                           │ Input Capture::Keylogging [T1056.001]            │\n│ DEFENSE EVASION           │ Hide Artifacts::Hidden Window [T1564.003]        │\n│                           │ Obfuscated Files or Information [T1027]          │\n│ DISCOVERY                 │ Application Window Discovery [T1010]             │\n│                           │ File and Directory 
Discovery [T1083]             │\n│                           │ Query Registry [T1012]                           │\n│                           │ System Location Discovery [T1614]                │\n│ EXECUTION                 │ Shared Modules [T1129]                           │\n└───────────────────────────┴──────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MBC Objective        ┃ MBC Behavior                                          ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ COLLECTION           │ Keylogging::Polling [F0002.002]                       │\n│ DATA                 │ Encode Data::XOR [C0026.002]                          │\n│ DEFENSE EVASION      │ Obfuscated Files or Information::Encoding-Standard    │\n│                      │ Algorithm [E1027.m02]                                 │\n│ DISCOVERY            │ Application Window Discovery [E1010]                  │\n│                      │ File and Directory Discovery [E1083]                  │\n│ FILE SYSTEM          │ Delete File [C0047]                                   │\n│                      │ Get File Attributes [C0049]                           │\n│                      │ Read File [C0051]                                     │\n│                      │ Writes File [C0052]                                   │\n│ IMPACT               │ Clipboard Modification [E1510]                        │\n│ OPERATING SYSTEM     │ Registry::Query Registry Value [C0036.006]            │\n│ PROCESS              │ Create Process [C0017]                                │\n│                      │ Create Thread [C0038]                                 │\n│                      │ Terminate Process [C0018]                             
│\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Capability                            ┃ Namespace                            ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ get geographical location             │ collection                           │\n│ log keystrokes via polling (3         │ collection/keylog                    │\n│ matches)                              │                                      │\n│ encode data using XOR                 │ data-manipulation/encoding/xor       │\n│ contains PDB path                     │ executable/pe/pdb                    │\n│ extract resource via kernel32         │ executable/resource                  │\n│ functions                             │                                      │\n│ open clipboard                        │ host-interaction/clipboard           │\n│ write clipboard data                  │ host-interaction/clipboard           │\n│ get common file path (2 matches)      │ host-interaction/file-system         │\n│ get file system object information    │ host-interaction/file-system         │\n│ delete file                           │ host-interaction/file-system/delete  │\n│ check if file exists                  │ host-interaction/file-system/exists  │\n│ get file attributes                   │ host-interaction/file-system/meta    │\n│ get file size (3 matches)             │ host-interaction/file-system/meta    │\n│ read .ini file (7 matches)            │ host-interaction/file-system/read    │\n│ read file on Windows (2 matches)      │ host-interaction/file-system/read    │\n│ write file on Windows (3 matches)     │ host-interaction/file-system/write   │\n│ enumerate gui resources               │ host-interaction/gui                 │\n│ find graphical window                 │ host-interaction/gui/window/find     │\n│ get graphical window text 
(2 matches) │ host-interaction/gui/window/get-text │\n│ hide graphical window (2 matches)     │ host-interaction/gui/window/hide     │\n│ create process on Windows             │ host-interaction/process/create      │\n│ terminate process (2 matches)         │ host-interaction/process/terminate   │\n│ query or enumerate registry value     │ host-interaction/registry            │\n│ create thread (2 matches)             │ host-interaction/thread/create       │\n│ link function at runtime on Windows   │ linking/runtime-linking              │\n│ (35 matches)                          │                                      │\n│ link many functions at runtime (4     │ linking/runtime-linking              │\n│ matches)                              │                                      │\n│ parse PE header                       │ load-code/pe                         │\n│ resolve function by parsing PE        │ load-code/pe                         │\n│ exports (2 matches)                   │                                      │\n└───────────────────────────────────────┴──────────────────────────────────────┘\n\n","verbose":"md5                     8f293fe4c3cfcbc2e5981327e228d80a                        \nsha1                    d47b85ee7ed12c5a32dd9409fdd805359f3f82e8                \nsha256                  ce8b3d8414576a20ee60cfabc560360f602ac6715ffd1e546b508cd…\npath                    /tmp/sdm_unpack_5820llhr/WirelessNetView-019e5db7803a7f…\ntimestamp               2026-05-25 11:31:19.421276                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               
VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEIdI6Zur/rules                                   \nfunction count          367                                                     \nlibrary function count  2                                                       \ntotal feature count     17372                                                   \n\nget geographical location\nnamespace  collection\nscope      function  \nmatches    0x405023  \n\nlog keystrokes via polling (3 matches)\nnamespace  collection/keylog\nscope      function         \nmatches    0x4044BC         \n           0x4044CF         \n           0x40AF40         \n\nencode data using XOR\nnamespace  data-manipulation/encoding/xor\nscope      basic block                   \nmatches    0x40C929                      \n\ncontains PDB path\nnamespace  executable/pe/pdb\nscope      file             \n\nextract resource via kernel32 functions\nnamespace  executable/resource\nscope      function           \nmatches    0x40C8D5           \n\nopen clipboard\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x409DB4                  \n\nwrite clipboard data\nnamespace  host-interaction/clipboard\nscope      function                  \nmatches    0x404949                  \n\nget common file path (2 matches)\nnamespace  host-interaction/file-system\nscope      function                    \nmatches    0x404D61                    \n           0x409DB4                    \n\nget file system object information\nnamespace  host-interaction/file-system\nscope      basic block                 \nmatches    0x4083D0                    \n\ndelete file\nnamespace  host-interaction/file-system/delete\nscope      function                           \nmatches    0x409DB4                           \n\ncheck if file exists\nnamespace  
host-interaction/file-system/exists\nscope      function                           \nmatches    0x404B74                           \n\nget file attributes\nnamespace  host-interaction/file-system/meta\nscope      basic block                      \nmatches    0x404B74                         \n\nget file size (3 matches)\nnamespace  host-interaction/file-system/meta\nscope      function                         \nmatches    0x404949                         \n           0x4087D8                         \n           0x408E1D                         \n\nread .ini file (7 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x4060D8                         \n           0x4060FD                         \n           0x406170                         \n           0x40652E                         \n           0x40C62F                         \n           0x40C6D5                         \n           0x40C853                         \n\nread file on Windows (2 matches)\nnamespace  host-interaction/file-system/read\nscope      function                         \nmatches    0x404949                         \n           0x405317                         \n\nwrite file on Windows (3 matches)\nnamespace  host-interaction/file-system/write\nscope      function                          \nmatches    0x404783                          \n           0x405336                          \n           0x40756E                          \n\nenumerate gui resources\nnamespace  host-interaction/gui\nscope      function            \nmatches    0x40B84A            \n\nfind graphical window\nnamespace  host-interaction/gui/window/find\nscope      instruction                     \nmatches    0x40B943                        \n\nget graphical window text (2 matches)\nnamespace  host-interaction/gui/window/get-text\nscope      function                            \nmatches    0x40630B                            \n           0x4063CA                  
          \n\nhide graphical window (2 matches)\nnamespace  host-interaction/gui/window/hide\nscope      basic block                     \nmatches    0x40127C                        \n           0x40B2AA                        \n\ncreate process on Windows\nnamespace  host-interaction/process/create\nscope      basic block                    \nmatches    0x4051A5                       \n\nterminate process (2 matches)\nnamespace  host-interaction/process/terminate\nscope      function                          \nmatches    0x401801                          \n           0x40D3D0                          \n\nquery or enumerate registry value\nnamespace  host-interaction/registry\nscope      function                 \nmatches    0x40C721                 \n\ncreate thread (2 matches)\nnamespace  host-interaction/thread/create\nscope      basic block                   \nmatches    0x4095D1                      \n           0x40A9DA                      \n\nlink function at runtime on Windows (35 matches)\nnamespace  linking/runtime-linking\nscope      instruction            \nmatches    0x403339               \n           0x40BDB4               \n           0x40BDC5               \n           0x40BDD6               \n           0x40BDE7               \n           0x40BDF8               \n           0x40BE3C               \n           0x40BE4D               \n           0x40BE5E               \n           0x40BE6F               \n           0x40BE80               \n           0x40C99E               \n           0x40C9B0               \n           0x40C9C2               \n           0x40C9D4               \n           0x40C9E6               \n           0x40C9F8               \n           0x40CA0A               \n           0x40CA1C               \n           0x40CA2E               \n           0x40CA40               \n           0x40CB8B               \n           0x40D0DF               \n           0x40D0EB               \n           0x40D0F7               \n           
0x40D103               \n           0x40D10F               \n           0x40D11B               \n           0x40D127               \n           0x40D133               \n           0x40D13F               \n           0x40D14B               \n           0x40D1F2               \n           0x40D1FE               \n           0x40D20A               \n\nlink many functions at runtime (4 matches)\nnamespace  linking/runtime-linking\nscope      function               \nmatches    0x40BD8C               \n           0x40BE10               \n           0x40C976               \n           0x40D0B8               \n\nparse PE header\nnamespace  load-code/pe\nscope      function    \nmatches    0x40D3D0    \n\nresolve function by parsing PE exports (2 matches)\nnamespace  load-code/pe\nscope      function    \nmatches    0x4024E9    \n           0x40C1F3    \n\n\n\n","very_verbose":"md5                     8f293fe4c3cfcbc2e5981327e228d80a                        \nsha1                    d47b85ee7ed12c5a32dd9409fdd805359f3f82e8                \nsha256                  ce8b3d8414576a20ee60cfabc560360f602ac6715ffd1e546b508cd…\npath                    /tmp/sdm_unpack_5820llhr/WirelessNetView-019e5db7803a7f…\ntimestamp               2026-05-25 11:31:29.560369                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    i386                                                    \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x400000                                                \nrules                   /tmp/_MEIAwryS5/rules                                   \nfunction count          367                        
                             \nlibrary function count  2                                                       \ntotal feature count     17372                                                   \n\ncontain loop (90 matches, only showing first match of library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ 0x401000\n  or:\n    characteristic: loop @ 0x401000\n\ncreate or open file (3 matches, only showing first match of library rule)\nauthor  michael.hunhoff@mandiant.com, joakim@intezer.com\nscope   instruction                                     \nmbc     File System::Create File [C0016]                \ninstruction @ 0x404763\n  or:\n    api: CreateFile @ 0x404763\n\ncreate or open registry key (library rule)\nauthor  michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com           \nscope   basic block                                                             \nmbc     Operating System::Registry::Create Registry Key [C0036.004], Operating  \n        System::Registry::Open Registry Key [C0036.003]                         \nbasic block @ 0x40C706 in function 0x40C706\n  or:\n    api: RegOpenKeyEx @ 0x40C71A\n\ndelay execution (2 matches, only showing first match of library rule)\nauthor      michael.hunhoff@mandiant.com, @ramen0x3f                            \nscope       basic block                                                         \nmbc         Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed         \n            Execution [B0003.003]                                               \nreferences  https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions, \n            https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/T…\nbasic block @ 0x4095D1 in function 0x4094FF\n  or:\n    and:\n      os: windows\n      or:\n        api: WaitForSingleObject @ 0x409603\n\nget OS version (library rule)\nauthor  @mr-tz  \nscope   function\nfunction @ 0x404CA1\n  or:\n    api: GetVersionEx @ 
0x404CBB\n\nopen process (library rule)\nauthor  0x534a@mailbox.org           \nscope   basic block                  \nmbc     Process::Open Process [C0065]\nbasic block @ 0x40BFC0 in function 0x40BF8E\n  or:\n    api: OpenProcess @ 0x40BFC9\n\nget geographical location\nnamespace  collection                                  \nauthor     moritz.raabe, michael.hunhoff@mandiant.com  \nscope      function                                    \natt&ck     Discovery::System Location Discovery [T1614]\nfunction @ 0x405023\n  or:\n    api: GetLocaleInfo @ 0x40504C, 0x40505E, 0x405076, 0x405089, and 1 more...\n\nlog keystrokes via polling (3 matches)\nnamespace  collection/keylog                                \nauthor     michael.hunhoff@mandiant.com                     \nscope      function                                         \natt&ck     Collection::Input Capture::Keylogging [T1056.001]\nmbc        Collection::Keylogging::Polling [F0002.002]      \nfunction @ 0x4044BC\n  or:\n    api: GetKeyState @ 0x4044C0\nfunction @ 0x4044CF\n  or:\n    api: GetKeyState @ 0x4044E8\nfunction @ 0x40AF40\n  or:\n    api: GetKeyState @ 0x40B039\n\nencode data using XOR\nnamespace  data-manipulation/encoding/xor                                       \nauthor     moritz.raabe@mandiant.com                                            \nscope      basic block                                                          \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        Defense Evasion::Obfuscated Files or Information::Encoding-Standard  \n           Algorithm [E1027.m02], Data::Encode Data::XOR [C0026.002]            \nbasic block @ 0x40C929 in function 0x40C8D5\n  and:\n    characteristic: tight loop @ 0x40C929\n    characteristic: nzxor @ 0x40C939\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 
0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\n\ncontains PDB path\nnamespace  executable/pe/pdb        \nauthor     moritz.raabe@mandiant.com\nscope      file                     \nregex: /:\\\\.*\\.pdb/\n  - \"c:\\\\Projects\\\\VS2005\\\\WirelessNetView\\\\Release\\\\WirelessNetView.pdb\" @ file+0xE7B0\n\nextract resource via kernel32 functions\nnamespace  executable/resource            \nauthor     william.ballenthin@mandiant.com\nscope      function                       \nfunction @ 0x40C8D5\n  or:\n    and:\n      or:\n        api: LoadResource @ 0x40C903\n        api: LockResource @ 0x40C90E\n      optional:\n        or:\n          api: FindResource @ 0x40C8E2\n        api: SizeofResource @ 0x40C8F3\n\nopen clipboard\nnamespace  host-interaction/clipboard        \nauthor     michael.hunhoff@mandiant.com      \nscope      function                          \natt&ck     Collection::Clipboard Data [T1115]\nfunction @ 0x409DB4\n  and:\n    api: OpenClipboard @ 0x409E2C\n\nwrite clipboard data\nnamespace   host-interaction/clipboard                                          \nauthor      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com       \nscope       function                                                            \nmbc         Impact::Clipboard 
Modification [E1510]                              \nreferences  https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-…\nfunction @ 0x404949\n  and:\n    optional:\n      api: EmptyClipboard @ 0x404953\n    or:\n      api: SetClipboardData @ 0x4049BC\n\nget common file path (2 matches)\nnamespace  host-interaction/file-system                                         \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::File and Directory Discovery [T1083]                      \nmbc        Discovery::File and Directory Discovery [E1083]                      \nfunction @ 0x404D61\n  or:\n    api: GetWindowsDirectory @ 0x404D77\nfunction @ 0x409DB4\n  or:\n    api: GetTempPath @ 0x409DCE\n    api: GetTempFileName @ 0x409E03\n    api: GetWindowsDirectory @ 0x409DE0\n\nget file system object information\nnamespace  host-interaction/file-system                   \nauthor     michael.hunhoff@mandiant.com                   \nscope      basic block                                    \natt&ck     Discovery::File and Directory Discovery [T1083]\nbasic block @ 0x4083D0 in function 0x4083A2\n  or:\n    api: SHGetFileInfo @ 0x4083FC\n\ndelete file\nnamespace  host-interaction/file-system/delete                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \nmbc        File System::Delete File [C0047]                       \nfunction @ 0x409DB4\n  or:\n    api: DeleteFile @ 0x409E64\n\ncheck if file exists\nnamespace  host-interaction/file-system/exists                    \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\nscope      function                                               \natt&ck     Discovery::File and Directory Discovery [T1083] 
       \nmbc        Discovery::File and Directory Discovery [E1083]        \nfunction @ 0x404B74\n  or:\n    basic block:\n      and:\n        api: GetFileAttributes @ 0x404B78\n        instruction:\n          and:\n            mnemonic: cmp @ 0x404B80\n            number: 0xFFFFFFFF = INVALID_FILE_ATTRIBUTES @ 0x404B80\n\nget file attributes\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      basic block                                                  \nmbc        File System::Get File Attributes [C0049]                     \nbasic block @ 0x404B74 in function 0x404B74\n  or:\n    api: GetFileAttributes @ 0x404B78\n\nget file size (3 matches)\nnamespace  host-interaction/file-system/meta                            \nauthor     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                     \natt&ck     Discovery::File and Directory Discovery [T1083]              \nmbc        Discovery::File and Directory Discovery [E1083]              \nfunction @ 0x404949\n  or:\n    api: GetFileSize @ 0x404970\nfunction @ 0x4087D8\n  or:\n    api: GetFileSize @ 0x4087FD\nfunction @ 0x408E1D\n  or:\n    api: GetFileSize @ 0x408E3D\n\nread .ini file (7 matches)\nnamespace  host-interaction/file-system/read     \nauthor     @_re_fox, michael.hunhoff@mandiant.com\nscope      function                              \nmbc        File System::Read File [C0051]        \nfunction @ 0x4060D8\n  and:\n    or:\n      api: GetPrivateProfileString @ 0x4060F4\nfunction @ 0x4060FD\n  and:\n    or:\n      api: GetPrivateProfileString @ 0x406146\nfunction @ 0x406170\n  and:\n    or:\n      api: GetPrivateProfileString @ 0x4061BD\nfunction @ 0x40652E\n  and:\n    or:\n      api: GetPrivateProfileInt @ 0x406569\nfunction @ 0x40C62F\n  and:\n    or:\n      api: GetPrivateProfileString @ 0x40C6B0\nfunction @ 0x40C6D5\n  
and:\n    or:\n      api: GetPrivateProfileInt @ 0x40C6FC\nfunction @ 0x40C853\n  and:\n    or:\n      api: GetPrivateProfileString @ 0x40C882\n\nread file on Windows (2 matches)\nnamespace  host-interaction/file-system/read                         \nauthor     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                  \nmbc        File System::Read File [C0051]                            \nfunction @ 0x404949\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x4049A1\nfunction @ 0x405317\n  or:\n    and:\n      os: windows\n      or:\n        api: ReadFile @ 0x40532E\n\nwrite file on Windows (3 matches)\nnamespace  host-interaction/file-system/write                              \nauthor     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\nscope      function                                                        \nmbc        File System::Writes File [C0052]                                \nfunction @ 0x404783\n  or:\n    and:\n      os: windows\n      or:\n        api: WriteFile @ 0x40479F\nfunction @ 0x405336\n  or:\n    and:\n      os: windows\n      or:\n        api: WriteFile @ 0x40534D\nfunction @ 0x40756E\n  or:\n    and:\n      os: windows\n      or:\n        api: WriteFile @ 0x4075CF\n\nenumerate gui resources\nnamespace  host-interaction/gui                           \nauthor     johnk3r, anushka.virgaonkar@mandiant.com       \nscope      function                                       \natt&ck     Discovery::Application Window Discovery [T1010]\nfunction @ 0x40B84A\n  or:\n    api: EnumResourceTypes @ 0x40B88F\n\nfind graphical window\nnamespace  host-interaction/gui/window/find               \nauthor     moritz.raabe@mandiant.com                      \nscope      instruction                                    \natt&ck     Discovery::Application Window Discovery [T1010]\ninstruction @ 0x40B943\n  or:\n    api: FindWindow @ 0x40B943\n\nget graphical 
window text (2 matches)\nnamespace  host-interaction/gui/window/get-text           \nauthor     moritz.raabe@mandiant.com                      \nscope      function                                       \nmbc        Discovery::Application Window Discovery [E1010]\nfunction @ 0x40630B\n  or:\n    and:\n      api: GetWindowText @ 0x406352\nfunction @ 0x4063CA\n  or:\n    and:\n      api: GetWindowText @ 0x40648E\n\nhide graphical window (2 matches)\nnamespace  host-interaction/gui/window/hide                          \nauthor     michael.hunhoff@mandiant.com                              \nscope      basic block                                               \natt&ck     Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\nbasic block @ 0x40127C in function 0x40109F\n  and:\n    number: 0x0 = SW_HIDE @ 0x401282, 0x401297\n    api: ShowWindow @ 0x401295, 0x4012A4\nbasic block @ 0x40B2AA in function 0x40B0C6\n  and:\n    number: 0x0 = SW_HIDE @ 0x40B2AA\n    api: ShowWindow @ 0x40B2B2\n\ncreate process on Windows\nnamespace  host-interaction/process/create\nauthor     moritz.raabe@mandiant.com      \nscope      basic block                    \nmbc        Process::Create Process [C0017]\nbasic block @ 0x4051A5 in function 0x4051A5\n  or:\n    api: ShellExecute @ 0x4051BB\n\nterminate process (2 matches)\nnamespace  host-interaction/process/terminate                                   \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \nmbc        Process::Terminate Process [C0018]                                   \nfunction @ 0x401801\n  or:\n    and:\n      or:\n        api: ExitProcess @ 0x40180F\nfunction @ 0x40D3D0\n  or:\n    api: exit @ 0x40D573\n\nquery or enumerate registry value\nnamespace  host-interaction/registry                                            
\nauthor     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com,       \n           anushka.virgaonkar@mandiant.com                                      \nscope      function                                                             \natt&ck     Discovery::Query Registry [T1012]                                    \nmbc        Operating System::Registry::Query Registry Value [C0036.006]         \nfunction @ 0x40C721\n  and:\n    or:\n      api: RegQueryValueEx @ 0x40C73C\n\ncreate thread (2 matches)\nnamespace  host-interaction/thread/create                                       \nauthor     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com,             \n           joakim@intezer.com, anushka.virgaonkar@mandiant.com                  \nscope      basic block                                                          \nmbc        Process::Create Thread [C0038]                                       \nbasic block @ 0x4095D1 in function 0x4094FF\n  or:\n    and:\n      os: windows\n      or:\n        api: CreateThread @ 0x4095FA\nbasic block @ 0x40A9DA in function 0x40A9CC\n  or:\n    and:\n      os: windows\n      or:\n        api: CreateThread @ 0x40A9EA\n\nlink function at runtime on Windows (35 matches)\nnamespace  linking/runtime-linking                        \nauthor     moritz.raabe@mandiant.com, mehunhoff@google.com\nscope      instruction                                    \natt&ck     Execution::Shared Modules [T1129]              \ninstruction @ 0x403339\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x403339\ninstruction @ 0x40BDB4\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40BDB4\ninstruction @ 0x40BDC5\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40BDC5\ninstruction @ 0x40BDD6\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40BDD6\ninstruction @ 0x40BDE7\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40BDE7\ninstruction @ 0x40BDF8\n  and:\n    os: 
windows\n    or:\n      api: GetProcAddress @ 0x40BDF8\ninstruction @ 0x40BE3C\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40BE3C\ninstruction @ 0x40BE4D\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40BE4D\ninstruction @ 0x40BE5E\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40BE5E\ninstruction @ 0x40BE6F\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40BE6F\ninstruction @ 0x40BE80\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40BE80\ninstruction @ 0x40C99E\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40C99E\ninstruction @ 0x40C9B0\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40C9B0\ninstruction @ 0x40C9C2\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40C9C2\ninstruction @ 0x40C9D4\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40C9D4\ninstruction @ 0x40C9E6\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40C9E6\ninstruction @ 0x40C9F8\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40C9F8\ninstruction @ 0x40CA0A\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40CA0A\ninstruction @ 0x40CA1C\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40CA1C\ninstruction @ 0x40CA2E\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40CA2E\ninstruction @ 0x40CA40\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40CA40\ninstruction @ 0x40CB8B\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40CB8B\ninstruction @ 0x40D0DF\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D0DF\ninstruction @ 0x40D0EB\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D0EB\ninstruction @ 0x40D0F7\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D0F7\ninstruction @ 0x40D103\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D103\ninstruction @ 
0x40D10F\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D10F\ninstruction @ 0x40D11B\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D11B\ninstruction @ 0x40D127\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D127\ninstruction @ 0x40D133\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D133\ninstruction @ 0x40D13F\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D13F\ninstruction @ 0x40D14B\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D14B\ninstruction @ 0x40D1F2\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D1F2\ninstruction @ 0x40D1FE\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D1FE\ninstruction @ 0x40D20A\n  and:\n    os: windows\n    or:\n      api: GetProcAddress @ 0x40D20A\n\nlink many functions at runtime (4 matches)\nnamespace  linking/runtime-linking                      \nauthor     moritz.raabe@mandiant.com, joakim@intezer.com\nscope      function                                     \natt&ck     Execution::Shared Modules [T1129]            \nfunction @ 0x40BD8C\n  or:\n    count(match(link function at runtime on Windows)): 5 or more @ 0x40BDB4, 0x40BDC5, 0x40BDD6, 0x40BDE7, and 1 more...\nfunction @ 0x40BE10\n  or:\n    count(match(link function at runtime on Windows)): 5 or more @ 0x40BE3C, 0x40BE4D, 0x40BE5E, 0x40BE6F, and 1 more...\nfunction @ 0x40C976\n  or:\n    count(match(link function at runtime on Windows)): 5 or more @ 0x40C99E, 0x40C9B0, 0x40C9C2, 0x40C9D4, and 6 more...\nfunction @ 0x40D0B8\n  or:\n    count(match(link function at runtime on Windows)): 5 or more @ 0x40D0DF, 0x40D0EB, 0x40D0F7, 0x40D103, and 6 more...\n\nparse PE header\nnamespace  load-code/pe                     \nauthor     moritz.raabe@mandiant.com        \nscope      function                         \natt&ck     Execution::Shared Modules [T1129]\nfunction @ 0x40D3D0\n  and:\n    os: windows\n    and:\n      
mnemonic: cmp @ 0x40D3E5, 0x40D3F1, 0x40D3FD, 0x40D404, and 14 more...\n      or:\n        number: 0x4550 = IMAGE_NT_SIGNATURE (PE) @ 0x40D3F1\n      or:\n        number: 0x5A4D = IMAGE_DOS_SIGNATURE (MZ) @ 0x40D3E5\n\nresolve function by parsing PE exports (2 matches)\nnamespace  load-code/pe\nauthor     sara-rn     \nscope      function    \nfunction @ 0x4024E9\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x4024E9\n      mnemonic: movzx @ 0x4027F8, 0x402822, 0x40294A, 0x40294E, and 7 more...\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x402802\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x4025C2, 0x4026ED, 0x402A70\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x4028E2, 0x402A78\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x40270C, 0x402743, 0x402783, 0x402854, and 3 more...\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x4028B6, 0x402966, 0x40296A, 0x402AA5, and 3 more...\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x4026B4, 0x402986, 0x402A21, 0x402A2B, and 6 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40277D, 0x40295A, 0x402A01, 0x402AE3, and 5 more...\nfunction @ 0x40C1F3\n  and:\n    os: windows\n    or:\n      characteristic: loop @ 0x40C1F3\n    and:\n      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x40C4B1, 0x40C4F0, 0x40C52E\n      or:\n        and:\n          arch: i386\n          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x40C2A5, 0x40C2C0, 0x40C3C0\n      3 or more:\n        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x40C23F, 0x40C254, 0x40C275, 0x40C2B0, and 12 more...\n        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x40C39C, 0x40C3A9\n        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x40C21C, 
0x40C38D, 0x40C398, 0x40C463\n        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x40C237, 0x40C2FB, 0x40C3A2, 0x40C3EA, and 1 more...\n        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40C2DC, 0x40C35F, 0x40C3B9, 0x40C419, and 1 more...\n\n\n\n"},"hashes":{"md5":"8f293fe4c3cfcbc2e5981327e228d80a","sha1":"d47b85ee7ed12c5a32dd9409fdd805359f3f82e8","sha256":"ce8b3d8414576a20ee60cfabc560360f602ac6715ffd1e546b508cd5be5394aa"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n            text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            
padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node {\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 
1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" 
style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    <span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 367</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 17372</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"WirelessNetView-019e5db7803a7f\\u2026\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"8f293fe4c3cfcbc2e5981327e228d80a\",\n        \"sha256\": \"ce8b3d8414576a20ee60cfabc560360f602ac6715ffd1e546b508cd\",\n        \"arch\": \"i386\",\n        \"os\": \"windows\",\n        \"format\": \"pe\"\n      }\n    },\n    {\n      \"id\": \"cap_contain_loop__90_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"contain loop (90 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x401000\",\n      \"label\": \"Function 0x401000\",\n      \"type\": 
\"function\",\n      \"address\": \"0x401000\"\n    },\n    {\n      \"id\": \"cap_create_or_open_file__3_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"create or open file (3 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Create File [C0016]\"\n      ]\n    },\n    {\n      \"id\": \"api_CreateFile\",\n      \"label\": \"CreateFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_delay_execution__2_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": \"delay execution (2 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed\",\n        \"Execution [B0003.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4095D1\",\n      \"label\": \"Block 0x4095D1\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4095D1\"\n    },\n    {\n      \"id\": \"api_WaitForSingleObject\",\n      \"label\": \"WaitForSingleObject\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_geographical_location\",\n      \"label\": \"get geographical location\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery [T1614]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x405023\",\n      \"label\": \"Function 0x405023\",\n      \"type\": \"function\",\n      \"address\": \"0x405023\"\n    },\n    {\n      \"id\": \"api_GetLocaleInfo\",\n      \"label\": \"GetLocaleInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n 
     \"label\": \"author     moritz.raabe, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::System Location Discovery [T1614]\"\n      ]\n    },\n    {\n      \"id\": \"cap_log_keystrokes_via_polling__3_matches_\",\n      \"label\": \"log keystrokes via polling (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Keylogging::Polling [F0002.002]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40AF40\",\n      \"label\": \"Function 0x40AF40\",\n      \"type\": \"function\",\n      \"address\": \"0x40AF40\"\n    },\n    {\n      \"id\": \"func_0x4044CF\",\n      \"label\": \"Function 0x4044CF\",\n      \"type\": \"function\",\n      \"address\": \"0x4044CF\"\n    },\n    {\n      \"id\": \"func_0x4044BC\",\n      \"label\": \"Function 0x4044BC\",\n      \"type\": \"function\",\n      \"address\": \"0x4044BC\"\n    },\n    {\n      \"id\": \"api_GetKeyState\",\n      \"label\": \"GetKeyState\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Keylogging::Polling [F0002.002]\"\n      ]\n    },\n    {\n      \"id\": \"cap_contains_pdb_path\",\n      \"label\": \"contains PDB path\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_extract_resource_via_kernel32_functions\",\n      \"label\": 
\"extract resource via kernel32 functions\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x40C8D5\",\n      \"label\": \"Function 0x40C8D5\",\n      \"type\": \"function\",\n      \"address\": \"0x40C8D5\"\n    },\n    {\n      \"id\": \"api_LockResource\",\n      \"label\": \"LockResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_LoadResource\",\n      \"label\": \"LoadResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_FindResource\",\n      \"label\": \"FindResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SizeofResource\",\n      \"label\": \"SizeofResource\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"cap_open_clipboard\",\n      \"label\": \"open clipboard\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Collection::Clipboard Data [T1115]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x409DB4\",\n      \"label\": \"Function 0x409DB4\",\n      \"type\": \"function\",\n      \"address\": \"0x409DB4\"\n    },\n    {\n      \"id\": \"api_OpenClipboard\",\n      \"label\": \"OpenClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_write_clipboard_data\",\n      \"label\": \"write clipboard data\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::Clipboard Modification [E1510]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x404949\",\n      
\"label\": \"Function 0x404949\",\n      \"type\": \"function\",\n      \"address\": \"0x404949\"\n    },\n    {\n      \"id\": \"api_EmptyClipboard\",\n      \"label\": \"EmptyClipboard\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_SetClipboardData\",\n      \"label\": \"SetClipboardData\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author      michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Impact::Clipboard Modification [E1510]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_common_file_path__2_matches_\",\n      \"label\": \"get common file path (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x404D61\",\n      \"label\": \"Function 0x404D61\",\n      \"type\": \"function\",\n      \"address\": \"0x404D61\"\n    },\n    {\n      \"id\": \"api_GetTempPath\",\n      \"label\": \"GetTempPath\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetWindowsDirectory\",\n      \"label\": \"GetWindowsDirectory\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetTempFileName\",\n      \"label\": \"GetTempFileName\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"label\": \"anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      
]\n    },\n    {\n      \"id\": \"cap_get_file_system_object_information\",\n      \"label\": \"get file system object information\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [T1083]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4083D0\",\n      \"label\": \"Block 0x4083D0\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4083D0\"\n    },\n    {\n      \"id\": \"api_SHGetFileInfo\",\n      \"label\": \"SHGetFileInfo\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_delete_file\",\n      \"label\": \"delete file\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"api_DeleteFile\",\n      \"label\": \"DeleteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Delete File [C0047]\"\n      ]\n    },\n    {\n      \"id\": \"cap_check_if_file_exists\",\n      \"label\": \"check if file exists\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x404B74\",\n      \"label\": \"Function 0x404B74\",\n      \"type\": \"function\",\n      \"address\": \"0x404B74\"\n    },\n    {\n      \"id\": \"api_GetFileAttributes\",\n      \"label\": \"GetFileAttributes\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      
\"id\": \"cap_get_file_attributes\",\n      \"label\": \"get file attributes\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x404B74\",\n      \"label\": \"Block 0x404B74\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x404B74\"\n    },\n    {\n      \"id\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Get File Attributes [C0049]\"\n      ]\n    },\n    {\n      \"id\": \"cap_get_file_size__3_matches_\",\n      \"label\": \"get file size (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::File and Directory Discovery [E1083]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x408E1D\",\n      \"label\": \"Function 0x408E1D\",\n      \"type\": \"function\",\n      \"address\": \"0x408E1D\"\n    },\n    {\n      \"id\": \"func_0x4087D8\",\n      \"label\": \"Function 0x4087D8\",\n      \"type\": \"function\",\n      \"address\": \"0x4087D8\"\n    },\n    {\n      \"id\": \"api_GetFileSize\",\n      \"label\": \"GetFileSize\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_read__ini_file__7_matches_\",\n      \"label\": \"read .ini file (7 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x4060D8\",\n      \"label\": \"Function 0x4060D8\",\n      \"type\": \"function\",\n      \"address\": \"0x4060D8\"\n    },\n    {\n      \"id\": 
\"func_0x40652E\",\n      \"label\": \"Function 0x40652E\",\n      \"type\": \"function\",\n      \"address\": \"0x40652E\"\n    },\n    {\n      \"id\": \"func_0x40C6D5\",\n      \"label\": \"Function 0x40C6D5\",\n      \"type\": \"function\",\n      \"address\": \"0x40C6D5\"\n    },\n    {\n      \"id\": \"func_0x40C62F\",\n      \"label\": \"Function 0x40C62F\",\n      \"type\": \"function\",\n      \"address\": \"0x40C62F\"\n    },\n    {\n      \"id\": \"func_0x4060FD\",\n      \"label\": \"Function 0x4060FD\",\n      \"type\": \"function\",\n      \"address\": \"0x4060FD\"\n    },\n    {\n      \"id\": \"func_0x40C853\",\n      \"label\": \"Function 0x40C853\",\n      \"type\": \"function\",\n      \"address\": \"0x40C853\"\n    },\n    {\n      \"id\": \"func_0x406170\",\n      \"label\": \"Function 0x406170\",\n      \"type\": \"function\",\n      \"address\": \"0x406170\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileInt\",\n      \"label\": \"GetPrivateProfileInt\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_GetPrivateProfileString\",\n      \"label\": \"GetPrivateProfileString\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"label\": \"author     @_re_fox, michael.hunhoff@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_read_file_on_windows__2_matches_\",\n      \"label\": \"read file on Windows (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x405317\",\n      \"label\": \"Function 0x405317\",\n      \"type\": \"function\",\n      \"address\": \"0x405317\"\n    
},\n    {\n      \"id\": \"api_ReadFile\",\n      \"label\": \"ReadFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Read File [C0051]\"\n      ]\n    },\n    {\n      \"id\": \"cap_write_file_on_windows__3_matches_\",\n      \"label\": \"write file on Windows (3 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x404783\",\n      \"label\": \"Function 0x404783\",\n      \"type\": \"function\",\n      \"address\": \"0x404783\"\n    },\n    {\n      \"id\": \"func_0x40756E\",\n      \"label\": \"Function 0x40756E\",\n      \"type\": \"function\",\n      \"address\": \"0x40756E\"\n    },\n    {\n      \"id\": \"func_0x405336\",\n      \"label\": \"Function 0x405336\",\n      \"type\": \"function\",\n      \"address\": \"0x405336\"\n    },\n    {\n      \"id\": \"api_WriteFile\",\n      \"label\": \"WriteFile\",\n      \"type\": \"api\",\n      \"category\": \"file_system\"\n    },\n    {\n      \"id\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"File System::Writes File [C0052]\"\n      ]\n    },\n    {\n      \"id\": \"cap_enumerate_gui_resources\",\n      \"label\": \"enumerate gui resources\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      
\"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40B84A\",\n      \"label\": \"Function 0x40B84A\",\n      \"type\": \"function\",\n      \"address\": \"0x40B84A\"\n    },\n    {\n      \"id\": \"api_EnumResourceTypes\",\n      \"label\": \"EnumResourceTypes\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"author     johnk3r, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"cap_find_graphical_window\",\n      \"label\": \"find graphical window\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [T1010]\"\n      ]\n    },\n    {\n      \"id\": \"api_FindWindow\",\n      \"label\": \"FindWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_get_graphical_window_text__2_matches_\",\n      \"label\": \"get graphical window text (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Discovery::Application Window Discovery [E1010]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40630B\",\n      \"label\": \"Function 0x40630B\",\n      \"type\": \"function\",\n      \"address\": \"0x40630B\"\n    },\n    {\n      \"id\": \"func_0x4063CA\",\n      \"label\": \"Function 0x4063CA\",\n      \"type\": \"function\",\n      \"address\": \"0x4063CA\"\n    },\n    {\n      \"id\": \"api_GetWindowText\",\n      \"label\": \"GetWindowText\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": 
\"cap_hide_graphical_window__2_matches_\",\n      \"label\": \"hide graphical window (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x40127C\",\n      \"label\": \"Block 0x40127C\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40127C\"\n    },\n    {\n      \"id\": \"bb_0x40B2AA\",\n      \"label\": \"Block 0x40B2AA\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40B2AA\"\n    },\n    {\n      \"id\": \"api_ShowWindow\",\n      \"label\": \"ShowWindow\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_process_on_windows\",\n      \"label\": \"create process on Windows\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Process [C0017]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x4051A5\",\n      \"label\": \"Block 0x4051A5\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x4051A5\"\n    },\n    {\n      \"id\": \"api_ShellExecute\",\n      \"label\": \"ShellExecute\",\n      \"type\": \"api\",\n      \"category\": \"process\"\n    },\n    {\n      \"id\": \"cap_terminate_process__2_matches_\",\n      \"label\": \"terminate process (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Terminate Process [C0018]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40D3D0\",\n      \"label\": \"Function 0x40D3D0\",\n      \"type\": \"function\",\n      \"address\": \"0x40D3D0\"\n    },\n    {\n      \"id\": \"func_0x401801\",\n      \"label\": \"Function 0x401801\",\n      \"type\": \"function\",\n      \"address\": \"0x401801\"\n    },\n    {\n      \"id\": \"api_exit\",\n      \"label\": \"exit\",\n      
\"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"api_ExitProcess\",\n      \"label\": \"ExitProcess\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_query_or_enumerate_registry_value\",\n      \"label\": \"query or enumerate registry value\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Operating System::Registry::Query Registry Value [C0036.006]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40C721\",\n      \"label\": \"Function 0x40C721\",\n      \"type\": \"function\",\n      \"address\": \"0x40C721\"\n    },\n    {\n      \"id\": \"api_RegQueryValueEx\",\n      \"label\": \"RegQueryValueEx\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_create_thread__2_matches_\",\n      \"label\": \"create thread (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"medium\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"bb_0x40A9DA\",\n      \"label\": \"Block 0x40A9DA\",\n      \"type\": \"basic_block\",\n      \"address\": \"0x40A9DA\"\n    },\n    {\n      \"id\": \"api_CreateThread\",\n      \"label\": \"CreateThread\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"label\": \"joakim@intezer.com, anushka.virgaonkar@mandiant.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Process::Create Thread [C0038]\"\n      ]\n    },\n    {\n      \"id\": \"cap_link_function_at_runtime_on_windows__35_matches_\",\n      \"label\": \"link function at runtime on Windows (35 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n  
      \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"api_GetProcAddress\",\n      \"label\": \"GetProcAddress\",\n      \"type\": \"api\",\n      \"category\": \"other\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, mehunhoff@google.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"label\": \"link many functions at runtime (4 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"func_0x40C976\",\n      \"label\": \"Function 0x40C976\",\n      \"type\": \"function\",\n      \"address\": \"0x40C976\"\n    },\n    {\n      \"id\": \"func_0x40D0B8\",\n      \"label\": \"Function 0x40D0B8\",\n      \"type\": \"function\",\n      \"address\": \"0x40D0B8\"\n    },\n    {\n      \"id\": \"func_0x40BE10\",\n      \"label\": \"Function 0x40BE10\",\n      \"type\": \"function\",\n      \"address\": \"0x40BE10\"\n    },\n    {\n      \"id\": \"func_0x40BD8C\",\n      \"label\": \"Function 0x40BD8C\",\n      \"type\": \"function\",\n      \"address\": \"0x40BD8C\"\n    },\n    {\n      \"id\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"label\": \"author     moritz.raabe@mandiant.com, joakim@intezer.com\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_parse_pe_header\",\n      \"label\": \"parse PE header\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": 
\"\",\n      \"mitre\": [\n        \"Execution::Shared Modules [T1129]\"\n      ]\n    },\n    {\n      \"id\": \"cap_resolve_function_by_parsing_pe_exports__2_matches_\",\n      \"label\": \"resolve function by parsing PE exports (2 matches)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x40C1F3\",\n      \"label\": \"Function 0x40C1F3\",\n      \"type\": \"function\",\n      \"address\": \"0x40C1F3\"\n    },\n    {\n      \"id\": \"func_0x4024E9\",\n      \"label\": \"Function 0x4024E9\",\n      \"type\": \"function\",\n      \"address\": \"0x4024E9\"\n    },\n    {\n      \"id\": \"cap_author_____sara_rn\",\n      \"label\": \"author     sara-rn\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_loop__90_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_contain_loop__90_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x401000\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_or_open_file__3_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delay_execution__2_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delay_execution__2_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"bb_0x4095D1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_geographical_location\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"cap_get_geographical_location\",\n      \"target\": \"func_0x405023\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x405023\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x405023\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x405023\",\n      \"target\": \"api_GetLocaleInfo\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_log_keystrokes_via_polling__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__3_matches_\",\n      \"target\": \"func_0x40AF40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__3_matches_\",\n      \"target\": \"func_0x4044CF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_log_keystrokes_via_polling__3_matches_\",\n      \"target\": \"func_0x4044BC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40AF40\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4044CF\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4044BC\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": 
\"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40AF40\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4044CF\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4044BC\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40AF40\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4044CF\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4044BC\",\n      \"target\": \"api_GetKeyState\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contains_pdb_path\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_extract_resource_via_kernel32_functions\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_extract_resource_via_kernel32_functions\",\n      \"target\": \"func_0x40C8D5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40C8D5\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C8D5\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C8D5\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C8D5\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      
\"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com\",\n      \"target\": \"func_0x40C8D5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40C8D5\",\n      \"target\": \"api_LockResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C8D5\",\n      \"target\": \"api_LoadResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C8D5\",\n      \"target\": \"api_FindResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C8D5\",\n      \"target\": \"api_SizeofResource\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_open_clipboard\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_open_clipboard\",\n      \"target\": \"func_0x409DB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x409DB4\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x409DB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x409DB4\",\n      \"target\": \"api_OpenClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_clipboard_data\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_clipboard_data\",\n      \"target\": \"func_0x404949\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x404949\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404949\",\n      
\"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author______michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x404949\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x404949\",\n      \"target\": \"api_EmptyClipboard\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404949\",\n      \"target\": \"api_SetClipboardData\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_common_file_path__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__2_matches_\",\n      \"target\": \"func_0x409DB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_common_file_path__2_matches_\",\n      \"target\": \"func_0x404D61\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x409DB4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404D61\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409DB4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404D61\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409DB4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404D61\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    
{\n      \"source\": \"malware_file\",\n      \"target\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x409DB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x404D61\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x409DB4\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404D61\",\n      \"target\": \"api_GetTempPath\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409DB4\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404D61\",\n      \"target\": \"api_GetWindowsDirectory\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x409DB4\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404D61\",\n      \"target\": \"api_GetTempFileName\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_system_object_information\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_system_object_information\",\n      \"target\": \"bb_0x4083D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x4083D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_delete_file\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_delete_file\",\n      \"target\": \"func_0x409DB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    
{\n      \"source\": \"func_0x409DB4\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x409DB4\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x409DB4\",\n      \"target\": \"api_DeleteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_check_if_file_exists\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_check_if_file_exists\",\n      \"target\": \"func_0x404B74\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x404B74\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x404B74\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x404B74\",\n      \"target\": \"api_GetFileAttributes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_attributes\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_attributes\",\n      \"target\": \"bb_0x404B74\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x404B74\",\n      
\"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_file_size__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_file_size__3_matches_\",\n      \"target\": \"func_0x408E1D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_size__3_matches_\",\n      \"target\": \"func_0x404949\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_file_size__3_matches_\",\n      \"target\": \"func_0x4087D8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x408E1D\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404949\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4087D8\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x408E1D\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x404949\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x4087D8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x408E1D\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404949\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4087D8\",\n      \"target\": \"api_GetFileSize\",\n      \"relationship\": \"calls\"\n   
 },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read__ini_file__7_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__7_matches_\",\n      \"target\": \"func_0x4060D8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__7_matches_\",\n      \"target\": \"func_0x40652E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__7_matches_\",\n      \"target\": \"func_0x40C6D5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__7_matches_\",\n      \"target\": \"func_0x40C62F\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__7_matches_\",\n      \"target\": \"func_0x4060FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__7_matches_\",\n      \"target\": \"func_0x40C853\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read__ini_file__7_matches_\",\n      \"target\": \"func_0x406170\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4060D8\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40652E\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C6D5\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C62F\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4060FD\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C853\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      
\"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406170\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4060D8\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40652E\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C6D5\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C62F\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4060FD\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C853\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406170\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4060D8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40652E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40C6D5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40C62F\",\n      \"relationship\": 
\"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x4060FD\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x40C853\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_______re_fox__michael_hunhoff_mandiant_com\",\n      \"target\": \"func_0x406170\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x4060D8\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40652E\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C6D5\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C62F\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4060FD\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C853\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406170\",\n      \"target\": \"api_GetPrivateProfileInt\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4060D8\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40652E\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C6D5\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C62F\",\n      \"target\": 
\"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4060FD\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40C853\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x406170\",\n      \"target\": \"api_GetPrivateProfileString\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_read_file_on_windows__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__2_matches_\",\n      \"target\": \"func_0x405317\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_read_file_on_windows__2_matches_\",\n      \"target\": \"func_0x404949\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x405317\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404949\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x405317\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x404949\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x405317\",\n      \"target\": \"api_ReadFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x404949\",\n      \"target\": \"api_ReadFile\",\n 
     \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_write_file_on_windows__3_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__3_matches_\",\n      \"target\": \"func_0x404783\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__3_matches_\",\n      \"target\": \"func_0x40756E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_write_file_on_windows__3_matches_\",\n      \"target\": \"func_0x405336\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x404783\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40756E\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405336\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x404783\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40756E\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____william_ballenthin_mandiant_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x405336\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x404783\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": 
\"func_0x40756E\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x405336\",\n      \"target\": \"api_WriteFile\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_enumerate_gui_resources\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_enumerate_gui_resources\",\n      \"target\": \"func_0x40B84A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40B84A\",\n      \"target\": \"api_EnumResourceTypes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____johnk3r__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40B84A\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40B84A\",\n      \"target\": \"api_EnumResourceTypes\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_find_graphical_window\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_get_graphical_window_text__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__2_matches_\",\n      \"target\": \"func_0x40630B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_get_graphical_window_text__2_matches_\",\n      \"target\": \"func_0x4063CA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40630B\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4063CA\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": 
\"calls\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x40630B\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x4063CA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40630B\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x4063CA\",\n      \"target\": \"api_GetWindowText\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_hide_graphical_window__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__2_matches_\",\n      \"target\": \"bb_0x40127C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_hide_graphical_window__2_matches_\",\n      \"target\": \"bb_0x40B2AA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x40127C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____michael_hunhoff_mandiant_com\",\n      \"target\": \"bb_0x40B2AA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_process_on_windows\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_process_on_windows\",\n      \"target\": \"bb_0x4051A5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"bb_0x4051A5\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_terminate_process__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    
{\n      \"source\": \"cap_terminate_process__2_matches_\",\n      \"target\": \"func_0x40D3D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_terminate_process__2_matches_\",\n      \"target\": \"func_0x401801\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40D3D0\",\n      \"target\": \"api_exit\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x401801\",\n      \"target\": \"api_exit\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D3D0\",\n      \"target\": \"api_ExitProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x401801\",\n      \"target\": \"api_ExitProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40D3D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x401801\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40D3D0\",\n      \"target\": \"api_exit\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x401801\",\n      \"target\": \"api_exit\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x40D3D0\",\n      \"target\": \"api_ExitProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"func_0x401801\",\n      \"target\": \"api_ExitProcess\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_query_or_enumerate_registry_value\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_query_or_enumerate_registry_value\",\n      \"target\": \"func_0x40C721\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40C721\",\n      \"target\": 
\"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"cap_anushka_virgaonkar_mandiant_com\",\n      \"target\": \"func_0x40C721\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"func_0x40C721\",\n      \"target\": \"api_RegQueryValueEx\",\n      \"relationship\": \"calls\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_create_thread__2_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_create_thread__2_matches_\",\n      \"target\": \"bb_0x4095D1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_create_thread__2_matches_\",\n      \"target\": \"bb_0x40A9DA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x4095D1\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_joakim_intezer_com__anushka_virgaonkar_mandiant_com\",\n      \"target\": \"bb_0x40A9DA\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_link_function_at_runtime_on_windows__35_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__mehunhoff_google_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"target\": \"func_0x40C976\",\n      \"relationship\": \"implemented_by\"\n    },\n    
{\n      \"source\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"target\": \"func_0x40D0B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"target\": \"func_0x40BE10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_link_many_functions_at_runtime__4_matches_\",\n      \"target\": \"func_0x40BD8C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x40C976\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x40D0B8\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x40BE10\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com__joakim_intezer_com\",\n      \"target\": \"func_0x40BD8C\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_parse_pe_header\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_parse_pe_header\",\n      \"target\": \"func_0x40D3D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____moritz_raabe_mandiant_com\",\n      \"target\": \"func_0x40D3D0\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_resolve_function_by_parsing_pe_exports__2_matches_\",\n      \"relationship\": 
\"exhibits\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__2_matches_\",\n      \"target\": \"func_0x40C1F3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_resolve_function_by_parsing_pe_exports__2_matches_\",\n      \"target\": \"func_0x4024E9\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_author_____sara_rn\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x40C1F3\",\n      \"relationship\": \"implemented_by\"\n    },\n    {\n      \"source\": \"cap_author_____sara_rn\",\n      \"target\": \"func_0x4024E9\",\n      \"relationship\": \"implemented_by\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-05-25 11:31:29.560369\",\n    \"total_functions\": \"367\",\n    \"total_features\": \"17372\",\n    \"pdb_path\": \"c:\\\\\\\\Projects\\\\\\\\VS2005\\\\\\\\WirelessNetView\\\\\\\\Release\\\\\\\\WirelessNetView.pdb\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", 
d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 
15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) 
{\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? 
\"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-05-25 11:31:30"}
{"_id":{"$oid":"6a14615f32de6bb6782baad6"},"sha256":"bc1363062c4f4aff514d71fd85fc9a5a08ad7fc2ea9a40298bb8865d041b8a3f","analysis_data":{"success":true,"results":{"normal":{"success":true,"path":"/tmp/sdm_capa_0i8nyn7z/zlib_offset_0x6aee8_7.bin_normal.txt"},"verbose":{"success":true,"path":"/tmp/sdm_capa_0i8nyn7z/zlib_offset_0x6aee8_7.bin_verbose.txt"},"very_verbose":{"success":true,"path":"/tmp/sdm_capa_0i8nyn7z/zlib_offset_0x6aee8_7.bin_very_verbose.txt"}},"outputs":{"normal":"┌───────────┬──────────────────────────────────────────────────────────────────┐\n│ md5       │ 2ff9d894ba5e8f7880f0031866203995                                 │\n│ sha1      │ dd594003fb744f4b2b944e1b10b78a7026e72104                         │\n│ sha256    │ ab64835b63093c31975df2692756c8008e7ec190e4aa86f15a713bcc62e1d432 │\n│ analysis  │ static                                                           │\n│ os        │ windows                                                          │\n│ format    │ pe                                                               │\n│ arch      │ amd64                                                            │\n│ path      │ /tmp/sdm_decoded_3fi8jo5f/zlib_offset_0x6aee8_7.bin              │\n└───────────┴──────────────────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ ATT&CK Tactic             ┃ ATT&CK Technique                                 ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ DEFENSE EVASION           │ Obfuscated Files or Information [T1027]          │\n└───────────────────────────┴──────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ MBC Objective        ┃ MBC Behavior                                          ┃\n┡━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ DATA                 │ Encode 
Data::XOR [C0026.002]                          │\n│ DEFENSE EVASION      │ Obfuscated Files or Information::Encoding-Standard    │\n│                      │ Algorithm [E1027.m02]                                 │\n└──────────────────────┴───────────────────────────────────────────────────────┘\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓\n┃ Capability                              ┃ Namespace                          ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩\n│ encode data using XOR (2 matches)       │ data-manipulation/encoding/xor     │\n└─────────────────────────────────────────┴────────────────────────────────────┘\n\n","verbose":"md5                     2ff9d894ba5e8f7880f0031866203995                        \nsha1                    dd594003fb744f4b2b944e1b10b78a7026e72104                \nsha256                  ab64835b63093c31975df2692756c8008e7ec190e4aa86f15a713bc…\npath                    /tmp/sdm_decoded_3fi8jo5f/zlib_offset_0x6aee8_7.bin     \ntimestamp               2026-05-25 20:18:47.663722                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    amd64                                                   \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x180000000                                             \nrules                   /tmp/_MEIz75NWf/rules                                   \nfunction count          410                                                     \nlibrary function count  32                                                      \ntotal feature count     24175                    
                               \n\nencode data using XOR (2 matches)\nnamespace  data-manipulation/encoding/xor\nscope      basic block                   \nmatches    0x1800039C0                   \n           0x180003A50                   \n\n\n\n","very_verbose":"md5                     2ff9d894ba5e8f7880f0031866203995                        \nsha1                    dd594003fb744f4b2b944e1b10b78a7026e72104                \nsha256                  ab64835b63093c31975df2692756c8008e7ec190e4aa86f15a713bc…\npath                    /tmp/sdm_decoded_3fi8jo5f/zlib_offset_0x6aee8_7.bin     \ntimestamp               2026-05-25 20:19:01.918327                              \ncapa version            9.2.1                                                   \nos                      windows                                                 \nformat                  pe                                                      \narch                    amd64                                                   \nanalysis                static                                                  \nextractor               VivisectFeatureExtractor                                \nbase address            0x180000000                                             \nrules                   /tmp/_MEIM49qV9/rules                                   \nfunction count          410                                                     \nlibrary function count  32                                                      \ntotal feature count     24175                                                   \n\ncontain loop (37 matches, only showing first match of library rule)\nauthor  moritz.raabe@mandiant.com\nscope   function                 \nfunction @ 0x1800010C0\n  or:\n    characteristic: loop @ 0x1800010C0\n\nencode data using XOR (2 matches)\nnamespace  data-manipulation/encoding/xor                                       \nauthor     moritz.raabe@mandiant.com                                            \nscope    
  basic block                                                          \natt&ck     Defense Evasion::Obfuscated Files or Information [T1027]             \nmbc        Defense Evasion::Obfuscated Files or Information::Encoding-Standard  \n           Algorithm [E1027.m02], Data::Encode Data::XOR [C0026.002]            \nbasic block @ 0x1800039C0 in function 0x1800034D0\n  and:\n    characteristic: tight loop @ 0x1800039C0\n    characteristic: nzxor @ 0x1800039DA, 0x1800039E9, 0x1800039FF, 0x180003A15\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\nbasic block @ 0x180003A50 in function 0x1800034D0\n  and:\n    characteristic: tight loop @ 0x180003A50\n    characteristic: nzxor @ 0x180003A62\n    not: = filter for potential false positives\n      or:\n        or: = unsigned bitwise negation operation (~i)\n          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits\n          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits\n        or: = signed bitwise negation operation (~i)\n          number: 0xFFFFFFF = bitwise negation for signed 32 bits\n 
         number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits\n        or: = Magic constants used in the implementation of strings functions.\n          number: 0x7EFEFEFF = optimized string constant for 32 bits\n          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF\n          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF\n          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits\n          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF\n          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF\n\n\n\n"},"hashes":{"md5":"2ff9d894ba5e8f7880f0031866203995","sha1":"dd594003fb744f4b2b944e1b10b78a7026e72104","sha256":"ab64835b63093c31975df2692756c8008e7ec190e4aa86f15a713bcc62e1d432"},"interactive_graph":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <title>Malware Analysis Network Graph</title>\n    <script src=\"https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js\"></script>\n    <style>\n        * {\n            margin: 0;\n            padding: 0;\n            box-sizing: border-box;\n        }\n\n        body {\n            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;\n            background: linear-gradient(135deg, #1a1a2e 0%, #0f0f1e 100%);\n            color: #fff;\n            overflow: hidden;\n        }\n\n        #container {\n            display: flex;\n            height: 100vh;\n        }\n\n        #graph {\n            flex: 1;\n            position: relative;\n        }\n\n        #sidebar {\n            width: 350px;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 20px;\n            overflow-y: auto;\n            border-left: 2px solid rgba(100, 100, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        h1 {\n            font-size: 20px;\n            margin-bottom: 10px;\n            color: #6c63ff;\n 
           text-shadow: 0 0 10px rgba(108, 99, 255, 0.5);\n        }\n\n        h2 {\n            font-size: 16px;\n            margin-top: 20px;\n            margin-bottom: 10px;\n            color: #00d9ff;\n        }\n\n        .info-section {\n            background: rgba(50, 50, 80, 0.5);\n            padding: 12px;\n            border-radius: 8px;\n            margin-bottom: 15px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n        }\n\n        .info-item {\n            margin: 8px 0;\n            font-size: 13px;\n            line-height: 1.6;\n            word-break: break-all;\n        }\n\n        .label {\n            color: #00d9ff;\n            font-weight: bold;\n        }\n\n        .legend {\n            margin-top: 20px;\n        }\n\n        .legend-item {\n            display: flex;\n            align-items: center;\n            margin: 8px 0;\n            font-size: 13px;\n        }\n\n        .legend-color {\n            width: 20px;\n            height: 20px;\n            border-radius: 50%;\n            margin-right: 10px;\n            border: 2px solid rgba(255, 255, 255, 0.3);\n        }\n\n        .controls {\n            position: absolute;\n            top: 20px;\n            left: 20px;\n            z-index: 1000;\n            background: rgba(30, 30, 50, 0.95);\n            padding: 15px;\n            border-radius: 10px;\n            border: 1px solid rgba(108, 99, 255, 0.3);\n            backdrop-filter: blur(10px);\n        }\n\n        button {\n            background: linear-gradient(135deg, #6c63ff 0%, #5848ff 100%);\n            color: white;\n            border: none;\n            padding: 8px 16px;\n            margin: 5px;\n            border-radius: 5px;\n            cursor: pointer;\n            font-size: 12px;\n            transition: all 0.3s;\n        }\n\n        button:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 5px 15px rgba(108, 99, 255, 0.5);\n        }\n\n        .node 
{\n            cursor: pointer;\n            transition: all 0.3s;\n        }\n\n        .node:hover {\n            filter: brightness(1.5);\n        }\n\n        .link {\n            stroke-opacity: 0.6;\n            transition: all 0.3s;\n        }\n\n        .link:hover {\n            stroke-opacity: 1;\n            stroke-width: 3px;\n        }\n\n        text {\n            font-size: 11px;\n            pointer-events: none;\n            text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);\n        }\n\n        .severity-high {\n            animation: pulse 2s infinite;\n        }\n\n        @keyframes pulse {\n            0%, 100% { opacity: 1; }\n            50% { opacity: 0.6; }\n        }\n\n        ::-webkit-scrollbar {\n            width: 8px;\n        }\n\n        ::-webkit-scrollbar-track {\n            background: rgba(30, 30, 50, 0.5);\n        }\n\n        ::-webkit-scrollbar-thumb {\n            background: rgba(108, 99, 255, 0.5);\n            border-radius: 4px;\n        }\n\n        ::-webkit-scrollbar-thumb:hover {\n            background: rgba(108, 99, 255, 0.8);\n        }\n    </style>\n</head>\n<body>\n    <div id=\"container\">\n        <div id=\"graph\">\n            <div class=\"controls\">\n                <button onclick=\"resetZoom()\">Reset View</button>\n                <button onclick=\"toggleLabels()\">Toggle Labels</button>\n                <button onclick=\"togglePhysics()\">Toggle Physics</button>\n            </div>\n        </div>\n        <div id=\"sidebar\">\n            <h1>🔍 Malware Analysis</h1>\n            <div id=\"node-info\" class=\"info-section\">\n                <p style=\"color: #888;\">Click on a node to see details</p>\n            </div>\n            \n            <div class=\"legend\">\n                <h2>Legend</h2>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff4757;\"></div>\n                    <span>File</span>\n                </div>\n          
      <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ff6348;\"></div>\n                    <span>Capability (High)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #ffa502;\"></div>\n                    <span>Capability (Medium)</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #5f27cd;\"></div>\n                    <span>Function</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #00d2d3;\"></div>\n                    <span>API Call</span>\n                </div>\n                <div class=\"legend-item\">\n                    <div class=\"legend-color\" style=\"background: #1dd1a1;\"></div>\n                    <span>Basic Block</span>\n                </div>\n            </div>\n\n            <div class=\"info-section\">\n                <h2>Analysis Info</h2>\n                <div class=\"info-item\"><span class=\"label\">Type:</span> static</div>\n                <div class=\"info-item\"><span class=\"label\">Functions:</span> 410</div>\n                <div class=\"info-item\"><span class=\"label\">Features:</span> 24175</div>\n            </div>\n        </div>\n    </div>\n\n    <script>\n        const graphData = {\n  \"nodes\": [\n    {\n      \"id\": \"malware_file\",\n      \"label\": \"zlib_offset_0x6aee8_7.bin\",\n      \"type\": \"file\",\n      \"properties\": {\n        \"md5\": \"2ff9d894ba5e8f7880f0031866203995\",\n        \"sha256\": \"ab64835b63093c31975df2692756c8008e7ec190e4aa86f15a713bc\",\n        \"arch\": \"amd64\",\n        \"os\": \"windows\",\n        \"format\": \"pe\"\n      }\n    },\n    {\n      \"id\": \"cap_contain_loop__37_matches__only_showing_first_match_of_library_rule_\",\n      \"label\": 
\"contain loop (37 matches, only showing first match of library rule)\",\n      \"type\": \"capability\",\n      \"severity\": \"low\",\n      \"category\": \"\"\n    },\n    {\n      \"id\": \"func_0x1800010C0\",\n      \"label\": \"Function 0x1800010C0\",\n      \"type\": \"function\",\n      \"address\": \"0x1800010C0\"\n    }\n  ],\n  \"edges\": [\n    {\n      \"source\": \"malware_file\",\n      \"target\": \"cap_contain_loop__37_matches__only_showing_first_match_of_library_rule_\",\n      \"relationship\": \"exhibits\"\n    },\n    {\n      \"source\": \"cap_contain_loop__37_matches__only_showing_first_match_of_library_rule_\",\n      \"target\": \"func_0x1800010C0\",\n      \"relationship\": \"implemented_by\"\n    }\n  ],\n  \"metadata\": {\n    \"analysis_type\": \"static\",\n    \"version\": \"9.2.1\",\n    \"timestamp\": \"2026-05-25 20:19:01.918327\",\n    \"total_functions\": \"410\",\n    \"total_features\": \"24175\",\n    \"pdb_path\": \"\"\n  }\n};\n\n        const width = window.innerWidth - 350;\n        const height = window.innerHeight;\n\n        const svg = d3.select(\"#graph\")\n            .append(\"svg\")\n            .attr(\"width\", width)\n            .attr(\"height\", height);\n\n        const g = svg.append(\"g\");\n\n        const zoom = d3.zoom()\n            .scaleExtent([0.1, 4])\n            .on(\"zoom\", (event) => {\n                g.attr(\"transform\", event.transform);\n            });\n\n        svg.call(zoom);\n\n        const colorMap = {\n            \"file\": \"#ff4757\",\n            \"capability\": \"#ff6348\",\n            \"function\": \"#5f27cd\",\n            \"api\": \"#00d2d3\",\n            \"basic_block\": \"#1dd1a1\"\n        };\n\n        const simulation = d3.forceSimulation(graphData.nodes)\n            .force(\"link\", d3.forceLink(graphData.edges).id(d => d.id).distance(100))\n            .force(\"charge\", d3.forceManyBody().strength(-300))\n            .force(\"center\", d3.forceCenter(width / 2, 
height / 2))\n            .force(\"collision\", d3.forceCollide().radius(40));\n\n        const linkColorMap = {\n            \"exhibits\": \"#ff6b6b\",\n            \"implemented_by\": \"#4ecdc4\",\n            \"calls\": \"#45b7d1\",\n            \"part_of\": \"#96ceb4\",\n            \"depends_on\": \"#ffeaa7\"\n        };\n\n        const link = g.append(\"g\")\n            .selectAll(\"line\")\n            .data(graphData.edges)\n            .enter()\n            .append(\"line\")\n            .attr(\"class\", \"link\")\n            .attr(\"stroke\", d => linkColorMap[d.relationship] || \"#999\")\n            .attr(\"stroke-width\", 2);\n\n        const node = g.append(\"g\")\n            .selectAll(\"circle\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"circle\")\n            .attr(\"class\", d => `node ${d.severity === \"high\" ? \"severity-high\" : \"\"}`)\n            .attr(\"r\", d => {\n                if (d.type === \"file\") return 20;\n                if (d.type === \"capability\") return d.severity === \"high\" ? 
15 : 12;\n                if (d.type === \"function\") return 10;\n                return 8;\n            })\n            .attr(\"fill\", d => {\n                if (d.type === \"capability\" && d.severity === \"medium\") return \"#ffa502\";\n                if (d.type === \"capability\" && d.severity === \"low\") return \"#48dbfb\";\n                return colorMap[d.type] || \"#666\";\n            })\n            .attr(\"stroke\", \"#fff\")\n            .attr(\"stroke-width\", 2)\n            .on(\"click\", (event, d) => showNodeInfo(d))\n            .call(d3.drag()\n                .on(\"start\", dragstarted)\n                .on(\"drag\", dragged)\n                .on(\"end\", dragended));\n\n        let labelsVisible = true;\n        const labels = g.append(\"g\")\n            .selectAll(\"text\")\n            .data(graphData.nodes)\n            .enter()\n            .append(\"text\")\n            .text(d => d.label)\n            .attr(\"fill\", \"#fff\")\n            .attr(\"dx\", 15)\n            .attr(\"dy\", 4);\n\n        simulation.on(\"tick\", () => {\n            link\n                .attr(\"x1\", d => d.source.x)\n                .attr(\"y1\", d => d.source.y)\n                .attr(\"x2\", d => d.target.x)\n                .attr(\"y2\", d => d.target.y);\n\n            node\n                .attr(\"cx\", d => d.x)\n                .attr(\"cy\", d => d.y);\n\n            labels\n                .attr(\"x\", d => d.x)\n                .attr(\"y\", d => d.y);\n        });\n\n        function dragstarted(event, d) {\n            if (!event.active) simulation.alphaTarget(0.3).restart();\n            d.fx = d.x;\n            d.fy = d.y;\n        }\n\n        function dragged(event, d) {\n            d.fx = event.x;\n            d.fy = event.y;\n        }\n\n        function dragended(event, d) {\n            if (!event.active) simulation.alphaTarget(0);\n            d.fx = null;\n            d.fy = null;\n        }\n\n        function showNodeInfo(node) 
{\n            let html = `<h2>${node.label}</h2>`;\n            html += `<div class=\"info-item\"><span class=\"label\">Type:</span> ${node.type}</div>`;\n            \n            if (node.severity) {\n                html += `<div class=\"info-item\"><span class=\"label\">Severity:</span> ${node.severity.toUpperCase()}</div>`;\n            }\n            \n            if (node.category) {\n                html += `<div class=\"info-item\"><span class=\"label\">Category:</span> ${node.category}</div>`;\n            }\n            \n            if (node.mitre) {\n                html += `<div class=\"info-item\"><span class=\"label\">MITRE:</span> ${node.mitre.join(\", \")}</div>`;\n            }\n            \n            if (node.operations) {\n                html += `<div class=\"info-item\"><span class=\"label\">Operations:</span><br>${node.operations.join(\"<br>\")}</div>`;\n            }\n            \n            if (node.properties) {\n                html += `<div class=\"info-item\"><span class=\"label\">MD5:</span><br>${node.properties.md5}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">SHA256:</span><br>${node.properties.sha256}</div>`;\n                html += `<div class=\"info-item\"><span class=\"label\">Arch:</span> ${node.properties.arch}</div>`;\n            }\n            \n            if (node.address) {\n                html += `<div class=\"info-item\"><span class=\"label\">Address:</span> ${node.address}</div>`;\n            }\n            \n            document.getElementById(\"node-info\").innerHTML = html;\n        }\n\n        function resetZoom() {\n            svg.transition().duration(750).call(zoom.transform, d3.zoomIdentity);\n        }\n\n        function toggleLabels() {\n            labelsVisible = !labelsVisible;\n            labels.style(\"display\", labelsVisible ? 
\"block\" : \"none\");\n        }\n\n        let physicsEnabled = true;\n        function togglePhysics() {\n            physicsEnabled = !physicsEnabled;\n            if (physicsEnabled) {\n                simulation.alphaTarget(0.3).restart();\n                setTimeout(() => simulation.alphaTarget(0), 1000);\n            } else {\n                simulation.stop();\n            }\n        }\n\n        window.addEventListener(\"resize\", () => {\n            const w = window.innerWidth - 350;\n            const h = window.innerHeight;\n            svg.attr(\"width\", w).attr(\"height\", h);\n            simulation.force(\"center\", d3.forceCenter(w / 2, h / 2));\n            simulation.alpha(0.3).restart();\n        });\n    </script>\n</body>\n</html>"},"timestamp":"2026-05-25 20:19:03"}
