
Windows Analysis Report
PowerRat.exe

Overview

General Information

Sample name: PowerRat.exe
Analysis ID: 1576449
MD5: f8a989ff9bf3894acb35c791d053cbec
SHA1: afb3cf59d939b5be709ed23d8b424987e618dbe4
SHA256: d417caa99ea8b4f00e4a6cc324a7901dbfddc0dbe19de513bcf4e84ceac90d21
Tags: AsyncRAT, exe, user-lontze7

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PowerRat.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\PowerRat.exe" MD5: F8A989FF9BF3894ACB35C791D053CBEC)
    • cmd.exe (PID: 7780 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7860 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7796 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3DB4.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7888 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • DasHost.exe (PID: 7980 cmdline: "C:\Users\user\AppData\Local\Temp\DasHost.exe" MD5: F8A989FF9BF3894ACB35C791D053CBEC)
  • DasHost.exe (PID: 7920 cmdline: C:\Users\user\AppData\Local\Temp\DasHost.exe MD5: F8A989FF9BF3894ACB35C791D053CBEC)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"External_config_on_Pastebin": "null", "Server": "turn-bracket.at.ply.gg", "Ports": "1234,27373", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "DasHost.exe", "Install_File": "b0tkTTlESktrQUhTR2hYSkI4VE9mS2JKWE1sUnc2WjA="}
Source | Rule | Description | Author | Strings
Source: PowerRat.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: PowerRat.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: PowerRat.exe | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • Strings: 0x70573:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source | Rule | Description | Author | Strings
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • Strings: 0x70573:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source | Rule | Description | Author | Strings
Source: 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • Strings: 0x70c4b:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000000.00000002.1850359273.0000000003328000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000002.1850359273.0000000003328000.00000004.00000800.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • Strings: 0x2bbfe:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000000.00000000.1706295948.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
(7 entries in total; the remaining memory-dump entries are not shown here)

Source | Rule | Description | Author | Strings
Source: 0.2.PowerRat.exe.435c6d8.0.raw.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.2.PowerRat.exe.435c6d8.0.raw.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.2.PowerRat.exe.435c6d8.0.raw.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • Strings: 0x70573:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 0.0.PowerRat.exe.ea0000.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.0.PowerRat.exe.ea0000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • Strings: 0xb2c7a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
(2 entries in total; the remaining unpacked-PE entries are not shown here)

                      System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\PowerRat.exe, ProcessId: 7620, TargetFilename: C:\Users\user\AppData\Local\Temp\DasHost.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\PowerRat.exe", ParentImage: C:\Users\user\Desktop\PowerRat.exe, ParentProcessId: 7620, ParentProcessName: PowerRat.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' & exit, ProcessId: 7780, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Users\user\AppData\Local\Temp\DasHost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\DasHost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\DasHost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\DasHost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\DasHost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\DasHost.exe, ProcessId: 7920, ProcessName: DasHost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7780, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' , ProcessId: 7860, ProcessName: schtasks.exe
                      No Suricata rule has matched

                      AV Detection

Source: PowerRat.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: PowerRat.exe | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "turn-bracket.at.ply.gg", "Ports": "1234,27373", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "DasHost.exe", "Install_File": "b0tkTTlESktrQUhTR2hYSkI4VE9mS2JKWE1sUnc2WjA="}
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Virustotal: Detection: 70%
Source: PowerRat.exe | ReversingLabs: Detection: 78%
Source: PowerRat.exe | Virustotal: Detection: 70%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Joe Sandbox ML: detected
Source: PowerRat.exe | Joe Sandbox ML: detected
Source: PowerRat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PowerRat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

Source: Malware configuration extractor | URLs: turn-bracket.at.ply.gg
Source: global traffic | TCP traffic: 147.185.221.211 ports 27373,1,2,3,4,1234
Source: Yara match | File source: PowerRat.exe, type: SAMPLE
Source: Yara match | File source: 0.2.PowerRat.exe.435c6d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\DasHost.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 147.185.221.211:1234
Source: Joe Sandbox View | ASN Name: SALSGIVERUS SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: turn-bracket.at.ply.gg
Source: PowerRat.exe, 00000000.00000002.1850359273.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, DasHost.exe, 00000009.00000002.4169109164.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: PowerRat.exe, type: SAMPLE
Source: Yara match | File source: 0.2.PowerRat.exe.435c6d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.PowerRat.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PowerRat.exe.435c6d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1850359273.0000000003328000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1706295948.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4169109164.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1850359273.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PowerRat.exe PID: 7620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DasHost.exe PID: 7980, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\DasHost.exe, type: DROPPED

                      Operating System Destruction

Source: C:\Users\user\Desktop\PowerRat.exe | Process information set: 00 00 00 00
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process information set: 01 00 00 00

                      System Summary

Source: PowerRat.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.PowerRat.exe.435c6d8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.0.PowerRat.exe.ea0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.PowerRat.exe.435c6d8.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000000.00000002.1850359273.0000000003328000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000000.00000000.1706295948.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: PowerRat.exe PID: 7620, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: DasHost.exe PID: 7980, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: C:\Users\user\Desktop\PowerRat.exe | Code functions calling native API (0_2_*): 0_2_032B3B00 NtSetInformationThread, 0_2_032B3BC0 NtClose, 0_2_032B3A38 NtQueryInformationProcess, 0_2_032B4800 NtQueryVolumeInformationFile, 0_2_032B48C8 NtDeviceIoControlFile, 0_2_032B4710 NtMapViewOfSection, 0_2_032B4648 NtQuerySystemInformation, 0_2_032B4568 NtCreateSection, 0_2_032B3D48 NtAllocateVirtualMemory, 0_2_032B3C70 NtProtectVirtualMemory, 0_2_032B4490 NtOpenFile, 0_2_032B3BBF NtClose, 0_2_032B3A30 NtQueryInformationProcess, 0_2_032B3AF9 NtSetInformationThread, 0_2_032B48C1 NtDeviceIoControlFile, 0_2_032B4708 NtMapViewOfSection, 0_2_032B47F8 NtQueryVolumeInformationFile, 0_2_032B4640 NtQuerySystemInformation, 0_2_032B4560 NtCreateSection, 0_2_032B3D40 NtAllocateVirtualMemory, 0_2_032B3C68 NtProtectVirtualMemory, 0_2_032B448A NtOpenFile
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Code functions calling native API (7_2_*): 7_2_01184800 NtQueryVolumeInformationFile, 7_2_011848C8 NtDeviceIoControlFile, 7_2_01183B00 NtSetInformationThread, 7_2_01183BC0 NtClose, 7_2_01183A38 NtQueryInformationProcess, 7_2_01183D48 NtAllocateVirtualMemory, 7_2_01184568 NtCreateSection, 7_2_01183C70 NtProtectVirtualMemory, 7_2_01184490 NtOpenFile, 7_2_01184710 NtMapViewOfSection, 7_2_01184648 NtQuerySystemInformation, 7_2_011848C1 NtDeviceIoControlFile, 7_2_01183BB9 NtClose, 7_2_01183A30 NtQueryInformationProcess, 7_2_01183AF9 NtSetInformationThread, 7_2_01183D40 NtAllocateVirtualMemory, 7_2_01184560 NtCreateSection, 7_2_01183C68 NtProtectVirtualMemory, 7_2_0118448B NtOpenFile, 7_2_01184708 NtMapViewOfSection, 7_2_011847F9 NtQueryVolumeInformationFile, 7_2_01184640 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Code functions calling native API (9_2_*): 9_2_012A4800 NtQueryVolumeInformationFile, 9_2_012A48C8 NtDeviceIoControlFile, 9_2_012A3B00 NtSetInformationThread, 9_2_012A3BC0 NtClose, 9_2_012A3A38 NtQueryInformationProcess, 9_2_012A4568 NtCreateSection, 9_2_012A3D48 NtAllocateVirtualMemory, 9_2_012A3C70 NtProtectVirtualMemory, 9_2_012A4490 NtOpenFile, 9_2_012A4710 NtMapViewOfSection, 9_2_012A4648 NtQuerySystemInformation, 9_2_012A48C1 NtDeviceIoControlFile, 9_2_012A3BB9 NtClose, 9_2_012A4560 NtCreateSection, 9_2_012A3D40 NtAllocateVirtualMemory, 9_2_012A3C68 NtProtectVirtualMemory, 9_2_012A448A NtOpenFile, 9_2_012A4708 NtMapViewOfSection, 9_2_012A47F9 NtQueryVolumeInformationFile, 9_2_012A4640 NtQuerySystemInformation
Source: C:\Users\user\Desktop\PowerRat.exe | Code function: 0_2_032B48C8 NtDeviceIoControlFile
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_00C2BE117_2_00C2BE11
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_00C28F687_2_00C28F68
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_01186A307_2_01186A30
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_01189DF87_2_01189DF8
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011807787_2_01180778
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011850487_2_01185048
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011830707_2_01183070
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011830607_2_01183060
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_01184B107_2_01184B10
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_01187B707_2_01187B70
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_01188A787_2_01188A78
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_01188A887_2_01188A88
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_01184AFF7_2_01184AFF
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011825B07_2_011825B0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011825A07_2_011825A0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011894107_2_01189410
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011894007_2_01189400
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011834D17_2_011834D1
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_01181CED7_2_01181CED
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011807737_2_01180773
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_01180E287_2_01180E28
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_01180E247_2_01180E24
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011856A87_2_011856A8
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_011816CD7_2_011816CD
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EEC0A09_2_00EEC0A0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EEE0A09_2_00EEE0A0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EE10989_2_00EE1098
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EEA2039_2_00EEA203
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EE8DC09_2_00EE8DC0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EEDD809_2_00EEDD80
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EEBE209_2_00EEBE20
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EE8F709_2_00EE8F70
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EEA0F19_2_00EEA0F1
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EED9989_2_00EED998
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EE0A209_2_00EE0A20
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EEBAC09_2_00EEBAC0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EEDBFB9_2_00EEDBFB
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EE94089_2_00EE9408
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EE8DB09_2_00EE8DB0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EE96F09_2_00EE96F0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_00EE9EC89_2_00EE9EC8
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A6A309_2_012A6A30
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A07789_2_012A0778
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A30709_2_012A3070
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A50489_2_012A5048
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A4B109_2_012A4B10
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A7B709_2_012A7B70
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A8A889_2_012A8A88
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A4AFF9_2_012A4AFF
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012AC5589_2_012AC558
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A25A09_2_012A25A0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A25B09_2_012A25B0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A9DF89_2_012A9DF8
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A94009_2_012A9400
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A94109_2_012A9410
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A1CE19_2_012A1CE1
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A34D19_2_012A34D1
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012ABF759_2_012ABF75
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A0E289_2_012A0E28
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A0E199_2_012A0E19
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A56A89_2_012A56A8
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012AB6A89_2_012AB6A8
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012A16D39_2_012A16D3
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_05510DC09_2_05510DC0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_055104F09_2_055104F0
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_055101A89_2_055101A8
                      Source: PowerRat.exe, 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameStub.exe" vs PowerRat.exe
                      Source: PowerRat.exe, 00000000.00000000.1706395798.0000000000F5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameStub.exe" vs PowerRat.exe
                      Source: PowerRat.exeBinary or memory string: OriginalFilenameStub.exe" vs PowerRat.exe
                      Source: PowerRat.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: PowerRat.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: 0.2.PowerRat.exe.435c6d8.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: 0.0.PowerRat.exe.ea0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: 0.2.PowerRat.exe.435c6d8.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: 00000000.00000002.1850359273.0000000003328000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: 00000000.00000000.1706295948.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: Process Memory Space: PowerRat.exe PID: 7620, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: Process Memory Space: DasHost.exe PID: 7980, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@15/5@1/1
                      Source: C:\Users\user\Desktop\PowerRat.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerRat.exe.logJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeMutant created: NULL
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
                      Source: C:\Users\user\Desktop\PowerRat.exeFile created: C:\Users\user\AppData\Local\Temp\DasHost.exeJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3DB4.tmp.bat""
                      Source: PowerRat.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                      Source: C:\Users\user\Desktop\PowerRat.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: PowerRat.exeReversingLabs: Detection: 78%
                      Source: PowerRat.exeVirustotal: Detection: 70%
                      Source: C:\Users\user\Desktop\PowerRat.exeFile read: C:\Users\user\Desktop\PowerRat.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\PowerRat.exe "C:\Users\user\Desktop\PowerRat.exe"
                      Source: C:\Users\user\Desktop\PowerRat.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' & exit
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\PowerRat.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3DB4.tmp.bat""
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"'
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 3
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\DasHost.exe C:\Users\user\AppData\Local\Temp\DasHost.exe
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\DasHost.exe "C:\Users\user\AppData\Local\Temp\DasHost.exe"
                      Source: C:\Users\user\Desktop\PowerRat.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' & exitJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3DB4.tmp.bat""Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 3Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\DasHost.exe "C:\Users\user\AppData\Local\Temp\DasHost.exe" Jump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: napinsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: pnrpnsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: wshbth.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: nlaapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: winrnr.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: PowerRat.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PowerRat.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: initial sampleStatic PE information: section where entry point is pointing to: .deta2
                      Source: PowerRat.exeStatic PE information: section name: .deta0
                      Source: PowerRat.exeStatic PE information: section name: .deta1
                      Source: PowerRat.exeStatic PE information: section name: .deta2
                      Source: DasHost.exe.0.drStatic PE information: section name: .deta0
                      Source: DasHost.exe.0.drStatic PE information: section name: .deta1
                      Source: DasHost.exe.0.drStatic PE information: section name: .deta2
                      Source: C:\Users\user\Desktop\PowerRat.exeCode function: 0_2_032BAC44 pushfd ; ret 0_2_032BAC81
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 7_2_0118AC43 pushfd ; ret 7_2_0118AC81
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_012AAC45 pushfd ; ret 9_2_012AAC81
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_02AD155F push eax; mov dword ptr [esp], edx9_2_02AD1584
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_05514199 push eax; retf 9_2_055141DD
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeCode function: 9_2_0551200A push eax; retf 9_2_05512019
                      Source: PowerRat.exeStatic PE information: section name: .deta2 entropy: 7.539647911355704
                      Source: DasHost.exe.0.drStatic PE information: section name: .deta2 entropy: 7.539647911355704
                      Source: C:\Users\user\Desktop\PowerRat.exeFile created: C:\Users\user\AppData\Local\Temp\DasHost.exeJump to dropped file

                      Boot Survival

Source: Yara match | File source: PowerRat.exe, type: SAMPLE
Source: Yara match | File source: 0.2.PowerRat.exe.435c6d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.PowerRat.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PowerRat.exe.435c6d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1850359273.0000000003328000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1706295948.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4169109164.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1850359273.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PowerRat.exe PID: 7620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DasHost.exe PID: 7980, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\DasHost.exe, type: DROPPED
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"'
Source: C:\Users\user\Desktop\PowerRat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process information set: NOOPENFILEERRORBOX
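The schtasks command in this section (it appears again among the process-creation entries further down, next to the tmp3DB4.tmp.bat and timeout 3 steps that start the copy) is the persistence mechanism: a logon-triggered task created with /rl highest whose action is a file carrying the name of a genuine Windows binary (DasHost.exe, the Device Association Framework host, which normally lives in System32) but stored in the user's Temp directory. In the open-source AsyncRAT client this exact schtasks form is the branch the installer takes when it already runs as administrator; the non-admin branch writes an HKCU Run value instead, and the batch file with a three-second timeout that relaunches the copy matches that installer too. The example below is added here and is not code from the report or from AsyncRAT; it covers the task half of that sweep by triaging Task Scheduler XML definitions (the files under C:\Windows\System32\Tasks) for the combination seen here. The two task definitions are constructed to resemble what schtasks writes, and the SYSTEM_NAMES list and the three-finding threshold are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories an unprivileged user can write to; an autostart action living
# here is the pattern the DasHost task shows.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed short list of genuine Windows binary names that malware borrows.
SYSTEM_NAMES = {"dashost.exe", "svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe"}


def triage_task_xml(xml_text: str) -> dict:
    """Score one Task Scheduler definition (the XML stored under System32\\Tasks)."""
    # The on-disk files are UTF-16 with a declaration that expat rejects once the
    # text has been decoded to str, so drop the declaration before parsing.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [t.tag.rsplit("}", 1)[-1] for t in trig]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS).strip().strip('"')
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    low = command.lower()
    exe = PureWindowsPath(command).name.lower()

    findings = []
    auto = [t for t in triggers if t in ("LogonTrigger", "BootTrigger")]
    if auto:
        findings.append("autostart trigger: " + ", ".join(auto))
    if run_level == "HighestAvailable":
        findings.append("RunLevel HighestAvailable (schtasks /rl highest)")
    if any(d in low for d in USER_WRITABLE):
        findings.append("action lives in a user-writable directory")
    if exe in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        findings.append(f"system binary name {exe} outside System32/SysWOW64")
    return {"task": uri, "command": command, "triggers": triggers,
            "findings": findings, "suspicious": len(findings) >= 3}


# Constructed samples modelled on what schtasks writes (not captured from the sandbox).
MALICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\DasHost</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\Users\user\AppData\Local\Temp\DasHost.exe"</Command></Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Example\NightlyCleanup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\cleanmgr.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text in (MALICIOUS_TASK, BENIGN_TASK):
        r = triage_task_xml(xml_text)
        print(r["task"], "SUSPICIOUS" if r["suspicious"] else "ok", r["findings"])
```

On a live host, walk C:\Windows\System32\Tasks recursively (the definitions have no file extension), read each file with encoding="utf-16" and feed the text to triage_task_xml. The name check is the one that catches this sample even if the attacker drops /rl highest: a DasHost.exe anywhere outside System32 or SysWOW64 has no legitimate reason to exist.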

Malware Analysis System Evasion

Source: Yara match | File source: PowerRat.exe, type: SAMPLE
Source: Yara match | File source: 0.2.PowerRat.exe.435c6d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.PowerRat.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PowerRat.exe.435c6d8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1850359273.0000000003328000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1706295948.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4169109164.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1850359273.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PowerRat.exe PID: 7620, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: DasHost.exe PID: 7980, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\DasHost.exe, type: DROPPED
Source: C:\Users\user\Desktop\PowerRat.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\PowerRat.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | System information queried: FirmwareTableInformation
Source: PowerRat.exe, 00000000.00000002.1850359273.00000000033E4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLLLR^Q(YT
Source: PowerRat.exe, DasHost.exe.0.dr | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\PowerRat.exe | Memory allocated: 18C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PowerRat.exe | Memory allocated: 32F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PowerRat.exe | Memory allocated: 3210000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PowerRat.exe | Memory allocated: 5730000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PowerRat.exe | Memory allocated: 7730000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PowerRat.exe | Memory allocated: 7970000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PowerRat.exe | Memory allocated: 9970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Memory allocated: C20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Memory allocated: 2A40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Memory allocated: 11E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Memory allocated: 4D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Memory allocated: 1380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Memory allocated: EE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Memory allocated: 2C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Memory allocated: 2A80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Memory allocated: 50C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Memory allocated: 70C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PowerRat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Window / User API: threadDelayed 1678
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Window / User API: threadDelayed 421
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Window / User API: threadDelayed 7711
Source: C:\Users\user\Desktop\PowerRat.exe TID: 7640 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe TID: 7940 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe TID: 8024 | Thread sleep time: -1678000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe TID: 8024 | Thread sleep time: -7711000s >= -30000s
Source: C:\Users\user\Desktop\PowerRat.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PowerRat.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PowerRat.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\PowerRat.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Thread delayed: delay time: 922337203685477
Source: DasHost.exe.0.dr | Binary or memory string: vmware
Source: PowerRat.exe, 00000000.00000002.1849681000.00000000016A7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: DasHost.exe, 00000007.00000002.1950509735.0000000000A47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DasHost.exe, 00000009.00000002.4168055960.0000000000F54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: C:\Users\user\Desktop\PowerRat.exe | Process information queried: ProcessInformation
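The entries in this section mix strong and weak evidence of sandbox evasion. FirmwareTableInformation is the NtQuerySystemInformation class behind GetSystemFirmwareTable, used to read the SMBIOS/ACPI tables for hypervisor vendor strings; SBIEDLL.DLL is Sandboxie's injected DLL; the Win32_ComputerSystem WMI query exposes Manufacturer and Model; and 922337203685477 ms is Int64.MaxValue ticks divided by 10000, i.e. TimeSpan.MaxValue, so those two waits are effectively infinite rather than timed sleeps meant to outlast the analysis window. The "memory write watch" allocations are MEM_WRITE_WATCH reservations that the .NET Framework GC makes for its own heap (this sample loads v4.0 GAC assemblies), and "Hyper-V RAW" is the name of a Winsock provider present on every Windows 10+ installation, so neither says anything about the host on its own. The scorer below is an added example, not part of the report: it parses lines in this report's Source / description format, groups them per process and keeps the strong indicators apart from that noise. The sample lines are constructed in that format, and the regexes and weights are this example's own triage judgement.

```python
import re
from collections import defaultdict

# TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in milliseconds that is
# the 922337203685477 the report shows, i.e. an effectively infinite wait.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# (regex over the description part of a line, label, weight). Weights are this
# example's own judgement, not Joe Sandbox's scoring; weight 0 marks signatures
# that benign .NET programs trigger as well.
RULES = [
    (r"System information queried: FirmwareTableInformation",
     "firmware table read (SMBIOS/ACPI hypervisor vendor strings)", 3),
    (r"Binary or memory string: SBIEDLL\.DLL", "Sandboxie DLL name SbieDll.dll present", 3),
    (r"WMI Queries: .*Win32_ComputerSystem", "WMI Win32_ComputerSystem (Manufacturer/Model)", 2),
    (r"Binary or memory string: vmware", "'vmware' string present", 2),
    (rf"Thread delayed: delay time: {TIMESPAN_MAX_MS}",
     "wait of TimeSpan.MaxValue (effectively infinite)", 2),
    (r"Window / User API: threadDelayed \d+", "burst of repeated short sleeps", 1),
    (r"memory reserve \| memory write watch",
     "MEM_WRITE_WATCH reservation (.NET GC heap; noise on its own)", 0),
    (r"Binary or memory string: Hyper-V RAW",
     "'Hyper-V RAW' Winsock provider name (present on any Windows 10+ host)", 0),
]
COMPILED = [(re.compile(p), label, w) for p, label, w in RULES]

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<desc>.+?)\s*$")
DROPPED_RE = re.compile(r"^(?P<name>.+\.exe)\.\d+\.dr$", re.IGNORECASE)


def process_of(src: str) -> str:
    """Reduce a source field (full path, memory-dump name, TID suffix,
    dropped-file tag such as DasHost.exe.0.dr) to the owning process name."""
    head = re.split(r",| TID:", src, maxsplit=1)[0].strip()
    name = head.replace("/", "\\").rsplit("\\", 1)[-1]
    m = DROPPED_RE.match(name)
    return m.group("name") if m else name


def score_evasion(lines):
    """Group signature lines by process; return {proc: {score, indicators, noise}}."""
    report = defaultdict(lambda: {"score": 0, "indicators": [], "noise": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines, Yara-match entries
        proc, desc = process_of(m.group("src")), m.group("desc")
        for rx, label, weight in COMPILED:
            if rx.search(desc):
                bucket = "indicators" if weight else "noise"
                if label not in report[proc][bucket]:  # count each indicator once per process
                    report[proc][bucket].append(label)
                    report[proc]["score"] += weight
                break
    return dict(report)


# Constructed sample lines in the report's format (not copied verbatim from it).
SAMPLE = r"""
Source: C:\Users\user\Desktop\PowerRat.exe | System information queried: FirmwareTableInformation
Source: PowerRat.exe, 00000000.00000002.1850359273.00000000033E4000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\PowerRat.exe | Memory allocated: 18C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Window / User API: threadDelayed 7711
Source: DasHost.exe.0.dr | Binary or memory string: vmware
Source: DasHost.exe, 00000007.00000002.1950509735.0000000000A47000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
""".strip().splitlines()

if __name__ == "__main__":
    for proc, r in score_evasion(SAMPLE).items():
        print(f"{proc}: score {r['score']}")
        for label in r["indicators"]:
            print("   +", label)
        for label in r["noise"]:
            print("   ~", label)
```

The weight-0 bucket is the part worth keeping when adapting this: a triage script that counts write-watch allocations or the Hyper-V RAW string as evasion will flag every .NET program on the box, while the firmware-table and SbieDll.dll checks are the ones that separate this sample from them.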

Anti Debugging

Source: C:\Users\user\Desktop\PowerRat.exe | Code function: 0_2_05B91380 CheckRemoteDebuggerPresent, 0_2_05B91380
Source: C:\Users\user\Desktop\PowerRat.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PowerRat.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PowerRat.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PowerRat.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PowerRat.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PowerRat.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\PowerRat.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PowerRat.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PowerRat.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PowerRat.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' & exit
Source: C:\Users\user\Desktop\PowerRat.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3DB4.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\DasHost.exe "C:\Users\user\AppData\Local\Temp\DasHost.exe"
Source: C:\Users\user\Desktop\PowerRat.exe | Queries volume information: C:\Users\user\Desktop\PowerRat.exe VolumeInformation
Source: C:\Users\user\Desktop\PowerRat.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\PowerRat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\PowerRat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PowerRat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PowerRat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\DasHost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DasHost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\DasHost.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\DasHost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PowerRat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Lowering of HIPS / PFW / Operating System Security Settings

                      Source: Yara match | File source: PowerRat.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.PowerRat.exe.435c6d8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.PowerRat.exe.ea0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.PowerRat.exe.435c6d8.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1850359273.0000000003328000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.1706295948.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.4169109164.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1850359273.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: PowerRat.exe PID: 7620, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: DasHost.exe PID: 7980, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\DasHost.exe, type: DROPPED
                      MITRE ATT&CK Matrix (the number before a technique name is the signature count shown for that cell)

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 2 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 521 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | 2 Scheduled Task/Job | 1 Scripting | 2 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 251 Virtualization/Sandbox Evasion | Security Account Manager | 251 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Software Packing | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 1576449 | Sample: PowerRat.exe | Startdate: 17/12/2024 | Architecture: WINDOWS | Score: 100

                      Start
                        DNS/IP: turn-bracket.at.ply.gg
                        Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 12 other signatures
                        PowerRat.exe (7) started
                          Dropped file: C:\Users\user\AppData\Local\...\DasHost.exe, PE32
                          Dropped file: C:\Users\user\AppData\...\PowerRat.exe.log, ASCII
                          Signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures
                          cmd.exe (1) started
                            DasHost.exe (2) started
                              DNS/IP: turn-bracket.at.ply.gg 147.185.221.211, ports 1234, 27373, 49735, SALSGIVERUS, United States
                              Signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers
                            conhost.exe started
                            timeout.exe (1) started
                          cmd.exe (1) started
                            Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                            conhost.exe started
                            schtasks.exe (1) started
                        DasHost.exe (3) started
                          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

                      Source | Detection | Scanner | Label
                      PowerRat.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.Genie8DN
                      PowerRat.exe | 71% | Virustotal |
                      PowerRat.exe | 100% | Avira | TR/Dropper.Gen
                      PowerRat.exe | 100% | Joe Sandbox ML |

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Local\Temp\DasHost.exe | 100% | Avira | TR/Dropper.Gen
                      C:\Users\user\AppData\Local\Temp\DasHost.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\Temp\DasHost.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.Genie8DN
                      C:\Users\user\AppData\Local\Temp\DasHost.exe | 71% | Virustotal |

                      No Antivirus matches

                      Source | Detection | Scanner | Label
                      turn-bracket.at.ply.gg | 1% | Virustotal |

                      Source | Detection | Scanner | Label
                      turn-bracket.at.ply.gg | 0% | Avira URL Cloud | safe
                      turn-bracket.at.ply.gg | 1% | Virustotal |

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      turn-bracket.at.ply.gg | 147.185.221.211 | true | true | | unknown

                      Name | Malicious | Antivirus Detection | Reputation
                      turn-bracket.at.ply.gg | true | 1%, Virustotal; Avira URL Cloud: safe | unknown

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PowerRat.exe, 00000000.00000002.1850359273.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, DasHost.exe, 00000009.00000002.4169109164.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        147.185.221.211 | turn-bracket.at.ply.gg | United States | 12087 | SALSGIVERUS | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1576449
                        Start date and time:2024-12-17 07:11:06 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 2s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of new started processes analysed:13
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:PowerRat.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@15/5@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 262
                        • Number of non-executed functions: 32
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed; report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        Time | Type | Description
                        01:12:51 | API Interceptor | 584399x Sleep call for process: DasHost.exe modified
                        06:12:17 | Task Scheduler | Run new task: DasHost path: "C:\Users\user\AppData\Local\Temp\DasHost.exe"
                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            147.185.221.211 | 9R0e205b3v.exe | malicious | Njrat |
                            147.185.221.211 | MZBBGJ.exe | malicious | Unknown |

                            No context

                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                            SALSGIVERUS | file.exe | malicious | ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig | 147.185.221.24
                            SALSGIVERUS | msedge.exe | malicious | XWorm | 147.185.221.22
                            SALSGIVERUS | imagelogger.exe | malicious | XWorm | 147.185.221.229
                            SALSGIVERUS | NJRAT DANGEROUS.exe | malicious | XWorm | 147.185.221.181
                            SALSGIVERUS | com surrogate.exe | malicious | XWorm | 147.185.221.22
                            SALSGIVERUS | lastest.exe | malicious | Njrat | 147.185.221.20
                            SALSGIVERUS | Fast Download.exe | malicious | Njrat | 147.185.221.229
                            SALSGIVERUS | cnct.exe | malicious | Njrat | 147.185.221.20
                            SALSGIVERUS | Server1.exe | malicious | Njrat | 147.185.221.17
                            SALSGIVERUS | njSilent.exe | malicious | Njrat | 147.185.221.19

                            No context

                            No context
                            Process:C:\Users\user\AppData\Local\Temp\DasHost.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1436
                            Entropy (8bit):5.350117172721964
                            Encrypted:false
                            SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzerLE4x84qpsXE4qdKqE4Kx1qE4j:MxHKlYHKh3oPtHo6hAHKzerLHxvpH8H5
                            MD5:DC85A7E59CDACB844A0F12744C2372B1
                            SHA1:6A64FDD5ED01D6EC17B7F3925E57F1F7DC9B0C92
                            SHA-256:B536DEFBE4958A112489AD2FB21F6CE7461D1DBF48DC01377D22ED925140D3D6
                            SHA-512:163DC75C8B3B4CDA69EC371AEFCA3948D7AEB15EBDFC8EBB53B3F48383752BD4D01508F8999D165AA083C70C456E9A6E66DE5ADB021E094822C0C5F2AACE73F5
                            Malicious:false
                            Reputation:low
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, P
                            Process:C:\Users\user\Desktop\PowerRat.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1436
                            Entropy (8bit):5.350117172721964
                            Encrypted:false
                            SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzerLE4x84qpsXE4qdKqE4Kx1qE4j:MxHKlYHKh3oPtHo6hAHKzerLHxvpH8H5
                            MD5:DC85A7E59CDACB844A0F12744C2372B1
                            SHA1:6A64FDD5ED01D6EC17B7F3925E57F1F7DC9B0C92
                            SHA-256:B536DEFBE4958A112489AD2FB21F6CE7461D1DBF48DC01377D22ED925140D3D6
                            SHA-512:163DC75C8B3B4CDA69EC371AEFCA3948D7AEB15EBDFC8EBB53B3F48383752BD4D01508F8999D165AA083C70C456E9A6E66DE5ADB021E094822C0C5F2AACE73F5
                            Malicious:true
                            Reputation:low
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, P
                            Process:C:\Users\user\Desktop\PowerRat.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):474112
                            Entropy (8bit):7.519388414063239
                            Encrypted:false
                            SSDEEP:12288:qB0qu1Lr160aR4DLurOZR4dq6hoQ3rffNwhYhdP1XEd:c0quVJ33ZZ6hh3rdthdP10d
                            MD5:F8A989FF9BF3894ACB35C791D053CBEC
                            SHA1:AFB3CF59D939B5BE709ED23D8B424987E618DBE4
                            SHA-256:D417CAA99EA8B4F00E4A6CC324A7901DBFDDC0DBE19DE513BCF4E84CEAC90D21
                            SHA-512:8DC32C1C7B408DCB8C95838D96EE711ACF6157AE54FB44C1F07834EEEC9618977EBDBB134E27C2663593B3372D4855146F5E24F4DF7FFDD6F5028C0818CDF01B
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\DasHost.exe, Author: Joe Security
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\DasHost.exe, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\DasHost.exe, Author: ditekSHen
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 79%
                            • Antivirus: Virustotal, Detection: 71%, Browse
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................ ........@.. ....................................@.....................................(....................................................................................`..................H............text...4.... ...................... ..`.deta0.............................. ..`.deta1.......`......................@....deta2...+.......,.................. ..`.rsrc................2..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\PowerRat.exe
                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):154
                            Entropy (8bit):4.969150772179667
                            Encrypted:false
                            SSDEEP:3:mKDDCMNqTtvL5ot+kiE2J5xAIjACSmqRDt+kiE2J5xAInTRI8GVZPy:hWKqTtT6wkn23fgmq1wkn23fTdGVk
                            MD5:2BA342703095ACED9DDE8A602AB57A61
                            SHA1:CB0D0DF27EA7703B279485797937EAA18E361CAA
                            SHA-256:7EEE6556AD10B2368D3049EFD7FADA7ABBB0BE3F7B7D8B9D81DB384E28582EAF
                            SHA-512:D7F8703CE8C06F4C05B6AF9C5D8A7EEC06E12458BF1E0077611021A91FD6C972D4022AD1DF49DAF2382103F892DC54EECBA0507FB5AC67334E73F93AEA9FA915
                            Malicious:false
                            Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Local\Temp\DasHost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp3DB4.tmp.bat" /f /q..
                            Process:C:\Windows\SysWOW64\timeout.exe
                            File Type:ASCII text, with CRLF line terminators, with overstriking
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.41440934524794
                            Encrypted:false
                            SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                            MD5:3DD7DD37C304E70A7316FE43B69F421F
                            SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                            SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                            SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                            Malicious:false
                            Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.519388414063239
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                            • Win32 Executable (generic) a (10002005/4) 49.96%
                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:PowerRat.exe
                            File size:474'112 bytes
                            MD5:f8a989ff9bf3894acb35c791d053cbec
                            SHA1:afb3cf59d939b5be709ed23d8b424987e618dbe4
                            SHA256:d417caa99ea8b4f00e4a6cc324a7901dbfddc0dbe19de513bcf4e84ceac90d21
                            SHA512:8dc32c1c7b408dcb8c95838d96ee711acf6157ae54fb44c1f07834eeec9618977ebdbb134e27c2663593b3372d4855146f5e24f4df7ffdd6f5028c0818cdf01b
                            SSDEEP:12288:qB0qu1Lr160aR4DLurOZR4dq6hoQ3rffNwhYhdP1XEd:c0quVJ33ZZ6hh3rdthdP10d
                            TLSH:44A4DF287BD86D9BD3C9337E90560860A7B6B912B65FE3DF34211EF42F43391881529B
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................................@................................
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x44a3d1
                            Entrypoint Section:.deta2
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x5EB79023 [Sun May 10 05:24:51 2020 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00446000h]
                            sbb al, A3h
                            sbb byte ptr [edi+63h], dl
                            lea ebp, edx
                            sbb eax, dword ptr [esi+0C8D0DCEh]
                            xchg eax, ebp
                            jno 00007F974493EDFEh
                            or byte ptr [ebp+1AB19DCEh], cl
                            sub eax, B7AAC8B6h
                            wait
                            popfd
                            xor byte ptr [esi], FFFFFFFDh
                            popfd
                            mov dword ptr [edi-757D9190h], esi
                            add dh, FFFFFF81h
                            popfd
                            mov dword ptr [edi-7662C4C6h], esi
                            aaa
                            test dword ptr [esi], 1037AF87h
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x88aa8 | 0x28 | .deta2
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbc000 | 0x7ff | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbe000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x46000 | 0x8 | .deta1
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0xa16a0 | 0x48 | .deta2
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x20000xa7340x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .deta00xe0000x37fd30x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .deta10x460000x80x20066ecca962045639f5243572ec1a189a2False0.03125data0.06116285224115448IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .deta20x480000x72bc80x72c0095ca754912b3acb0b11c82f7f8c8c010False0.8020535471132898data7.539647911355704IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc0xbc0000x7ff0x80074f688ea12c9bbe434364ad865ca0335False0.41748046875data4.894395811204692IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc0xbe0000xc0x20093b0859e557f77793bde13f8071cadbeFalse0.048828125data0.12227588125913882IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            NameRVASizeTypeLanguageCountryZLIB Complexity
                            RT_VERSION0xbc0a00x2ccdata0.43575418994413406
                            RT_MANIFEST0xbc36c0x493exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.43381725021349277
                            DLLImport
                            mscoree.dll_CorExeMain
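Reading the static tables above together: the entry-point disassembly is the six-byte stub jmp dword ptr [00446000h] (image base 0x400000 plus the IAT at RVA 0x46000), which lands on the one import, mscoree.dll!_CorExeMain, so this is a 32-bit .NET executable even though the CLR version field is blank; the instructions listed after the jmp are data bytes decoded as code. In the section table, .text and .deta0 are marked executable with a non-zero virtual size but a raw size of 0 (their MD5 is the MD5 of the empty string), while .deta2 has entropy 7.54 at 80% ZLIB complexity, which is consistent with a payload that is decrypted into those empty ranges at run time. The Python below is an added example and not part of the Joe Sandbox report: a minimal PE32 parser that applies those three checks (COM descriptor directory present, executable section with no bytes on disk, section entropy at or above a threshold) to a constructed miniature image that mirrors the layout above. The miniature image, the 7.0 entropy threshold and the rule wording are assumptions of the example, not data from the report.

```python
import hashlib
import math
import struct

# Section characteristic bits and the data-directory slot used below (winnt.h values).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DIR_COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero means a managed (.NET) image


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty input, close to 8.0 for random or well-encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32(data):
    """Minimal PE32 reader: link timestamp, data directories, section table with per-section entropy."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _machine, nsec, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]           # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "flags": flags, "entropy": shannon_entropy(raw)})
    return {"timestamp": timestamp, "dirs": dirs, "sections": sections}


def section_findings(pe, entropy_threshold=7.0):
    """Static triage rules for the patterns visible in the report's section table."""
    out = []
    if len(pe["dirs"]) > DIR_COM_DESCRIPTOR and pe["dirs"][DIR_COM_DESCRIPTOR][0]:
        out.append("managed (.NET) image: COM descriptor directory present")
    for s in pe["sections"]:
        executable = bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)
        if executable and s["rawsize"] == 0 and s["vsize"] > 0:
            out.append(f"{s['name']}: executable, {s['vsize']:#x} bytes virtual but 0 on disk (filled at runtime)")
        if s["rawsize"] and s["entropy"] >= entropy_threshold:
            out.append(f"{s['name']}: entropy {s['entropy']:.2f} (packed or encrypted payload)")
        if executable and s["flags"] & IMAGE_SCN_MEM_WRITE:
            out.append(f"{s['name']}: writable and executable")
    return out


def build_sample_pe(sections, com_descriptor=(0, 0)):
    """Emit a minimal PE32 image (DOS stub, NT headers, section table, raw data) for testing."""
    hdr_len = 64 + 4 + 20 + 224 + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF  # raw data starts at the next 512-byte file boundary
    headers, body = b"", b""
    for name, vsize, va, raw, flags in sections:
        raw_size = (len(raw) + 0x1FF) & ~0x1FF
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size,
                               raw_ptr + len(body) if raw_size else 0, 0, 0, 0, 0, flags)
        body += raw.ljust(raw_size, b"\0")
    dirs = [(0, 0)] * 16
    dirs[DIR_COM_DESCRIPTOR] = com_descriptor
    optional = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)
    optional += b"".join(struct.pack("<II", *d) for d in dirs)
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5EB79023, 0, 0, len(optional), 0x102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64)
    return (dos + nt + optional + headers).ljust(raw_ptr, b"\0") + body


# Constructed stand-in for the report's layout (not the real file): .text and .deta0 have a
# virtual size but no bytes on disk, .deta2 carries a high-entropy blob, .rsrc is ordinary data.
_CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 pseudo-random bytes
SAMPLE_IMAGE = build_sample_pe([
    (b".text", 0xA734, 0x2000, b"", _CODE),
    (b".deta0", 0x37FD3, 0xE000, b"", _CODE),
    (b".deta2", len(_BLOB), 0x48000, _BLOB, _CODE),
    (b".rsrc", 0x7FF, 0xBC000, b"RT_VERSION\0RT_MANIFEST\0" * 20, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
], com_descriptor=(0xA16A0, 0x48))


if __name__ == "__main__":
    for line in section_findings(parse_pe32(SAMPLE_IMAGE)):
        print(line)
```

Run against a real file with parse_pe32(open(path, "rb").read()); the parser deliberately handles only PE32, because the sample is 32BIT_MACHINE, and a PE32+ (64-bit) image has a different optional-header layout.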
                            Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                            Dec 17, 2024 07:12:26.049520969 CET  49735        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:12:26.169529915 CET  1234         49735      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:12:26.169687033 CET  49735        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:12:26.187119007 CET  49735        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:12:26.307202101 CET  1234         49735      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:12:48.056229115 CET  1234         49735      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:12:48.056305885 CET  49735        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:12:53.071834087 CET  49737        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:12:53.071841002 CET  49735        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:12:53.191914082 CET  1234         49735      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:12:53.191966057 CET  27373        49737      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:12:53.192492008 CET  49737        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:12:53.192492008 CET  49737        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:12:53.312725067 CET  27373        49737      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:13:15.103641987 CET  27373        49737      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:13:15.103718042 CET  49737        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:13:20.116264105 CET  49737        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:13:20.117186069 CET  49790        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:13:20.236224890 CET  27373        49737      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:13:20.237314939 CET  27373        49790      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:13:20.237504005 CET  49790        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:13:20.237792969 CET  49790        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:13:20.357686996 CET  27373        49790      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:13:42.151083946 CET  27373        49790      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:13:42.155402899 CET  49790        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:13:47.163434982 CET  49790        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:13:47.164233923 CET  49851        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:13:47.283370972 CET  27373        49790      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:13:47.284092903 CET  1234         49851      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:13:47.284287930 CET  49851        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:13:47.284583092 CET  49851        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:13:47.404686928 CET  1234         49851      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:14:09.223445892 CET  1234         49851      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:14:09.223515034 CET  49851        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:14:14.227400064 CET  49851        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:14:14.231436968 CET  49917        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:14:14.347402096 CET  1234         49851      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:14:14.351484060 CET  27373        49917      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:14:14.351758957 CET  49917        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:14:14.352197886 CET  49917        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:14:14.474627972 CET  27373        49917      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:14:36.261846066 CET  27373        49917      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:14:36.262042999 CET  49917        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:14:41.273175955 CET  49917        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:14:41.273921967 CET  49977        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:14:41.393208981 CET  27373        49917      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:14:41.393976927 CET  27373        49977      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:14:41.394088030 CET  49977        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:14:41.394391060 CET  49977        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:14:41.514285088 CET  27373        49977      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:15:03.309499979 CET  27373        49977      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:15:03.309691906 CET  49977        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:15:08.320183992 CET  49977        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:15:08.320883989 CET  50009        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:15:08.440392971 CET  27373        49977      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:15:08.440943003 CET  27373        50009      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:15:08.441135883 CET  50009        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:15:08.441600084 CET  50009        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:15:08.561661959 CET  27373        50009      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:15:30.356687069 CET  27373        50009      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:15:30.356915951 CET  50009        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:15:35.367603064 CET  50009        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:15:35.368598938 CET  50010        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:15:35.487628937 CET  27373        50009      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:15:35.488564968 CET  1234         50010      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:15:35.489010096 CET  50010        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:15:35.489099979 CET  50010        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:15:35.609030008 CET  1234         50010      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:15:57.404594898 CET  1234         50010      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:15:57.404716969 CET  50010        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:16:02.417603970 CET  50010        1234       192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:16:02.418416977 CET  50011        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:16:02.537888050 CET  1234         50010      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:16:02.538671017 CET  27373        50011      147.185.221.211  192.168.2.4
                            Dec 17, 2024 07:16:02.541177988 CET  50011        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:16:02.541503906 CET  50011        27373      192.168.2.4      147.185.221.211
                            Dec 17, 2024 07:16:02.661355019 CET  27373        50011      147.185.221.211  192.168.2.4
                            Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                            Dec 17, 2024 07:12:25.773333073 CET  63361        53         192.168.2.4      1.1.1.1
                            Dec 17, 2024 07:12:26.047477007 CET  53           63361      1.1.1.1          192.168.2.4
                            Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                    Type            Class        DNS over HTTPS
                            Dec 17, 2024 07:12:25.773333073 CET  192.168.2.4  1.1.1.1  0xfd18    Standard query (0)  turn-bracket.at.ply.gg  A (IP address)  IN (0x0001)  false
                            Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                    CName   Address          Type            Class        DNS over HTTPS
                            Dec 17, 2024 07:12:26.047477007 CET  1.1.1.1    192.168.2.4  0xfd18    No error (0)  turn-bracket.at.ply.gg  (none)  147.185.221.211  A (IP address)  IN (0x0001)  false
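The TCP table shows one pattern worth pulling out: the client opens a fresh connection (a new ephemeral source port) to 147.185.221.211 about every 27 seconds, switching between destination ports 1234 and 27373, and the previous connection is closed within the same second that the next one starts. The address came from resolving turn-bracket.at.ply.gg through 1.1.1.1; at.ply.gg is the hostname pattern of the playit.gg tunnelling service, which puts a relay in front of the operator's real host. The Python below is an added example, not part of the report: it parses packet lines in the column order of the table above, folds replies and retransmits into one entry per connection, and flags a destination whose reconnect interval is nearly constant. The packet sample embedded in it is constructed from rows of the table; the jitter threshold of 0.15 and the minimum of four connections are assumptions of the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# One packet per line, in the column order of the report's TCP table:
# timestamp, source port, destination port, source IP, destination IP.
FLOW_RE = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+)\s+\w+\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_packet(line):
    """Return (timestamp, src_port, dst_port, src_ip, dst_ip), or None for a non-matching line."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    micros = int(m.group(2)[:6].ljust(6, "0"))  # keep microseconds, drop the nanosecond digits
    return (base + timedelta(microseconds=micros), int(m.group(3)), int(m.group(4)),
            m.group(5), m.group(6))


def connection_starts(lines, client_ip):
    """Earliest client-originated packet per (dst_ip, dst_port, src_port), time-ordered.
    A new ephemeral source port is a new TCP connection; replies and retransmits collapse into it."""
    first = {}
    for pkt in map(parse_packet, lines):
        if pkt is None or pkt[3] != client_ip:
            continue
        ts, sport, dport, _, dst = pkt
        key = (dst, dport, sport)
        if key not in first or ts < first[key]:
            first[key] = ts
    return sorted((ts, dst, dport, sport) for (dst, dport, sport), ts in first.items())


def find_beacons(starts, min_connections=4, max_jitter=0.15):
    """Destinations that are reconnected to at a near-constant period.
    jitter is stdev/mean of the gaps between consecutive connection starts."""
    by_dst = defaultdict(list)
    for ts, dst, dport, _ in starts:
        by_dst[dst].append((ts, dport))
    hits = []
    for dst, conns in by_dst.items():
        if len(conns) < min_connections:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        period = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / period if period else float("inf")
        if jitter <= max_jitter:
            hits.append({"dst": dst, "connections": len(conns),
                         "ports": sorted({p for _, p in conns}),
                         "period_s": round(period, 3), "jitter": round(jitter, 4)})
    return hits


# Constructed input: the first packet of each connection in the report's TCP table, plus a
# server reply and client retransmits so that the de-duplication is exercised.
SAMPLE_PACKETS = """
Dec 17, 2024 07:12:26.049520969 CET  49735  1234   192.168.2.4      147.185.221.211
Dec 17, 2024 07:12:26.169529915 CET  1234   49735  147.185.221.211  192.168.2.4
Dec 17, 2024 07:12:26.169687033 CET  49735  1234   192.168.2.4      147.185.221.211
Dec 17, 2024 07:12:53.071834087 CET  49737  27373  192.168.2.4      147.185.221.211
Dec 17, 2024 07:12:53.071841002 CET  49735  1234   192.168.2.4      147.185.221.211
Dec 17, 2024 07:13:20.117186069 CET  49790  27373  192.168.2.4      147.185.221.211
Dec 17, 2024 07:13:47.164233923 CET  49851  1234   192.168.2.4      147.185.221.211
Dec 17, 2024 07:14:14.231436968 CET  49917  27373  192.168.2.4      147.185.221.211
Dec 17, 2024 07:14:41.273921967 CET  49977  27373  192.168.2.4      147.185.221.211
Dec 17, 2024 07:15:08.320883989 CET  50009  27373  192.168.2.4      147.185.221.211
Dec 17, 2024 07:15:35.368598938 CET  50010  1234   192.168.2.4      147.185.221.211
Dec 17, 2024 07:16:02.418416977 CET  50011  27373  192.168.2.4      147.185.221.211
""".strip().splitlines()


def analyze_sample():
    return find_beacons(connection_starts(SAMPLE_PACKETS, "192.168.2.4"))


if __name__ == "__main__":
    for hit in analyze_sample():
        print(hit)
```

On the sample this reports one destination, nine connections on ports 1234 and 27373, a period of about 27.05 s and a jitter well under 1%; a real implementation would bucket by destination across a longer capture and treat a low jitter on an unfamiliar host and port pair as the alert condition, since the fixed reconnect delay is the part an implant cannot easily hide.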


                            Target ID:0
                            Start time:01:12:01
                            Start date:17/12/2024
                            Path:C:\Users\user\Desktop\PowerRat.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\PowerRat.exe"
                            Imagebase:0xea0000
                            File size:474'112 bytes
                            MD5 hash:F8A989FF9BF3894ACB35C791D053CBEC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1851846457.000000000435C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1850359273.0000000003328000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1850359273.0000000003328000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1706295948.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1706295948.0000000000EE8000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1850359273.00000000033E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:01:12:15
                            Start date:17/12/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' & exit
                            Imagebase:0x240000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:2
                            Start time:01:12:15
                            Start date:17/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:01:12:15
                            Start date:17/12/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3DB4.tmp.bat""
                            Imagebase:0x240000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:01:12:15
                            Start date:17/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:01:12:15
                            Start date:17/12/2024
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"'
                            Imagebase:0xa10000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:01:12:15
                            Start date:17/12/2024
                            Path:C:\Windows\SysWOW64\timeout.exe
                            Wow64 process (32bit):true
                            Commandline:timeout 3
                            Imagebase:0x800000
                            File size:25'088 bytes
                            MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:01:12:17
                            Start date:17/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\DasHost.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\AppData\Local\Temp\DasHost.exe
                            Imagebase:0x340000
                            File size:474'112 bytes
                            MD5 hash:F8A989FF9BF3894ACB35C791D053CBEC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\DasHost.exe, Author: Joe Security
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\DasHost.exe, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\DasHost.exe, Author: ditekSHen
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 79%, ReversingLabs
                            • Detection: 71%, Virustotal, Browse
                            Reputation:low
                            Has exited:true

                            Target ID:9
                            Start time:01:12:18
                            Start date:17/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\DasHost.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\DasHost.exe"
                            Imagebase:0x7f0000
                            File size:474'112 bytes
                            MD5 hash:F8A989FF9BF3894ACB35C791D053CBEC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.4169109164.0000000002C9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false
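The process list records the whole install routine: PowerRat.exe (target 0) spawns cmd.exe to run schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' (targets 1 and 5), then a second cmd.exe runs the dropped tmp3DB4.tmp.bat (target 3), which waits with timeout 3 (target 6) and starts DasHost.exe (targets 7 and 9, the same file as the submitted sample by MD5). The task name and file name borrow those of the Windows Device Association Framework host, dasHost.exe, which lives in System32, not in a user's Temp folder. The Python below is an added example, not part of the report: a scorer for schtasks /create command lines as they appear in process-creation logs, applying the checks a detection engineer would derive from that line (logon trigger, highest run level, /f, action under a user-writable path, a Windows binary name outside System32/SysWOW64, a task name that mimics a Windows component). The set of system binary names and the user-writable path fragments are small constructed lists, and the benign second command line is constructed for contrast.

```python
import re

# Constructed reference sets (assumptions, not data from the report): Windows binaries whose
# names get borrowed for look-alike files, where they legitimately live, and path fragments
# that any user can write to.
SYSTEM_BINARY_NAMES = {
    "dashost.exe", "svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "dllhost.exe",
    "taskhostw.exe", "runtimebroker.exe", "explorer.exe", "winlogon.exe", "services.exe",
}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")

# A schtasks switch is "/name" optionally followed by a value that is bare, "double-quoted" or
# 'single-quoted'; cmd.exe passes single quotes through, so a '"..."' value carries both kinds.
_SWITCH_RE = re.compile(r"""/(\w+)(?:\s+("[^"]*"|'[^']*'|[^\s/]\S*))?""")


def parse_schtasks(cmdline):
    """Switches of the first schtasks invocation in a command line, with wrappers such as
    cmd.exe /c ... & exit stripped. Valueless switches map to True."""
    m = re.search(r"schtasks(?:\.exe)?\b(.*)", cmdline, re.IGNORECASE)
    if not m:
        return None
    args = m.group(1).split(" & ")[0]
    opts = {}
    for name, value in _SWITCH_RE.findall(args):
        opts[name.lower()] = value.strip("\"'") if value else True
    return opts


def assess_task(cmdline):
    """(score, reasons) for a schtasks /create command line; one point per matched check."""
    opts = parse_schtasks(cmdline)
    if opts is None or "create" not in opts:
        return 0, []
    reasons = []
    schedule = str(opts.get("sc", "")).lower()
    action = str(opts.get("tr", "")).lower()
    task_name = str(opts.get("tn", ""))
    if schedule in ("onlogon", "onstart"):
        reasons.append(f"trigger {schedule}: survives reboot and logoff")
    if str(opts.get("rl", "")).lower() == "highest":
        reasons.append("/rl highest: runs with the highest privileges available to the user")
    if "f" in opts:
        reasons.append("/f: silently overwrites an existing task of the same name")
    if any(frag in action for frag in USER_WRITABLE):
        reasons.append(f"action under a user-writable path: {action}")
    exe = action.rsplit("\\", 1)[-1]
    if exe in SYSTEM_BINARY_NAMES and not any(d in action for d in SYSTEM_DIRS):
        reasons.append(f"{exe} is a Windows binary name but runs from outside System32/SysWOW64")
    if task_name and task_name.lower() + ".exe" in SYSTEM_BINARY_NAMES:
        reasons.append(f"task name {task_name!r} mimics a Windows component")
    return len(reasons), reasons


# Constructed sample: the command line from the report's process list (target 1) and a benign
# nightly backup task invented for contrast.
SAMPLE_CMDLINES = [
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DasHost" /tr '"C:\Users\user\AppData\Local\Temp\DasHost.exe"' & exit''',
    r'''schtasks /create /sc daily /st 03:00 /tn "Backup\Nightly" /tr "C:\Program Files\Backup\backup.exe --run"''',
]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        score, reasons = assess_task(line)
        print(score, line)
        for r in reasons:
            print("   -", r)
```

The report's command line scores on all six checks and the backup task on none; in a real pipeline the same scorer can be fed the CommandLine field of process-creation events, and the binary-name check should be extended to compare the file's hash against the copy in System32 rather than trusting the name.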


                              Execution Graph

                              Execution Coverage:23.3%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:67.9%
                              Total number of Nodes:53
                              Total number of Limit Nodes:0
                              execution_graph (node and edge listing omitted; API nodes in the graph, with the address of the block that calls each one):
                              32b45b6                   NtCreateSection
                              32b3d93                   NtAllocateVirtualMemory
                              32b4690                   NtQuerySystemInformation
                              32b4910                   NtDeviceIoControlFile
                              32b3b40                   NtSetInformationThread
                              32b4848                   NtQueryVolumeInformationFile
                              32b3c00                   NtClose
                              32b3a80                   NtQueryInformationProcess
                              5b91378, 5b91380, 5b91385  CheckRemoteDebuggerPresent
                              5b93485                   RtlSetProcessIsCritical
                              32b3cbe                   NtProtectVirtualMemory
                              32b475b                   NtMapViewOfSection
                              32b44de                   NtOpenFile
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: yZ$(h<=$(o^q$(o^q$-=>1$Hbq$Hbq$\s^q$pbq$pbq$;^q
                              • API String ID: 0-3837931364
                              • Opcode ID: 8cd658cb809431ffdcda3bec948531a93cba5b396e33fbf23790abd1cdec7bc6
                              • Instruction ID: 66c39bad4cec6c6f3dbd114286052a56cbe6f8c81772b7a70366aec8ae55d298
                              • Opcode Fuzzy Hash: 8cd658cb809431ffdcda3bec948531a93cba5b396e33fbf23790abd1cdec7bc6
                              • Instruction Fuzzy Hash: 04038E75B002198FDB25DF69C884A99BBB6BF88300F1581E9E509EB361DB35DE85CF40
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: #-N$%<3($'L:C$.;!$9*j$?G8U
                              • API String ID: 0-2982312951
                              • Opcode ID: f520a64d9eefe584a4f09b650ea8eb3ec971faf5113debe48bb343e3a00b48d0
                              • Instruction ID: 50d27a2724347805fd8a3dbaacb7fd3b9bdbf392b7a290c8eb0b9eb39e40a9ff
                              • Opcode Fuzzy Hash: f520a64d9eefe584a4f09b650ea8eb3ec971faf5113debe48bb343e3a00b48d0
                              • Instruction Fuzzy Hash: 55E33E75E002299FCB64DF68C840A9DB7B6FB89204F1585EAD80DE7350DB35AE81CF94

                              Control-flow Graph

                              control_flow_graph for the function at 32b6a30 (basic-block edge listing omitted; blocks span 32b6a30-32b73a5, no API calls in this graph)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: Hbq
                              • API String ID: 0-1245868
                              • Opcode ID: c30ad7acbe13f23060e16c9eefdf169ee5eac7951720982f0675736cadc4fecb
                              • Instruction ID: f22b734d031a4123ba0f28270831d8c705c1b167107286796304a86591bc86bc
                              • Opcode Fuzzy Hash: c30ad7acbe13f23060e16c9eefdf169ee5eac7951720982f0675736cadc4fecb
                              • Instruction Fuzzy Hash: 84629A32A10606CFCB14CF68C884AAEBBF6FF88350B158A69D4569B755D730F885CF94

                              Control-flow Graph

                              control_flow_graph 1714 32b4708-32b47bb NtMapViewOfSection 1717 32b47bd-32b47c3 1714->1717 1718 32b47c4-32b47e9 1714->1718 1717->1718
                              APIs
                              • NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 032B47AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              • Opcode ID: 96bfe86ce56e6a0e5fdaf4f711345aec3cf3a099e092a2c79e6d6fec8e12ded8
                              • Instruction ID: 263ee5d8a53133349431837a2128d9d9aba466b20701e23eb972e6891eeeb8c2
                              • Opcode Fuzzy Hash: 96bfe86ce56e6a0e5fdaf4f711345aec3cf3a099e092a2c79e6d6fec8e12ded8
                              • Instruction Fuzzy Hash: E331E2B59002499FCF10DFA9D984ADEBFF5BF4C324F14841AE918A7210C7359950CFA4

                              Control-flow Graph (rendered graph image not reproduced; executed/not-executed colouring lost)
                              • Blocks: 32b4710-32b47bb (NtMapViewOfSection) -> 32b47bd-32b47c3, 32b47c4-32b47e9; 32b47bd-32b47c3 -> 32b47c4-32b47e9
                              APIs
                              • NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 032B47AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              • Opcode ID: 116bc8aea9ca0e40ba00f180e5a1e01fef20fa4e92de74412a7b7c0902d4ef84
                              • Instruction ID: 4cb9746c04c8c954695f5a2be87354e22908167dcd31ffea99b0e2464b5d4374
                              • Opcode Fuzzy Hash: 116bc8aea9ca0e40ba00f180e5a1e01fef20fa4e92de74412a7b7c0902d4ef84
                              • Instruction Fuzzy Hash: CA31B1B5900249AFDF10DFAAD884ADEBBF5FF48324F14842AE918A7210C7359954DFA4

                              Control-flow Graph (rendered graph image not reproduced; executed/not-executed colouring lost)
                              • Blocks: 32b4560-32b4601 (NtCreateSection) -> 32b460a-32b462f, 32b4603-32b4609; 32b4603-32b4609 -> 32b460a-32b462f
                              APIs
                              • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 032B45F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: CreateSection
                              • String ID:
                              • API String ID: 2449625523-0
                              • Opcode ID: 32efa5f38b4ef42b255ec2d7f2bb96963aaac7361cfcc7746adf4c65ba13e6b7
                              • Instruction ID: 6f1d19bb84f50618c22e68d46cd5f4e70acd91083bd142699c511ee047ed24dd
                              • Opcode Fuzzy Hash: 32efa5f38b4ef42b255ec2d7f2bb96963aaac7361cfcc7746adf4c65ba13e6b7
                              • Instruction Fuzzy Hash: 6121F3B1D0125AEBCB10DFAAD984ADEFFB5FF48310F10852AE918A7210C7359954CB95

                              Control-flow Graph (rendered graph image not reproduced; executed/not-executed colouring lost)
                              • Blocks: 32b448a-32b4526 (NtOpenFile) -> 32b4528-32b452e, 32b452f-32b4554; 32b4528-32b452e -> 32b452f-32b4554
                              APIs
                              • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 032B4519
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: FileOpen
                              • String ID:
                              • API String ID: 2669468079-0
                              • Opcode ID: aa356c8daf9d6e9cda6c31cd522921dd9180107fb20eee9bbbc00c999761ff2a
                              • Instruction ID: c72e2d281e810fb437a6966e16547222907965b8c59f2e121af1500b315760f2
                              • Opcode Fuzzy Hash: aa356c8daf9d6e9cda6c31cd522921dd9180107fb20eee9bbbc00c999761ff2a
                              • Instruction Fuzzy Hash: BB2105B1D01219AFCB10DFAAD985ADEFBB4FF48310F20852AE518B7200C7759A54CFA1
                              APIs
                              • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 05B913F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1852476036.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_5b90000_PowerRat.jbxd
                              Similarity
                              • API ID: CheckDebuggerPresentRemote
                              • String ID:
                              • API String ID: 3662101638-0
                              • Opcode ID: f5c13ef991da4a0f76deaf78121270dd93318aedc14b2798a64ebed6ea99b7bf
                              • Instruction ID: fa48572e6a0938c416f00f9e64a70285a90dde62653cbddfaf6e2d795a87ec92
                              • Opcode Fuzzy Hash: f5c13ef991da4a0f76deaf78121270dd93318aedc14b2798a64ebed6ea99b7bf
                              • Instruction Fuzzy Hash: B32116B1900259CFCB14CF9AD844BEEBBF4AF49320F14846AE459A7250D778A944CF65
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0a:s
                              • API String ID: 0-1960802389
                              • Opcode ID: 0cc6b9b5ebb459a2e4d022798340038021c4ae2f84b406e444abed9fc4444d2e
                              • Instruction ID: 91929ddf5fd79f35c48be0cacdfbeda524567ac0bb7e2dee80de2323884ef392
                              • Opcode Fuzzy Hash: 0cc6b9b5ebb459a2e4d022798340038021c4ae2f84b406e444abed9fc4444d2e
                              • Instruction Fuzzy Hash: 9BE1E875E0020A8FCB45CFA9C8815AEBBF2FF89314F50816AD429E7355D7389A56CF90
                              APIs
                              • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 032B45F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: CreateSection
                              • String ID:
                              • API String ID: 2449625523-0
                              • Opcode ID: c42f3781fa9a0027f3deab8dfc5c96289f58baf261e8763fc0235969898dbfe8
                              • Instruction ID: 6c13683588677db8af885be1c3ad13958b1b8cccbaf7ea5ccaa11bba37888f78
                              • Opcode Fuzzy Hash: c42f3781fa9a0027f3deab8dfc5c96289f58baf261e8763fc0235969898dbfe8
                              • Instruction Fuzzy Hash: B021F2B1D01259AFCB00DFAAD980ADEFBB4FF48310F10802AE918A7200C775A954CBA4
                              APIs
                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 032B3DCB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              • Opcode ID: 64e1f6df42d0e4b945ff480d310568b232279229f845a43fec20c12c5d5016f6
                              • Instruction ID: 539ca29aaf11c6e87bccecfc091afc45ef12cf65633b3d5a510f086951a24ed1
                              • Opcode Fuzzy Hash: 64e1f6df42d0e4b945ff480d310568b232279229f845a43fec20c12c5d5016f6
                              • Instruction Fuzzy Hash: 3C2114B5D002199FCB10DFAAC885ADEFBF5FF48350F10842AE919A7210C7359944CFA4
                              APIs
                              • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 032B3CF9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 75d9954f7da4ea01ca00af38f61466d5b9cafe9361259a75c6bee216827f69dd
                              • Instruction ID: d4911407e54e5e2a5e1f0a77b323d84eff28711a09f10f218192de9c9d5aca61
                              • Opcode Fuzzy Hash: 75d9954f7da4ea01ca00af38f61466d5b9cafe9361259a75c6bee216827f69dd
                              • Instruction Fuzzy Hash: A6211EB5D002499FCB10CFAAD980ADEFBF5FF48314F20842AE559A7210C735A940CBA4
                              APIs
                              • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 032B3CF9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: f6a6b41407317dad2d70423780f80e8fc0250d1b25bd62d77c50f76e4b90ecf5
                              • Instruction ID: 0cbb3c9592f00336c683c5eba7af904ae7aa9507d0b66b51a37cd7babc630ad1
                              • Opcode Fuzzy Hash: f6a6b41407317dad2d70423780f80e8fc0250d1b25bd62d77c50f76e4b90ecf5
                              • Instruction Fuzzy Hash: 5A2100B1D003499FCB10DFAAD980ADEFBF5FF48310F20842AE959A7210C775A944CBA4
                              APIs
                              • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 032B4519
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: FileOpen
                              • String ID:
                              • API String ID: 2669468079-0
                              • Opcode ID: b81f43a6d5b2efa36514c0eedaafb8b35fdf7009da5ca4b3aad494b0f9e6b166
                              • Instruction ID: 2fa7bb97cb8ae5c4230bfac53b30240f0d78272cea109da196dd53e185ff7684
                              • Opcode Fuzzy Hash: b81f43a6d5b2efa36514c0eedaafb8b35fdf7009da5ca4b3aad494b0f9e6b166
                              • Instruction Fuzzy Hash: F421E4B1D0121DAFCB10DFAAD984ADEFBF4FF48314F10842AE918A7210C7759A54CBA5
                              APIs
                              • NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 032B494E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: ControlDeviceFile
                              • String ID:
                              • API String ID: 3512290074-0
                              • Opcode ID: 5859bd3df257126a539da2abbaf151961f5c03f4e80d44a9d32a5204d1e513d0
                              • Instruction ID: 5fb8477e133b4b373f61140b72bfff9a01332a5e457268ac3b1f63aefee85a74
                              • Opcode Fuzzy Hash: 5859bd3df257126a539da2abbaf151961f5c03f4e80d44a9d32a5204d1e513d0
                              • Instruction Fuzzy Hash: 4921F5B19002499FCF10DFAAC844ADEFBF5FF88314F148429E959A7210C7759954CFA5
                              APIs
                              • NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 032B494E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: ControlDeviceFile
                              • String ID:
                              • API String ID: 3512290074-0
                              • Opcode ID: 0a9ccee01340c2f8ad2972c8bd8b787546062968f6e81ba88bade74fdf80e16b
                              • Instruction ID: ac104778d5bb391e3b5cd13cd93a9b939f991b62adc4afa92289f78c08321678
                              • Opcode Fuzzy Hash: 0a9ccee01340c2f8ad2972c8bd8b787546062968f6e81ba88bade74fdf80e16b
                              • Instruction Fuzzy Hash: 302114B29002499FCF10DFAAD944ADEFBF5FF88314F14841AE559A7210C7359954CFA0
                              APIs
                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 032B3AAF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: eb60e5d5fc8a8a9578ec9e2cb523d2ff76623aff0fb8097970610c4ba86e9fb8
                              • Instruction ID: 901ab78638c5b25a89138e38a767beba533b4d1425dfb69866fdf1688ffaafbb
                              • Opcode Fuzzy Hash: eb60e5d5fc8a8a9578ec9e2cb523d2ff76623aff0fb8097970610c4ba86e9fb8
                              • Instruction Fuzzy Hash: A82137B1900249DFCB10DFAAC844AEEFBF4FF48320F14842AE919A7250D7759944CFA1
                              APIs
                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 032B3DCB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              • Opcode ID: 7cece752cf8b8e131038dde17a12e3532472c8f942caa9268f459bf643b1835b
                              • Instruction ID: 0c9d91cc631dde45228f81ed93d6ebac05eba0428fd232bc560380356c663199
                              • Opcode Fuzzy Hash: 7cece752cf8b8e131038dde17a12e3532472c8f942caa9268f459bf643b1835b
                              • Instruction Fuzzy Hash: 1C2123B19002199FCB10DFAAC884ADEFBF5FF48310F10842AE919A7210C735A944CBA4
                              APIs
                              • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 032B4877
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: FileInformationQueryVolume
                              • String ID:
                              • API String ID: 634242254-0
                              • Opcode ID: 656f439da5361df0bfc6093cedf67a4e8730e8a7af508551805e440a1e6097ad
                              • Instruction ID: c2563356621d079ab0978930d3b03ee7fa33a4897aa39c1eb816ab0233f6b9c6
                              • Opcode Fuzzy Hash: 656f439da5361df0bfc6093cedf67a4e8730e8a7af508551805e440a1e6097ad
                              • Instruction Fuzzy Hash: 452115B19002498EDB20DFAAD984BDEFBF5AF88314F14842AD459A7250C779A544CFA1
                              APIs
                              • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 032B46BC
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: InformationQuerySystem
                              • String ID:
                              • API String ID: 3562636166-0
                              • Opcode ID: 9b76abcf255a2498a7d335e5bacbf6da535542f3b73c7de550c23aede7f68200
                              • Instruction ID: 7970e7f16fe535215966022b6f777685d0c26cfad4741abbee0923075d5d1a21
                              • Opcode Fuzzy Hash: 9b76abcf255a2498a7d335e5bacbf6da535542f3b73c7de550c23aede7f68200
                              • Instruction Fuzzy Hash: F72147B19002499FCB10DFAAC984BDEFBF4EF88324F14842ED459A7250C7749544CFA5
                              APIs
                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 032B3AAF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: b1b553e2709d1d88e6066b9d9f2e6b4a77ac28f5283dc36062b5794890dc280f
                              • Instruction ID: 7aa2c70cfa70fdd8631afe113810fe598f0e13a935e6124372c43dd54fc1d3a9
                              • Opcode Fuzzy Hash: b1b553e2709d1d88e6066b9d9f2e6b4a77ac28f5283dc36062b5794890dc280f
                              • Instruction Fuzzy Hash: BD21F4B1900249DFCB10DFAAC844ADEFBF5EF88324F14842AE559A7250C775A944CFA5
                              APIs
                              • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 032B4877
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: FileInformationQueryVolume
                              • String ID:
                              • API String ID: 634242254-0
                              • Opcode ID: a96516dff0936629e2098a367cad5050c960d21ac70938ec86aaffb9432fc71e
                              • Instruction ID: 0d4de40eacb7c4ca52b4fc1f71e75cf82926c5542593cf433c4dd109b25fc9bf
                              • Opcode Fuzzy Hash: a96516dff0936629e2098a367cad5050c960d21ac70938ec86aaffb9432fc71e
                              • Instruction Fuzzy Hash: 2E2124B1D002499FDB10DFAAD884BDEFBF5EF88324F10842AE559A7250C775A944CFA1
                              APIs
                              • NtSetInformationThread.NTDLL(?,?,?,?), ref: 032B3B6B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: InformationThread
                              • String ID:
                              • API String ID: 4046476035-0
                              • Opcode ID: ab95bcea5d87fe1edef004e2fece4da16b05042f8fa8e8d6bc1e78f2251c28a7
                              • Instruction ID: 1e2027d0b93ba4c96784387815501ccd6951971e3deb2252b216da4b31425ec8
                              • Opcode Fuzzy Hash: ab95bcea5d87fe1edef004e2fece4da16b05042f8fa8e8d6bc1e78f2251c28a7
                              • Instruction Fuzzy Hash: 52115675800249CBCB10DFAAC845BEEFFF5EF88324F24881AD559A7250C775A584CF94
                              APIs
                              • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 032B46BC
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: InformationQuerySystem
                              • String ID:
                              • API String ID: 3562636166-0
                              • Opcode ID: 2fc4fdecadb3ecc747dc902dbea91c6f4ee606048ca6983c3d3cf631b85dc6fc
                              • Instruction ID: 068730941fc44a96e3aebe861eaa3d79a194431e221fa73f813f7e19b63b8d92
                              • Opcode Fuzzy Hash: 2fc4fdecadb3ecc747dc902dbea91c6f4ee606048ca6983c3d3cf631b85dc6fc
                              • Instruction Fuzzy Hash: 2B1106B1D002499FCB10DFAAC884BDEFBF4EF88324F14842AD559A7250CB75A944CFA5
                              APIs
                              • NtSetInformationThread.NTDLL(?,?,?,?), ref: 032B3B6B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: InformationThread
                              • String ID:
                              • API String ID: 4046476035-0
                              • Opcode ID: 9c55ae7a5c4159bd37b06007b8c279bfd64895bf426c75bf9567003948c5fb89
                              • Instruction ID: 545094292441674473cf9ab0125032f2442d93b6b491ad8a6cb5fba3354be382
                              • Opcode Fuzzy Hash: 9c55ae7a5c4159bd37b06007b8c279bfd64895bf426c75bf9567003948c5fb89
                              • Instruction Fuzzy Hash: FC1134B59002498FCB10DFAAC845BDEFBF5EB88324F24881AD559A7250CB75A584CFA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: f22037dce5ce90a5927b70fc4adc8e8c261d70853800bb1f0727c27361575775
                              • Instruction ID: fa78979e830a11b364f2e3287de5463cce25d015097946baba834e1f9d5e9c9e
                              • Opcode Fuzzy Hash: f22037dce5ce90a5927b70fc4adc8e8c261d70853800bb1f0727c27361575775
                              • Instruction Fuzzy Hash: F11128B1D003498FCB20DFAAD4457EEFBF4AB88324F24842AD559A7250C7756944CF94
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: 1b578e66ec15f382358ba94c1e0cfd949cef3cd0134659b5c070cdc0fa2c8f9a
                              • Instruction ID: d0d6519e64824993a37cbce3d8fbb181068a64a4cb7946d8d7d58a0edf305ce1
                              • Opcode Fuzzy Hash: 1b578e66ec15f382358ba94c1e0cfd949cef3cd0134659b5c070cdc0fa2c8f9a
                              • Instruction Fuzzy Hash: A9113AB19003498FCB20DFAAC4457DEFBF4EB88324F248419D559A7250CB75A544CF94
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1852476036.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_5b90000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: \VKm
                              • API String ID: 0-3894457903
                              • Opcode ID: 4e0b352143a578e66e199515eb20be3e482ef961a9fb04faf82f915c58addf3d
                              • Instruction ID: ea424faa56810f272d26e9b8db1d8d1bc5ba80830bc7f553aeb3d8a83f921c00
                              • Opcode Fuzzy Hash: 4e0b352143a578e66e199515eb20be3e482ef961a9fb04faf82f915c58addf3d
                              • Instruction Fuzzy Hash: 3EB12A70E0020DDFDF14DFA9C8897ADBBF2BB88314F148179D815A7254EB74A845CB91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0a:s
                              • API String ID: 0-1960802389
                              • Opcode ID: a4e2e8406d94b3c0e9aa9d595232b14685dbafea48b3a8a3e8906dd99300b55e
                              • Instruction ID: b70afa0ae32a6cae31a6f5edc9ffa84f5791b0a594e56a5a615a09ee0d730d6c
                              • Opcode Fuzzy Hash: a4e2e8406d94b3c0e9aa9d595232b14685dbafea48b3a8a3e8906dd99300b55e
                              • Instruction Fuzzy Hash: 8AC1E874E0020A8FCB44CFAAC8815AEBBF2FF88314F50816AD429E7355D7389956CF91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 20390647d9f06dddb13d83cfda8f2d87f966ea217ef3742e29b1f53918a7d23a
                              • Instruction ID: 9720a9d867b464fb2de1c590a70d83ec2f9330bf8b8472ac3086640dac65006a
                              • Opcode Fuzzy Hash: 20390647d9f06dddb13d83cfda8f2d87f966ea217ef3742e29b1f53918a7d23a
                              • Instruction Fuzzy Hash: 74E1BD31B007058FDB15DEA9D8D069EB7B7AF98204B548129E51EEB392DB74EC06CB00
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0063d1dd5ff1c4503b6b68b2addb557fdec3aad7bea49fba6ddf374c02d56fee
                              • Instruction ID: b7d9dcc25cd3ac19ed6a018577e05724810f845a9f173d5f1231f5ac38901c78
                              • Opcode Fuzzy Hash: 0063d1dd5ff1c4503b6b68b2addb557fdec3aad7bea49fba6ddf374c02d56fee
                              • Instruction Fuzzy Hash: 54D1F431F005368FCB1AEAAC9C5417EB6F7BBC8640B050A69D81AEB3D4DE749C058BD5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8128a5a8c4c02927d5f0790517ad56d67fa3cc56adea349ac387e78c0e33fc18
                              • Instruction ID: a3bfb364b2f1d2211fbd8fceeb5615ad695eb5b77e197b0a262e2c0e2908f4f8
                              • Opcode Fuzzy Hash: 8128a5a8c4c02927d5f0790517ad56d67fa3cc56adea349ac387e78c0e33fc18
                              • Instruction Fuzzy Hash: 0EB18B75F607098FCB14DFA8D8C499EB7B2BF98300B258569E509AB361DB70EC45CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b2bdfd45154f585bb9652e40453da3a9fc322d9dad82b6904c367eee176ecde3
                              • Instruction ID: 0214f28ab4bef449ef7b0b2cb8e99cfc5db4bde81ebd78adfddeb41a4586da7f
                              • Opcode Fuzzy Hash: b2bdfd45154f585bb9652e40453da3a9fc322d9dad82b6904c367eee176ecde3
                              • Instruction Fuzzy Hash: 21A1DF71B007168FDB15DEADD8D029DB6B7AF98204B548139E51EEF392EA74DC0ACB00
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fd56a0290449ce09d2bc5cdbe4ad74a7d912bd75d147b968fe754def83e01fbc
                              • Instruction ID: 02bd5b209a233e11af6fa759080db48dc441be27d883a8e5ea9cdc10a58e1b8b
                              • Opcode Fuzzy Hash: fd56a0290449ce09d2bc5cdbe4ad74a7d912bd75d147b968fe754def83e01fbc
                              • Instruction Fuzzy Hash: 3CA1E536E002298FCB15DF6CD88499EBBB6FB88310B068176D809EB390D7759C41CBD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1852476036.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_5b90000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1234d9bc6c149bd258ad0d9dfad56ab205b1ac6f9cd4bc94257b0d052bb39b42
                              • Instruction ID: 462c9bf9e92a48b0d9fe42c98c8a2bd82e0f01c1cad3b54a1964b131ddc33884
                              • Opcode Fuzzy Hash: 1234d9bc6c149bd258ad0d9dfad56ab205b1ac6f9cd4bc94257b0d052bb39b42
                              • Instruction Fuzzy Hash: B3B19C70E0060A8FDF14DFA9D8857ADBBF2FF88314F148179E419A7254EB75A885CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bbff568059d9b9d395bee763a5627a7c5088f269558a875c4c9abfc3fffa392c
                              • Instruction ID: 2971ee0c97c17a4dba218c59889b2cfcb970abb87730fe98af9cba8526c3db39
                              • Opcode Fuzzy Hash: bbff568059d9b9d395bee763a5627a7c5088f269558a875c4c9abfc3fffa392c
                              • Instruction Fuzzy Hash: 86517B71E607198FDB18DFA9D88069EB7B2BB98300F25852DD505EB351DBB49C86CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 89a04be86fefbd6ba27a4e261d14223c110c52bb061adac33b142c11ad1ac6e5
                              • Instruction ID: 2f6696090d2ccb30382432413b1f99d5d2d1da77227e1912af213341c8475e5b
                              • Opcode Fuzzy Hash: 89a04be86fefbd6ba27a4e261d14223c110c52bb061adac33b142c11ad1ac6e5
                              • Instruction Fuzzy Hash: FF51E477F002258F9B15EF79C84456EB7A7AF9825131A81A9DD0AEB3A1DB30DC05CBD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 281f514a73f1c4bf61993b693cc4d795e9247d4392b4d26f7f86bd117ec4e752
                              • Instruction ID: 9cfc7a099989e5d5ade48a4dfca0e522b90235e179061e703ee14ab488809118
                              • Opcode Fuzzy Hash: 281f514a73f1c4bf61993b693cc4d795e9247d4392b4d26f7f86bd117ec4e752
                              • Instruction Fuzzy Hash: 6351E176F002258F8B19EF79C84456EB7A7AF9825131A8169DD0AEB3A1DB30DC05CBD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9d20371f58261c1cea431e7f828fb13145f779889b0945a338c29768f97355c9
                              • Instruction ID: fb60fd3abbf18f31ebb942c2e10fa016fe9f491567b184f87ab8f239b600c7ff
                              • Opcode Fuzzy Hash: 9d20371f58261c1cea431e7f828fb13145f779889b0945a338c29768f97355c9
                              • Instruction Fuzzy Hash: 46412933F105354B9759CA1DC8951AAF7E79BD422074A82BAD809FB781DA74CC06C7D0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 02a8c6e784ca55b64d9d112ac0bd88e737caab3e64fe97c819e1f68307706dde
                              • Instruction ID: 8f947548b82a751f319afcf96a71e47f3ac7d782ef539ac27abd130355b64e4f
                              • Opcode Fuzzy Hash: 02a8c6e784ca55b64d9d112ac0bd88e737caab3e64fe97c819e1f68307706dde
                              • Instruction Fuzzy Hash: 3C413933F205354B9B18DA1DC8951AAF6E7ABD4220B5E82BADD09FB781DA74DC01C7D0

Control-flow Graph (rendered graph not reproduced; the node list below gives basic blocks as "id start-end" and edges as "a->b"; the executed/not-executed coloring of the graph did not survive extraction):
control_flow_graph 1324 3260002-3260053 1325 3260055 1324->1325 1326 32600c3-32600d0 1324->1326 1327 32600d2-32600dc 1326->1327 1328 3260110-3260115 1326->1328 1331 32600f4 1327->1331 1332 32600de-32600e4 1327->1332 1329 3260117-3260138 1328->1329 1330 326018a 1328->1330 1342 3260152-3260182 1329->1342 1343 326013a-3260140 1329->1343 1336 326018c-3260198 1330->1336 1337 32601fa 1330->1337 1334 32600e6 1332->1334 1335 32600e8-32600f2 1332->1335 1338 32601a4-32601cb 1336->1338 1339 326019a-326019e 1336->1339 1340 3260212-3260218 1337->1340 1341 32601fc-3260202 1337->1341 1339->1338 1350 326021e-3260220 1340->1350 1344 3260206-3260210 1341->1344 1345 3260204 1341->1345 1342->1336 1346 3260144-3260150 1343->1346 1347 3260142 1343->1347 1344->1340 1345->1340 1346->1342 1347->1342
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4'^q$4'^q$dLdq$$^q
                              • API String ID: 0-4211619051
                              • Opcode ID: 154b7b882ac79300bbb85008ed8d70c2784a0b0643e986b56ac09923a4ccdb2a
                              • Instruction ID: ae776c1b8c0db51cb1503f8bcba91e28ac34efbcfee35dc5ffa23f0e1094e359
                              • Opcode Fuzzy Hash: 154b7b882ac79300bbb85008ed8d70c2784a0b0643e986b56ac09923a4ccdb2a
                              • Instruction Fuzzy Hash: BD411471A1D3858FCB2ACF78C8585697FF5AF8A200B1C84DBD445CB362D6348D84DB62

Control-flow Graph (rendered graph not reproduced; the node list below gives basic blocks as "id start-end" and edges as "a->b"; the executed/not-executed coloring of the graph did not survive extraction):
control_flow_graph 1357 3260b2f-3260b43 1358 3260b45-3260b4a 1357->1358 1359 3260b4c 1358->1359 1360 3260b4d-3260b5b 1358->1360 1359->1360 1361 3260bd2-3260bdd 1360->1361 1362 3260b5d-3260b61 1360->1362 1363 3260bf5-3260c07 1361->1363 1364 3260bdf-3260be5 1361->1364 1362->1358 1365 3260b63-3260b78 1362->1365 1376 3260c21-3260c35 1363->1376 1377 3260c09-3260c0f 1363->1377 1366 3260be7 1364->1366 1367 3260be9-3260bf3 1364->1367 1368 3260b1e-3260b26 1365->1368 1369 3260b7a-3260b86 1365->1369 1366->1363 1367->1363 1378 3260b2d 1368->1378 1370 3260b87-3260b92 1369->1370 1374 3260b94 1370->1374 1375 3260b95-3260b96 1370->1375 1374->1375 1379 3260b9d 1375->1379 1380 3260b98-3260b99 1375->1380 1387 3260c3c-3260c3f 1376->1387 1381 3260c13-3260c1f 1377->1381 1382 3260c11 1377->1382 1379->1370 1384 3260b9e-3260baf 1379->1384 1380->1379 1381->1376 1382->1376
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: lqcq$$^q$$^q
                              • API String ID: 0-513581550
                              • Opcode ID: 1c4b4859eaa8cede80e12b4a926f994842ba532a9904e163a0abf3addfbd3266
                              • Instruction ID: 8a02d7ddc4dcda55099650caae48200f4b89981b69b3d5a8112d3ef2b6d734ad
                              • Opcode Fuzzy Hash: 1c4b4859eaa8cede80e12b4a926f994842ba532a9904e163a0abf3addfbd3266
                              • Instruction Fuzzy Hash: E931AF21A1D3864FC716CB7858A451ABFF66E9751831DC8DFC085CF2A7C8149C85D3A6

Control-flow Graph (rendered graph not reproduced; the node list below gives basic blocks as "id start-end" and edges as "a->b"; the executed/not-executed coloring of the graph did not survive extraction):
control_flow_graph 1420 32612db-32612f0 1421 32612f1-32612f2 1420->1421 1422 326134d-326134f 1420->1422 1423 32612f4 1421->1423 1424 32612f5 1421->1424 1425 3261353-3261354 1422->1425 1426 3261351 1422->1426 1423->1424 1427 32612f6 1424->1427 1428 326136a-326137a 1424->1428 1430 3261356-326135e 1425->1430 1431 3261332-3261347 1425->1431 1429 326135f-3261364 1426->1429 1433 32612f7-32612fc 1427->1433 1434 32612fd-32612ff 1427->1434 1437 326137c 1428->1437 1438 326137d-326137e 1428->1438 1435 3261366-3261369 1429->1435 1436 326130a 1429->1436 1430->1429 1431->1429 1439 3261349 1431->1439 1433->1434 1440 3261317-3261323 1434->1440 1441 3261301-3261306 1434->1441 1435->1428 1443 326130b-3261316 1436->1443 1437->1438 1444 3261385-3261395 1438->1444 1445 326137f-3261384 1438->1445 1439->1422 1441->1438 1446 3261307 1441->1446 1443->1440 1451 3261397-326139d 1444->1451 1452 32613af-32613b2 1444->1452 1445->1444 1446->1443 1449 3261308-3261309 1446->1449 1449->1440 1454 32613a1-32613ad 1451->1454 1455 326139f 1451->1455 1456 32613b9-32613be 1452->1456 1454->1452 1455->1452
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: $^q$$^q
                              • API String ID: 0-355816377
                              • Opcode ID: 3c98bec88a6ff230835ea8d9378bdc72b081a9f2c35dc59777d2ae45cf622383
                              • Instruction ID: d2a1cf6670e08e41b02159de65bd545fa929c5b37cba88ec05e40ef8758cbf80
                              • Opcode Fuzzy Hash: 3c98bec88a6ff230835ea8d9378bdc72b081a9f2c35dc59777d2ae45cf622383
                              • Instruction Fuzzy Hash: 87314662A6D2C24FCB27C6695450055BFEA5FC701032C04DBC0828F667D955B8F6C392

Control-flow Graph (rendered graph not reproduced; the node list below gives basic blocks as "id start-end" and edges as "a->b"; the executed/not-executed coloring of the graph did not survive extraction):
control_flow_graph 1458 190a870-190a8a9 1460 190a8ac-190a8b6 1458->1460 1461 190a8b8 1460->1461 1462 190a8bd-190a8e3 1460->1462 1461->1462 1464 190a8e9-190a904 1462->1464 1466 190a906-190a914 1464->1466 1467 190a959-190a978 1464->1467 1466->1460 1468 190a916-190a91a 1466->1468 1469 190a97e-190a992 1467->1469 1470 190a93b 1468->1470 1471 190a91c-190a925 1468->1471 1469->1460 1472 190a998-190a9b8 1469->1472 1473 190a93e-190a954 1470->1473 1474 190a927-190a92a 1471->1474 1475 190a92c-190a92f 1471->1475 1472->1464 1481 190a9be-190a9d4 1472->1481 1476 190a9d6-190a9dc 1473->1476 1477 190a939 1474->1477 1475->1477 1478 190a9e6 1476->1478 1479 190a9de 1476->1479 1477->1473 1482 190a9e7 1478->1482 1479->1478 1481->1476 1482->1482
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: \;^q$\;^q
                              • API String ID: 0-2277681078
                              • Opcode ID: f7aa1ca319e943287d2fe88d1ea23587c889db88c7819a3aa32fae5aed801bca
                              • Instruction ID: 2ea909ac5ec7703215c5cb804b9d6967bafbdb55d3b85595b281fc9ffcd473b6
                              • Opcode Fuzzy Hash: f7aa1ca319e943287d2fe88d1ea23587c889db88c7819a3aa32fae5aed801bca
                              • Instruction Fuzzy Hash: FA41B075F003199FEB16CAA9D844BAEBBFAAF88310F154429D805FB380DB749D45CB90

Control-flow Graph (rendered graph not reproduced; the node list below gives basic blocks as "id start-end" and edges as "a->b", with "call 190a870" marking the call into the function listed just above; the executed/not-executed coloring of the graph did not survive extraction):
control_flow_graph 1483 190fe1e-190fe76 1489 190fe7b-190fe9b call 190a870 1483->1489 1491 190fea0-190febb 1489->1491 1491->1489 1492 190febd-190fecb 1491->1492 1494 190fee0-190fee9 1492->1494 1495 190fecd-190fed4 1492->1495 1494->1489 1496 190feeb-190ff39 1494->1496 1495->1489 1497 190fed6-190fedf 1495->1497
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: (o^q$Hbq
                              • API String ID: 0-662517225
                              • Opcode ID: f1e21f6dca5c7e9d70cf7303d93685280fbefbee7e4f790dff7c3cdd174bc2d0
                              • Instruction ID: 26a831ca6136e836517fcdc6525833a842ae532ad02a57bd7f740cb7e561b407
                              • Opcode Fuzzy Hash: f1e21f6dca5c7e9d70cf7303d93685280fbefbee7e4f790dff7c3cdd174bc2d0
                              • Instruction Fuzzy Hash: EA113D31F042194FC728EA6E9C4419E7BB36BC9250F08417AE40EDB3A6EA34CD15CBD1

Control-flow Graph (rendered graph not reproduced; the node list below gives basic blocks as "id start-end" and edges as "a->b"; the executed/not-executed coloring of the graph did not survive extraction):
control_flow_graph 1504 32614a3-32614ab 1505 32614b2-32614be 1504->1505 1506 32614c5-32614c8 1505->1506 1507 32614c0-32614c4 1505->1507 1506->1505 1508 32614c9-32614d2 1506->1508 1507->1506 1510 32614d4-32614da 1508->1510 1511 32614ec-32614ee 1508->1511 1512 32614de-32614ea 1510->1512 1513 32614dc 1510->1513 1514 32614f5-32614f9 1511->1514 1512->1511 1513->1511
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: $^q$$^q
                              • API String ID: 0-355816377
                              • Opcode ID: 8e9a9fd9711e854d4e835fb339a48b90009c5f3943c5809a1278f562eeafdfb7
                              • Instruction ID: 5806bb95032a190aab860474b165fff5f42d7e2c59d4d06a0dd4750cbc03be0d
                              • Opcode Fuzzy Hash: 8e9a9fd9711e854d4e835fb339a48b90009c5f3943c5809a1278f562eeafdfb7
                              • Instruction Fuzzy Hash: 78F09635F2D3924FCB2B966928584566FB95FC692431D05EFC440DF267C908AC8583A2

Control-flow Graph (rendered graph not reproduced; the node list below gives basic blocks as "id start-end" and edges as "a->b"; the executed/not-executed coloring of the graph did not survive extraction):
control_flow_graph 1516 3260ca7-3260cda 1519 3260cf4-3260cf6 1516->1519 1520 3260cdc-3260ce2 1516->1520 1523 3260cfd-3260d01 1519->1523 1521 3260ce6-3260cf2 1520->1521 1522 3260ce4 1520->1522 1521->1519 1522->1519
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: $^q$$^q
                              • API String ID: 0-355816377
                              • Opcode ID: f975ad00e5456a295aa9a24ecac09f820823c7b0e8b55592ad6434e95493fedd
                              • Instruction ID: 88e0780127e89a0a0b7bf73e92d70438c64583dd6f2c7998638463b4cd95c69a
                              • Opcode Fuzzy Hash: f975ad00e5456a295aa9a24ecac09f820823c7b0e8b55592ad6434e95493fedd
                              • Instruction Fuzzy Hash: DBF05E21A2E3E14FC727962818A44562FB94ED751031E44EBC440DF2A7CC588C8A83A3

Control-flow Graph (rendered graph not reproduced; the node list below gives basic blocks as "id start-end" and edges as "a->b"; the executed/not-executed coloring of the graph did not survive extraction):
control_flow_graph 1525 32613e0-32613eb 1527 3261403-326141d 1525->1527 1528 32613ed-32613f3 1525->1528 1533 3261423-3261426 1527->1533 1529 32613f7-3261401 1528->1529 1530 32613f5 1528->1530 1529->1527 1530->1527
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: XX^q$XX^q
                              • API String ID: 0-1102689228
                              • Opcode ID: 47c72ab3d00a2238cb7f73188f02d8dbdb4c2cf4adff908d880ca3c2012b9bd3
                              • Instruction ID: 11d8c1ad19e717f544291b4550250f92b20b4d92db4f96307546eca925d961c2
                              • Opcode Fuzzy Hash: 47c72ab3d00a2238cb7f73188f02d8dbdb4c2cf4adff908d880ca3c2012b9bd3
                              • Instruction Fuzzy Hash: 1FE0E535B100085F87089A1ED404D56BBEBEFC5621334C066E405CB324CA31EC928790

Control-flow Graph (rendered graph not reproduced; the node list below gives basic blocks as "id start-end" and edges as "a->b"; the CheckRemoteDebuggerPresent call sits in block 5b91385-5b91404, and both successor blocks 5b91406-5b9140c and 5b9140d-5b91448 converge afterwards; the executed/not-executed coloring of the graph did not survive extraction):
control_flow_graph 1730 5b91378-5b9137e 1731 5b91380-5b91384 1730->1731 1732 5b91385-5b91404 CheckRemoteDebuggerPresent 1730->1732 1731->1732 1734 5b9140d-5b91448 1732->1734 1735 5b91406-5b9140c 1732->1735 1735->1734
                              APIs
                              • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 05B913F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1852476036.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_5b90000_PowerRat.jbxd
                              Similarity
                              • API ID: CheckDebuggerPresentRemote
                              • String ID:
                              • API String ID: 3662101638-0
                              • Opcode ID: a59cc849fa5c259502a1c445e76200c96db9440700fe32e3ff3913b597dd4c31
                              • Instruction ID: 9fafd42b907e2327e0dad11d6cb4f0a0fbe4f8463baec45407f61c6e684efa7f
                              • Opcode Fuzzy Hash: a59cc849fa5c259502a1c445e76200c96db9440700fe32e3ff3913b597dd4c31
                              • Instruction Fuzzy Hash: 222139B190025ADFCB14CF9AD444BEEFBF4EF49310F14846AE455A3251D778A944CF64
                              APIs
                              • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 05B934E5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1852476036.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_5b90000_PowerRat.jbxd
                              Similarity
                              • API ID: CriticalProcess
                              • String ID:
                              • API String ID: 2695349919-0
                              • Opcode ID: 4160f55354eb8d3702073bfaf29fefc273c58cf89c00a92cb6aff514cb7e64b4
                              • Instruction ID: ad3e4132a3e7770d4a6d21d9e99e1fd438f324a76039276cdb5f206965b524bf
                              • Opcode Fuzzy Hash: 4160f55354eb8d3702073bfaf29fefc273c58cf89c00a92cb6aff514cb7e64b4
                              • Instruction Fuzzy Hash: 481113B1904248DFCB20DF9AC444BDEFFF4EB88324F248469D559A7250C775A540CFA5
                              APIs
                              • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 05B934E5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1852476036.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_5b90000_PowerRat.jbxd
                              Similarity
                              • API ID: CriticalProcess
                              • String ID:
                              • API String ID: 2695349919-0
                              • Opcode ID: d4a2b2e7ea5ec85da598885c8df4c0f10da274186418ab556979ebb75bc4c354
                              • Instruction ID: 95576b1512ba8def1811e77f5b7f53b123af6dbf4d44fe26cab6f1694d82216b
                              • Opcode Fuzzy Hash: d4a2b2e7ea5ec85da598885c8df4c0f10da274186418ab556979ebb75bc4c354
                              • Instruction Fuzzy Hash: CF11FEB5900249CFCB20DF9AC884BDEBFF4EB88324F208469D559A7250C775A944CFA5
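The two RtlSetProcessIsCritical entries above (both referencing 05B934E5 in the 05B90000 dump) are the mechanism behind the "BreakOnTermination" protection: RtlSetProcessIsCritical sets the ProcessBreakOnTermination flag on the calling process, and once that flag is set, terminating the process bugchecks the host with CRITICAL_PROCESS_DIED. A responder who simply runs Stop-Process on the implant therefore crashes the machine. The PowerShell below is an added example written for this report page, not code from the sample or from Joe Sandbox; it queries the flag on a given PID and clears it before termination. Assumptions: it runs from an elevated session so that SeDebugPrivilege is in the token (the script enables it; clearing the flag and opening another user's process both need it), the PID is supplied by the responder, and 29 is the ProcessBreakOnTermination information class that RtlSetProcessIsCritical passes to NtSetInformationProcess.

```powershell
# Added example, not part of the Joe Sandbox report or of the analysed sample.
# Queries and clears the BreakOnTermination ("critical process") flag that
# RtlSetProcessIsCritical sets, so the process can be terminated without a
# CRITICAL_PROCESS_DIED bugcheck. Requires an elevated session (SeDebugPrivilege).

$nativeSignatures = @"
using System;
using System.Runtime.InteropServices;
public static class NativeProc {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int processInformationClass,
        ref int processInformation, int processInformationLength, out int returnLength);
    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(IntPtr hProcess, int processInformationClass,
        ref int processInformation, int processInformationLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
Add-Type -TypeDefinition $nativeSignatures

# PROCESSINFOCLASS value used by RtlSetProcessIsCritical (assumption stated in the lead-in).
$ProcessBreakOnTermination = 29
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_SET_INFORMATION   = 0x0200

# Enable SeDebugPrivilege in this process; it must already be present in the token (elevated session).
[System.Diagnostics.Process]::EnterDebugMode()

function Invoke-WithProcessHandle {
    # Opens the target with the requested access, runs $Body with the handle, always closes it.
    param([int]$ProcessId, [uint32]$Access, [scriptblock]$Body)
    $handle = [NativeProc]::OpenProcess($Access, $false, $ProcessId)
    if ($handle -eq [IntPtr]::Zero) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed with Win32 error $err (not elevated, or PID gone?)"
    }
    try { & $Body $handle } finally { [void][NativeProc]::CloseHandle($handle) }
}

function Get-BreakOnTermination {
    # Returns $true when the process is marked critical (BreakOnTermination set).
    param([Parameter(Mandatory)][int]$ProcessId)
    Invoke-WithProcessHandle -ProcessId $ProcessId -Access $PROCESS_QUERY_INFORMATION -Body {
        param($handle)
        $flag = 0; $returned = 0
        $status = [NativeProc]::NtQueryInformationProcess($handle, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
        if ($status -ne 0) { throw ("NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status) }
        [bool]$flag
    }
}

function Clear-BreakOnTermination {
    # Writes 0 to ProcessBreakOnTermination; the kernel requires SeDebugPrivilege for this.
    param([Parameter(Mandatory)][int]$ProcessId)
    Invoke-WithProcessHandle -ProcessId $ProcessId -Access $PROCESS_SET_INFORMATION -Body {
        param($handle)
        $flag = 0
        $status = [NativeProc]::NtSetInformationProcess($handle, $ProcessBreakOnTermination, [ref]$flag, 4)
        if ($status -ne 0) { throw ("NtSetInformationProcess failed, NTSTATUS 0x{0:X8} (SeDebugPrivilege missing?)" -f $status) }
    }
}

function Stop-CriticalProcessSafely {
    # Check first, clear only if needed, then terminate. Never kill a critical process blind.
    param([Parameter(Mandatory)][int]$ProcessId)
    if (Get-BreakOnTermination -ProcessId $ProcessId) {
        Write-Warning "PID $ProcessId has BreakOnTermination set; clearing it before termination"
        Clear-BreakOnTermination -ProcessId $ProcessId
    }
    Stop-Process -Id $ProcessId -Force
}

# Usage (PID 4242 is hypothetical):
#   Get-BreakOnTermination -ProcessId 4242
#   Stop-CriticalProcessSafely -ProcessId 4242
```

Run Get-BreakOnTermination before any containment action on a suspected AsyncRAT process; if it returns True, the flag was set by the sample, and Clear-BreakOnTermination must succeed before the process is killed, suspended-then-killed, or the host is otherwise cleaned up. If NtSetInformationProcess returns STATUS_PRIVILEGE_NOT_HELD the session is not elevated, and the safe fallback is to leave the process alone and take the host down gracefully rather than risk the bugcheck.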
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: Hbq
                              • API String ID: 0-1245868
                              • Opcode ID: 963b9a9275e8dc5898f45bd6ff823deb596a68b015507cc91a1d091338a103b0
                              • Instruction ID: 8d761164d56b3189c5775b9c62c81c6f5e74d706d64e8b4e9a788b41b2657d28
                              • Opcode Fuzzy Hash: 963b9a9275e8dc5898f45bd6ff823deb596a68b015507cc91a1d091338a103b0
                              • Instruction Fuzzy Hash: 12516B33B042354FC71A9A7C6C5006EA7D6EBC526030946BFD90EDB3C2EE298C0587E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: $^q
                              • API String ID: 0-388095546
                              • Opcode ID: ef3086c9a08affa04ea5053fb5bd9bab7d28b2d9e8bff7dc8b9a1ff7de59904b
                              • Instruction ID: fbf4a559fda12d2a47e2a4ffb905e5d851223f32d04b5669b90fe31db8e0bcd5
                              • Opcode Fuzzy Hash: ef3086c9a08affa04ea5053fb5bd9bab7d28b2d9e8bff7dc8b9a1ff7de59904b
                              • Instruction Fuzzy Hash: 4701D431B1D3814FC7268A285890816BFF96E96914319C8EFC080CB266C4218CC4D362
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: XX^q
                              • API String ID: 0-1315485225
                              • Opcode ID: 6cf8349be95205897c97af4ea12ffba9d9d31b0d578f8531fb6de554312d9e55
                              • Instruction ID: 7c3801b44a749231d8c9166c9b8ca4b26035509c1f46030da054c44dacbbc3bb
                              • Opcode Fuzzy Hash: 6cf8349be95205897c97af4ea12ffba9d9d31b0d578f8531fb6de554312d9e55
                              • Instruction Fuzzy Hash: 41018135A192809FC716CB19C850855BFB5EFC722131980D7D485CB2B2D631E8A6C761
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: ?9\$'K,f
                              • API String ID: 0-2180392013
                              • Opcode ID: 0d2ee68a45333baaf578c3e5818af88c60f29eb58252f4f4d6e45f8bd0b8fb61
                              • Instruction ID: 4a0e5a01ab9f2cb00a44edd778cdfa4ef48332d64cf7334dad23574046dac2ec
                              • Opcode Fuzzy Hash: 0d2ee68a45333baaf578c3e5818af88c60f29eb58252f4f4d6e45f8bd0b8fb61
                              • Instruction Fuzzy Hash: 61F1B2B5E102199FCF48CFE9D8815DDBFB2AF8C320F29912AE515BB214D6349891CF64
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: 'J?c
                              • API String ID: 0-3989396051
                              • Opcode ID: 8d9a56b3514a6d20717d5660c827da9058f17021257fcbd774764da3107cc642
                              • Instruction ID: cb8e557f43e838d3c3c072172865e9a64b30780e6f04a1ee9950c8a7c5248cb5
                              • Opcode Fuzzy Hash: 8d9a56b3514a6d20717d5660c827da9058f17021257fcbd774764da3107cc642
                              • Instruction Fuzzy Hash: 6DB19276F102298FCB18CFADC88059EF7F6BB88350B5A856AD905EB345D7709C858BC4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: *""
                              • API String ID: 0-3539760889
                              • Opcode ID: 613ac946e399cb7ff8f5c32d8209a0fa0b2a0b8a3830fc3987b349545bdad371
                              • Instruction ID: 6b5449d78595cc1d0d58b077e4c489b53a60c2a5e7746d512eeb0e45b9257740
                              • Opcode Fuzzy Hash: 613ac946e399cb7ff8f5c32d8209a0fa0b2a0b8a3830fc3987b349545bdad371
                              • Instruction Fuzzy Hash: A1811676F005298FDB25DA9DD89059DFBB6AF84210F19857ADC0AFB395DA348C42CBC0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1852476036.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_5b90000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: \VKm
                              • API String ID: 0-3894457903
                              • Opcode ID: 5e2986dfff11ee56b65ecd9d89bc6e07ae690f1c696f96ecd3fab7dab1ecf882
                              • Instruction ID: 1540f2a2dbcf2991578f084b8d6d455801149b35515e15ecd4d60200776638db
                              • Opcode Fuzzy Hash: 5e2986dfff11ee56b65ecd9d89bc6e07ae690f1c696f96ecd3fab7dab1ecf882
                              • Instruction Fuzzy Hash: 379139B0E0420D9FDF14DFA9D89979DBBF2BB88314F148179D409A7254EB74A885CB81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: 9!r
                              • API String ID: 0-3244874196
                              • Opcode ID: ea0e38673e3c4de8ed8419f54855517b28e0eec84deb849217a11b496f1ee9ad
                              • Instruction ID: 41134a462f3b2d4b930ab71c75eee96a0f45dd5d91d02866040b14f4d55f9e53
                              • Opcode Fuzzy Hash: ea0e38673e3c4de8ed8419f54855517b28e0eec84deb849217a11b496f1ee9ad
                              • Instruction Fuzzy Hash: C781B171B007158FCB16CEA9DCC09AEB7B2BF98314B55862AE509E7392DB70AC45CB50
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: Hbq
                              • API String ID: 0-1245868
                              • Opcode ID: ac8ac5bc1b0b8a52dab4201807a52bc4d6190e0a5d9428a4960e0cb60d3c8c5e
                              • Instruction ID: 9aec57d9b8109166865943df37e45696317ce1ad4adc5a8e7df02d7ac1447f19
                              • Opcode Fuzzy Hash: ac8ac5bc1b0b8a52dab4201807a52bc4d6190e0a5d9428a4960e0cb60d3c8c5e
                              • Instruction Fuzzy Hash: AC61AF36B052268FDB15DFADC84046EB7B6FFC922031585BAD819EB391CB359C52CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: &!8)
                              • API String ID: 0-3367970750
                              • Opcode ID: 2f9c8933c49af479b9b13471de950a21b273a6e9a804a69181442f01ca3a621a
                              • Instruction ID: 047cf4188d3e3506b599f73b36b4e38868eb44788352cc64add7c6606f67583c
                              • Opcode Fuzzy Hash: 2f9c8933c49af479b9b13471de950a21b273a6e9a804a69181442f01ca3a621a
                              • Instruction Fuzzy Hash: FF511776E102298FCB04CFA9D9819DEFBF2BF98210B1A416AD915FB350D634AD45CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: 'J?c
                              • API String ID: 0-3989396051
                              • Opcode ID: f769794d63968209510dd404d0c0a50b557394fd8b2f36a354c7694e2ca6a99c
                              • Instruction ID: dac9e7da5041ebdc142b3c4ca8a53df22eb05f0dd33ed8afe6c2b6cd492efa2e
                              • Opcode Fuzzy Hash: f769794d63968209510dd404d0c0a50b557394fd8b2f36a354c7694e2ca6a99c
                              • Instruction Fuzzy Hash: 9541E772E206398BCB24CF6DC48059AFBF6BB4834071A86AED905FB340D7709D958BC4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4e9355c7d2a46ce95403125fdcec16077ede76e0aa7dc765ed9e82dd6e67bb0a
                              • Instruction ID: 8a702799ec9cb210b3ddf43faf522e2ad16e5862cbadc34d32b8882562cfdc31
                              • Opcode Fuzzy Hash: 4e9355c7d2a46ce95403125fdcec16077ede76e0aa7dc765ed9e82dd6e67bb0a
                              • Instruction Fuzzy Hash: 76C1C632F212258FCB18DF78C884499B7B2AF8935072A85AAD819EF355DB75DC41CBD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 041af8a70a5366279b7ac20cdf6f5075650b4b4e60268858cae6a78f3a411b70
                              • Instruction ID: 922742fdc21e626c1bf6a73e8c80508fa8e3ecb62a17185a86885a2141f18944
                              • Opcode Fuzzy Hash: 041af8a70a5366279b7ac20cdf6f5075650b4b4e60268858cae6a78f3a411b70
                              • Instruction Fuzzy Hash: 92A19276F1026A8FCB14DF69C84459EB7F6BF88350B1A816AE819EB360D6349C41CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 21e1b60d014f074e695fdb5d6226cbcc7ca70f34fe2c7e4de96dc751578280d6
                              • Instruction ID: d7a39c6334d2631f0ae060ae82f0cb24d824107b52b3ce54a212d4212695fdbc
                              • Opcode Fuzzy Hash: 21e1b60d014f074e695fdb5d6226cbcc7ca70f34fe2c7e4de96dc751578280d6
                              • Instruction Fuzzy Hash: 8BB17275E1022A8FCF04CFA8C8905EEFBB2FF89340B15896AD425EB301D7749A45CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 61aa5d5fd1570b72e8634717ed1897484844a105981418c86f99593fd68ffc87
                              • Instruction ID: 7e7b4d04496d564924e26d8972773f47f1c2c8ff4a6ca94c9c6a54657fea2cd9
                              • Opcode Fuzzy Hash: 61aa5d5fd1570b72e8634717ed1897484844a105981418c86f99593fd68ffc87
                              • Instruction Fuzzy Hash: BF81C177F2052A8B8B14CEA9C8804AEF7F6BF8835070A896ADD55FB310D6749D45CBD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a30783af99e2e73c418c66f451ee120f7323dc4d2ca3edce88f9e9ca03a1105e
                              • Instruction ID: bbd99dba610bef7b0fa132a027418a9e308c5b2bdb35fe7483a13631b9eac962
                              • Opcode Fuzzy Hash: a30783af99e2e73c418c66f451ee120f7323dc4d2ca3edce88f9e9ca03a1105e
                              • Instruction Fuzzy Hash: DA517D23F106324BC704EAFA589406DA6B77B986D039B497ECC06EB382DA74DC49C7D5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e1f8968678de4eaef84814b1e2445787c2390dbd8e5e7c887a1cee8b7634a38a
                              • Instruction ID: d8c0760b805a53248dbb7ca54b66d4de1eea64959ea2cde866a0ab41160b821c
                              • Opcode Fuzzy Hash: e1f8968678de4eaef84814b1e2445787c2390dbd8e5e7c887a1cee8b7634a38a
                              • Instruction Fuzzy Hash: 8161C277F205298F8B14DEA9C8804AEF7F6BB8835070A896ADD55FB350D6349C45CBD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0ee8fac4e4871b31362646295c8d44ff471a47e74cc9e63d9aa771d6332d8a20
                              • Instruction ID: 73e17a0186ea67daeb69384c78c416ae1f037d9d1db18e7469cb2ed2646a5e71
                              • Opcode Fuzzy Hash: 0ee8fac4e4871b31362646295c8d44ff471a47e74cc9e63d9aa771d6332d8a20
                              • Instruction Fuzzy Hash: 06516D23F206364BC708EAFA589016DA2B67B986D039B457DCC06EB382DA64DC49C7D5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2ac41cfdc661c2709bc91518a06064c9aec38e5c6e9e49c81e8a6144f68a402
                              • Instruction ID: d6c0451a23817fd68f329da49e453b1dedfa22f83de05614ef455cbf7c4fa763
                              • Opcode Fuzzy Hash: d2ac41cfdc661c2709bc91518a06064c9aec38e5c6e9e49c81e8a6144f68a402
                              • Instruction Fuzzy Hash: 8B512632F101268FC719CAB988444AEF7B2AF9639072E85AADC14EB315DB309C45CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bffbaeb6b493fa327d0c0833aad060215ee3ae39417f476905e4fe70ed21c071
                              • Instruction ID: e8f42b527686b8de73173caa8ae3d1514e967e5e8108d78c290826f2ee6586ea
                              • Opcode Fuzzy Hash: bffbaeb6b493fa327d0c0833aad060215ee3ae39417f476905e4fe70ed21c071
                              • Instruction Fuzzy Hash: 9A51A0B6F1022A8FCB48DF78C8445ADB7F6BF98350B19816AD809EB355D634DC41CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 659da9925daef6cc3c23628a60b70a03219190e10b1a101ed9b4304bbe5ff956
                              • Instruction ID: b5c7f99134ba7ccd8339e80fc90dde63c4106c6f86820fd70596024c4b2fb649
                              • Opcode Fuzzy Hash: 659da9925daef6cc3c23628a60b70a03219190e10b1a101ed9b4304bbe5ff956
                              • Instruction Fuzzy Hash: 6741C672F102298B9B18DFADC4804EEF3F3AFC875071A856AD859EB350DA749D458BD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fd40e8f37b718b37e13a9795bb921de743188bad4db615afed8a8f9d16d5e300
                              • Instruction ID: ff9bfbce013eae8c3dcc8589d67cf2863b21b968410602456fd33e36dda5cd11
                              • Opcode Fuzzy Hash: fd40e8f37b718b37e13a9795bb921de743188bad4db615afed8a8f9d16d5e300
                              • Instruction Fuzzy Hash: 0B41E376F105268BCB18CE6DC8504AEF7B2ABC439072A816ADC15EB350D6309D56CBD1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9a2d1d7605c27d6c206e2ed6ad6e241f69c08a06693706bdfbc0c08feff72696
                              • Instruction ID: e89027e78e893212a1df6ea302558b7bff1f5b88186e2d53bc0a017b5cd36f91
                              • Opcode Fuzzy Hash: 9a2d1d7605c27d6c206e2ed6ad6e241f69c08a06693706bdfbc0c08feff72696
                              • Instruction Fuzzy Hash: 8D41A477E502298FCB04DFA9C8814DEB7F6BB88224B1A816AD914FB351D6789D01CFD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dd551fc8019112af014dee56f74ac05d21c1b81ac4f3f80453f8b8e3122e87a8
                              • Instruction ID: 4a90afceb81fde372c8134ab400836d3bb0529553ee1121dd955751d6485848c
                              • Opcode Fuzzy Hash: dd551fc8019112af014dee56f74ac05d21c1b81ac4f3f80453f8b8e3122e87a8
                              • Instruction Fuzzy Hash: D341F436F102268BC755CEA988405AFFBF6BB9835074AC56A9805E7360DB749D42CBD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 895094e8a6e429cd0ce463b8608f5bced4d3daa0867c6fc112e18d5b0a6df784
                              • Instruction ID: e59201f457a5e91850e4d98f5d124c2ef48b6f0c7a4d406037d23143f9050c4f
                              • Opcode Fuzzy Hash: 895094e8a6e429cd0ce463b8608f5bced4d3daa0867c6fc112e18d5b0a6df784
                              • Instruction Fuzzy Hash: C041B472F102298FCB18DFADC4844AEF7F3AFD825071A846AD859EB361D6349C458BD1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850251919.00000000032B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_32b0000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b64934b24f40436f6e78d4d8e3d125fc8114f7dd0bbfe787454ca9f476b5fd10
                              • Instruction ID: 3f7fd4b9d265164a4e93833e3b2a4fd39ad3f422d29af5524e8e39b3c9de0410
                              • Opcode Fuzzy Hash: b64934b24f40436f6e78d4d8e3d125fc8114f7dd0bbfe787454ca9f476b5fd10
                              • Instruction Fuzzy Hash: 9641F636F102264BC755CEA988405EFF7F6BB9874075AC9699805E7350DB709D42CBD0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b9863526b24bb7a6b59f625f93b138d2c1dbe192de019a7fb4f8b0485c26344f
                              • Instruction ID: a154d14155d9702d796a8cbed052378ead28b6f5e79f81d3abb6cea056fb62ae
                              • Opcode Fuzzy Hash: b9863526b24bb7a6b59f625f93b138d2c1dbe192de019a7fb4f8b0485c26344f
                              • Instruction Fuzzy Hash: C231D537E006394B8764CE5DC9800DAB7EB9BC426474A826ADC5DFB345EA70EE05CBC1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b4fc81d66dbfb44d761fa56dd75a64e773dab243f78667d93143570e6a588d7
                              • Instruction ID: 572d782ed2d8a43f37d5497c127b5c0f09491fd9ea680f2a4e39b6e31380ba7c
                              • Opcode Fuzzy Hash: 2b4fc81d66dbfb44d761fa56dd75a64e773dab243f78667d93143570e6a588d7
                              • Instruction Fuzzy Hash: 28212733F142390FD7159A7DCC845A9B7E6ABC466474B82BAE819EF791C9708C05C7D0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850010115.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1900000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16165ba508a2342d96777fd5f1e1bc8b503a86cfa7451acf49e3bdbbe6e4959a
                              • Instruction ID: 229cf3e689abe8fe120138cf7f9e6de7e7ae4c466ab1a5801ec9ed2d9040de7d
                              • Opcode Fuzzy Hash: 16165ba508a2342d96777fd5f1e1bc8b503a86cfa7451acf49e3bdbbe6e4959a
                              • Instruction Fuzzy Hash: 52210733F015298FDB54CD6EC8814AAF7F6ABC861075A81AADC0DEB345D6309C068BD0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR^q$LR^q$$^q$$^q$$^q$$^q
                              • API String ID: 0-4154641970
                              • Opcode ID: 05c7861ec51a244747f50c32a279adabdd6ed17c653159a288d1dd3ecc4530f5
                              • Instruction ID: a8a14d8e30989a840dad1ce6359ec68fd2e39ede44c61e8c624401cb81180a7c
                              • Opcode Fuzzy Hash: 05c7861ec51a244747f50c32a279adabdd6ed17c653159a288d1dd3ecc4530f5
                              • Instruction Fuzzy Hash: AA31F731A2E3964FD72BC72998141557FB6AEC791032C84EFC084CF267D92288C6D356
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: $^q$$^q$$^q$$^q
                              • API String ID: 0-2125118731
                              • Opcode ID: d0a737a4594889124463907e9a1985b04291952619171563f726a9ed286b87c6
                              • Instruction ID: 3f53735338353bfc9b6bf63316aa0426860e92aadb7f8cfdfe1164f3b6c7c2d3
                              • Opcode Fuzzy Hash: d0a737a4594889124463907e9a1985b04291952619171563f726a9ed286b87c6
                              • Instruction Fuzzy Hash: 9401B531A5D3964FD72AC6295914519BFB11F8641072D84DBC040CF2AACA39C8CA9352
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1850214756.0000000003260000.00000040.00000800.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3260000_PowerRat.jbxd
                              Similarity
                              • API ID:
                              • String ID: P[^q$P[^q$$^q$$^q
                              • API String ID: 0-1851721795
                              • Opcode ID: 162f3e71ad2fc5f16ea8a0bc4bf45afec38568410fd7db53aa8a1e32e208ace4
                              • Instruction ID: 57d15f8bab52ab9aa28e438b6827e4ea0ef0f0f0c5f09cec6b998785c2b9463e
                              • Opcode Fuzzy Hash: 162f3e71ad2fc5f16ea8a0bc4bf45afec38568410fd7db53aa8a1e32e208ace4
                              • Instruction Fuzzy Hash: 2AF08231F3051E8BCB2C990EA424516F3EE6FC4A20328846AD4068B314DD61FCD54681

                              Execution Graph

                              Execution Coverage:16.4%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:33
                              Total number of Limit Nodes:0
                              execution_graph (each line is one path of the graph: node id, address, and the native API called at that node, in edge order)
                              • 20499 1183d48 -> 20500 1183d93 NtAllocateVirtualMemory -> 20502 1183dda
                              • 20503 1184648 -> 20504 1184690 NtQuerySystemInformation -> 20506 11846cb
                              • 20507 11848c8 -> 20508 1184910 NtDeviceIoControlFile -> 20510 118495d
                              • 20523 1183a38 -> 20524 1183a80 NtQueryInformationProcess -> 20526 1183abe
                              • 20531 1184568 -> 20532 11845b6 NtCreateSection -> 20534 1184603
                              • 20491 1184710 -> 20492 118475b NtMapViewOfSection -> 20494 11847bd
                              • 20495 1184490 -> 20496 11844de NtOpenFile -> 20498 1184528
                              • 20511 1183b00 -> 20512 1183b40 NtSetInformationThread -> 20514 1183b7a
                              • 20515 1184800 -> 20516 1184848 NtQueryVolumeInformationFile -> 20518 1184886
                              • 20519 1183bc0 -> 20520 1183c00 NtClose -> 20522 1183c31
                              • 20527 1183c70 -> 20528 1183cbe NtProtectVirtualMemory -> 20530 1183d08
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: #-N$%<3($'L:C$.;!$9*j$?G8U$#CV$3{V$;$V$KGV$kOV$#V
                              • API String ID: 0-3006600215
                              • Opcode ID: 0480c81e26bcd832686d1413886f65e799280cb23c7f11af4f2acdab6b4f0ac4
                              • Instruction ID: 4a207c08cf0becae55d5938411d62da155777d06c3209c2d5062b56e96e9abe3
                              • Opcode Fuzzy Hash: 0480c81e26bcd832686d1413886f65e799280cb23c7f11af4f2acdab6b4f0ac4
                              • Instruction Fuzzy Hash: 68E32E75E002299FCB64DF68D840B9DB7B6EB89304F5181EAD80DF7751DA31AE818F81
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: #-N$%<3($'L:C$.;!$9*j$?G8U$#CV$3{V$;$V$KGV$kOV$#V
                              • API String ID: 0-3006600215
                              • Opcode ID: e51b02650ad0825010fe718cb5d5d30e940020ef1e847635ff55db81941e0116
                              • Instruction ID: e926ded028c4f6148973e43d544e7d33fa6cb39ac2cab86b8b4e5736b0c528d0
                              • Opcode Fuzzy Hash: e51b02650ad0825010fe718cb5d5d30e940020ef1e847635ff55db81941e0116
                              • Instruction Fuzzy Hash: 8CE32E75E002299FCB64DF68D840B9DB7B6EB89304F5181EAD80DF7751DA31AE818F81
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: yZ$(h<=$(o^q$-=>1$Hbq$pbq$pbq
                              • API String ID: 0-1965142003
                              • Opcode ID: 1811dd682c8d145a2989f6f80364479397731e46c64da2de548e7dda86bc59ac
                              • Instruction ID: 88d21b2bd9f1f3d949c461839205a1ff82d6f6327355ea02b46315287a7bdc55
                              • Opcode Fuzzy Hash: 1811dd682c8d145a2989f6f80364479397731e46c64da2de548e7dda86bc59ac
                              • Instruction Fuzzy Hash: 34F26B75A402298FCB24DF69D894B99B7B2BF88300F1581F9E509EB361DB719E85CF40

                              Control-flow Graph

                              Basic blocks (start-end [call] -> successors):
                              • c2dd80-c2dd89 -> c2dd8c-c2dd9b
                              • c2dd8c-c2dd9b call c296f0 -> c2dda0-c2ddbe
                              • c2dda0-c2ddbe call c2a870 -> c2ddc3-c2ddde
                              • c2ddc3-c2ddde -> c2de60-c2de6d, c2dde4-c2ddf0
                              • c2dde4-c2ddf0 -> c2ddf2-c2de52, c2de58-c2de5f
                              • c2ddf2-c2de52 call c28d68 -> c2dd8c-c2dd9b, c2de58-c2de5f
                              • c2de58-c2de5f -> (no successors)
                              • c2de60-c2de6d -> c2dda0-c2ddbe, c2de73-c2de87
                              • c2de73-c2de87 -> c2df13-c2df1f, c2de8d-c2df05
                              • c2de8d-c2df05 call c28d68 -> c2de58-c2de5f, c2df0b-c2df12
                              • c2df0b-c2df12 -> (no successors)
                              • c2df13-c2df1f -> c2dd8c-c2dd9b, c2df25-c2df3f
                              • c2df25-c2df3f -> c2df45-c2df50, c2dfcf-c2dfda
                              • c2df45-c2df50 -> c2dd8c-c2dd9b, c2df56-c2dfc1
                              • c2df56-c2dfc1 call c28d68 -> c2df0b-c2df12, c2dfc7-c2dfce
                              • c2dfc7-c2dfce -> (no successors)
                              • c2dfcf-c2dfda -> c2dd8c-c2dd9b, c2dfe0-c2e002
                              • c2dfe0-c2e002 -> (no successors)
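The Execution Graph above and the per-function control-flow graphs in this report are exported as one whitespace-separated line each (node id, address or address range, optional label such as an NTDLL routine or a `call` target, and `a->b` edges interleaved). The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin output: it parses that line form, lists which NTDLL routine each entry point of the execution graph reaches, and renders a control-flow graph as readable basic-block lines. The grammar it implements is inferred from the lines on this page (an assumption, not a documented Joe Sandbox schema); the sample inputs are the `execution_graph` line and the NtMapViewOfSection `control_flow_graph` line copied verbatim from this report, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Grammar inferred from the graph lines in this report (assumption, not a
# documented schema):
#   <kind> ( <node_id> <location> [label tokens ...] | <src>-><dst> )*
# <location> is a bare hex address in an execution_graph and a "start-end"
# hex range in a control_flow_graph; node ids are decimal.
_HEX = r"[0-9a-f]+"
_LOCATION = {
    "execution_graph": re.compile(rf"^{_HEX}$"),
    "control_flow_graph": re.compile(rf"^{_HEX}-{_HEX}$"),
}

# Copied verbatim from this report (process 7, DasHost, region 0x1180000).
EXECUTION_GRAPH = (
    "execution_graph 20499 1183d48 20500 1183d93 NtAllocateVirtualMemory 20499->20500 "
    "20502 1183dda 20500->20502 20503 1184648 20504 1184690 NtQuerySystemInformation "
    "20503->20504 20506 11846cb 20504->20506 20507 11848c8 20508 1184910 "
    "NtDeviceIoControlFile 20507->20508 20510 118495d 20508->20510 20523 1183a38 "
    "20524 1183a80 NtQueryInformationProcess 20523->20524 20526 1183abe 20524->20526 "
    "20531 1184568 20532 11845b6 NtCreateSection 20531->20532 20534 1184603 "
    "20532->20534 20491 1184710 20492 118475b NtMapViewOfSection 20491->20492 "
    "20494 11847bd 20492->20494 20495 1184490 20496 11844de NtOpenFile 20495->20496 "
    "20498 1184528 20496->20498 20511 1183b00 20512 1183b40 NtSetInformationThread "
    "20511->20512 20514 1183b7a 20512->20514 20515 1184800 20516 1184848 "
    "NtQueryVolumeInformationFile 20515->20516 20518 1184886 20516->20518 "
    "20519 1183bc0 20520 1183c00 NtClose 20519->20520 20522 1183c31 20520->20522 "
    "20527 1183c70 20528 1183cbe NtProtectVirtualMemory 20527->20528 20530 1183d08 "
    "20528->20530"
)
CFG_NTMAPVIEW = (
    "control_flow_graph 2507 1184708-11847bb NtMapViewOfSection 2510 11847bd-11847c3 "
    "2507->2510 2511 11847c4-11847e9 2507->2511 2510->2511"
)


def parse_graph(line):
    """Return (kind, nodes, edges); nodes maps node id -> (location, label)."""
    toks = line.split()
    kind = toks[0]
    loc_re = _LOCATION[kind]
    nodes, edges = {}, []

    def starts_node(i):
        # A node declaration is a decimal id immediately followed by a location.
        return (toks[i].isdigit() and i + 1 < len(toks)
                and loc_re.match(toks[i + 1]) is not None)

    i = 1
    while i < len(toks):
        if "->" in toks[i]:
            src, dst = toks[i].split("->")
            edges.append((int(src), int(dst)))
            i += 1
            continue
        if not starts_node(i):
            raise ValueError(f"unexpected token {toks[i]!r} at position {i}")
        node_id, location = int(toks[i]), toks[i + 1]
        i += 2
        label = []
        # Label tokens ("NtCreateSection", "call c296f0") run until the next
        # edge or node declaration; a label may itself be all digits.
        while i < len(toks) and "->" not in toks[i] and not starts_node(i):
            label.append(toks[i])
            i += 1
        nodes[node_id] = (location, " ".join(label))
    return kind, nodes, edges


def syscall_wrappers(nodes, edges):
    """Map each entry node (no predecessors) of an execution graph to the
    labelled routines reachable from it, following edges depth-first."""
    succ, has_pred = defaultdict(list), set()
    for s, d in edges:
        succ[s].append(d)
        has_pred.add(d)
    result = {}
    for nid, (addr, _) in nodes.items():
        if nid in has_pred:
            continue
        seen, stack, apis = set(), [nid], []
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            if nodes[cur][1]:
                apis.append(nodes[cur][1])
            stack.extend(succ[cur])
        result[int(addr, 16)] = apis
    return result


def block_summary(nodes, edges):
    """Render a control_flow_graph as 'start-end [label] -> successors' lines,
    ordered by block start address."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(nodes[d][0])
    lines = []
    for nid, (rng, label) in sorted(
            nodes.items(), key=lambda kv: int(kv[1][0].split("-")[0], 16)):
        head = rng + (f" {label}" if label else "")
        lines.append(f"{head} -> {', '.join(succ[nid]) or '(no successors)'}")
    return lines


if __name__ == "__main__":
    _, nodes, edges = parse_graph(EXECUTION_GRAPH)
    for entry, apis in sorted(syscall_wrappers(nodes, edges).items()):
        print(f"{entry:08x}: {', '.join(apis)}")
    _, nodes, edges = parse_graph(CFG_NTMAPVIEW)
    print("\n".join(block_summary(nodes, edges)))
```

Run stand-alone, the script prints one line per entry point of the 0x1180000 region with the NTDLL routine it reaches, which is the same information the rendered Execution Graph conveys as a picture, followed by the three basic blocks of the NtMapViewOfSection wrapper. The same two functions accept any other `execution_graph` or `control_flow_graph` line from the report.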
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: (o^q$\s^q
                              • API String ID: 0-2238190635
                              • Opcode ID: 024ef3140d91c6dd36a376bc761d714cae57166fc9f08205a6f105f1e5b01ff1
                              • Instruction ID: e361a5d2336786da71ef7815fe8cefbcb4abbc437b050eba5936c69672d50994
                              • Opcode Fuzzy Hash: 024ef3140d91c6dd36a376bc761d714cae57166fc9f08205a6f105f1e5b01ff1
                              • Instruction Fuzzy Hash: FF61E332F011288F8B14DB79E84459DB7F2AFD8310B5981AAEC05EB365CA30DD09CB91

                              Control-flow Graph

                              Basic blocks (start-end [call] -> successors):
                              • 1184708-11847bb NtMapViewOfSection -> 11847bd-11847c3, 11847c4-11847e9
                              • 11847bd-11847c3 -> 11847c4-11847e9
                              • 11847c4-11847e9 -> (no successors)
                              APIs
                              • NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 011847AE
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              • Opcode ID: a7a7553d89e0f8d0e44c1a3b52f0d7849e123149f67dfd2d92ae2c9901498bd6
                              • Instruction ID: 499b97d0238715bb6c0c9ae1dfc1cf3c4933dd5445b8150851dfc0afa2161109
                              • Opcode Fuzzy Hash: a7a7553d89e0f8d0e44c1a3b52f0d7849e123149f67dfd2d92ae2c9901498bd6
                              • Instruction Fuzzy Hash: 3A31E1B5901249AFDF10DFA9D884ADEBFF5FF48324F14842AE919A7220C7359950CFA4

                              Control-flow Graph

                              Basic blocks (start-end [call] -> successors):
                              • 1184710-11847bb NtMapViewOfSection -> 11847bd-11847c3, 11847c4-11847e9
                              • 11847bd-11847c3 -> 11847c4-11847e9
                              • 11847c4-11847e9 -> (no successors)
                              APIs
                              • NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 011847AE
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              • Opcode ID: 2bbf0dc7de9d06d46b40a9eabe2d867325f35c938f150bee2f4e5bec8f02ddd6
                              • Instruction ID: 96a5aed929550ce1a67e73f89bada6c6bf88db26d3e47150a91a2dd69e7c115d
                              • Opcode Fuzzy Hash: 2bbf0dc7de9d06d46b40a9eabe2d867325f35c938f150bee2f4e5bec8f02ddd6
                              • Instruction Fuzzy Hash: 1D31E2B5900249AFDF10DFA9D884ADEBFF5FF48324F14842AE919A3210C7359950CFA4

                              Control-flow Graph

                              Basic blocks (start-end [call] -> successors):
                              • 1184560-1184601 NtCreateSection -> 118460a-118462f, 1184603-1184609
                              • 1184603-1184609 -> 118460a-118462f
                              • 118460a-118462f -> (no successors)
                              APIs
                              • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 011845F4
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: CreateSection
                              • String ID:
                              • API String ID: 2449625523-0
                              • Opcode ID: 327a8f85de93058690f9e36b1dfd68de4a3bf8dcdb9ecbb048aa5abb4bf142f9
                              • Instruction ID: 9007ec76281ed7830c46191c7539be5df76ebcec12e0506de0443500d6e2fcaa
                              • Opcode Fuzzy Hash: 327a8f85de93058690f9e36b1dfd68de4a3bf8dcdb9ecbb048aa5abb4bf142f9
                              • Instruction Fuzzy Hash: 392102B1D01259AFCB10DFA9D984AEEFBB4FF48314F20802AE918A7210C7359955CFA4

                              Control-flow Graph

                              Basic blocks (start-end [call] -> successors):
                              • 1183c68-1183d06 NtProtectVirtualMemory -> 1183d08-1183d0e, 1183d0f-1183d34
                              • 1183d08-1183d0e -> 1183d0f-1183d34
                              • 1183d0f-1183d34 -> (no successors)
                              APIs
                              • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 01183CF9
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 937b3af9d983ae3c6dea000d3ca7f43666b2dd1e98487ed7e3e7ebf9b62c60b9
                              • Instruction ID: e3b3045f6b73dbd3db162e33e14fe2b83d7bdea6378101b326dee629316420b9
                              • Opcode Fuzzy Hash: 937b3af9d983ae3c6dea000d3ca7f43666b2dd1e98487ed7e3e7ebf9b62c60b9
                              • Instruction Fuzzy Hash: 5F21F0B19012499FCB10DFAAD584AEEFBF4FF48320F20842AE859A7210C7759940CFA4

                              Control-flow Graph

                              Basic blocks (start-end [call] -> successors):
                              • 11848c1-118495b NtDeviceIoControlFile -> 118495d-1184963, 1184964-1184989
                              • 118495d-1184963 -> 1184964-1184989
                              • 1184964-1184989 -> (no successors)
                              APIs
                              • NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 0118494E
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: ControlDeviceFile
                              • String ID:
                              • API String ID: 3512290074-0
                              • Opcode ID: 1cbf4ebcfb96a811b6e9ac25d318482381f29f031777311d97a368c68bb47be6
                              • Instruction ID: a54d4d49a5da92005c8695f5ce460233238c7f81a2ffecda7559488bce681dc0
                              • Opcode Fuzzy Hash: 1cbf4ebcfb96a811b6e9ac25d318482381f29f031777311d97a368c68bb47be6
                              • Instruction Fuzzy Hash: 8F2114B29002499FCF14DFAAC844AEEBFF5FF48314F148429E969A7210CB359954CFA1

                              Control-flow Graph

                              Basic blocks (start-end [call] -> successors):
                              • 1184568-1184601 NtCreateSection -> 118460a-118462f, 1184603-1184609
                              • 1184603-1184609 -> 118460a-118462f
                              • 118460a-118462f -> (no successors)
                              APIs
                              • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 011845F4
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: CreateSection
                              • String ID:
                              • API String ID: 2449625523-0
                              • Opcode ID: bd5d94e95676affb8e3dc7f7a7613698571720dff6f33984fda96ad4d3e18ec4
                              • Instruction ID: e1bd5527ae8e8f286086b7695a67431628aeadc81dbda3aef1546f2a56d41ee6
                              • Opcode Fuzzy Hash: bd5d94e95676affb8e3dc7f7a7613698571720dff6f33984fda96ad4d3e18ec4
                              • Instruction Fuzzy Hash: 5B21F2B1D0125DAFCB00DFAAD984ADEFBB4FF48310F20802AE918A7200C7759954CFA5

                              Control-flow Graph

                              Basic blocks (start-end [call] -> successors):
                              • 118448b-1184526 NtOpenFile -> 1184528-118452e, 118452f-1184554
                              • 1184528-118452e -> 118452f-1184554
                              • 118452f-1184554 -> (no successors)
                              APIs
                              • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 01184519
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: FileOpen
                              • String ID:
                              • API String ID: 2669468079-0
                              • Opcode ID: 2ffb7ba0f2a9b89034a47b929bf0ed23d2f52e4c875c00801ca23a13fbeb9a62
                              • Instruction ID: d37570fc5615b2f890316077558f613d36fef090d977cc3c68192e48611db143
                              • Opcode Fuzzy Hash: 2ffb7ba0f2a9b89034a47b929bf0ed23d2f52e4c875c00801ca23a13fbeb9a62
                              • Instruction Fuzzy Hash: 3B2123B1D00219AFCB04DFA9D984ADEFBF4FF48310F20802AE518A3200C7359A50CFA1

                              Control-flow Graph

                              Basic blocks (start-end [call] -> successors):
                              • 1183d40-1183dd8 NtAllocateVirtualMemory -> 1183dda-1183de0, 1183de1-1183e06
                              • 1183dda-1183de0 -> 1183de1-1183e06
                              • 1183de1-1183e06 -> (no successors)
                              APIs
                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 01183DCB
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              • Opcode ID: 19afe0054bfe55b1d9e903dff62de71a9590688948cbc935dcdf77efd406b3e6
                              • Instruction ID: b9173b8671ca987a066e63aa5d71865a80f13bcb7ec03d6abc684e27b8280f70
                              • Opcode Fuzzy Hash: 19afe0054bfe55b1d9e903dff62de71a9590688948cbc935dcdf77efd406b3e6
                              • Instruction Fuzzy Hash: 48212EB19002599FCB10DFAAC884ADEBBF4FF48320F50842AE919A7210C775A940CFA1

                              Control-flow Graph

                              Basic blocks (start-end [call] -> successors):
                              • 1183c70-1183d06 NtProtectVirtualMemory -> 1183d08-1183d0e, 1183d0f-1183d34
                              • 1183d08-1183d0e -> 1183d0f-1183d34
                              • 1183d0f-1183d34 -> (no successors)
                              APIs
                              • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 01183CF9
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              • Opcode ID: 9d603e92ce26a5f02133fe62f26c50a141992dcbb1c58bcb82f4e111191a545a
                              • Instruction ID: ee9d27b8141a8181feb3281e2a94e705d96c102171db1c91179be734e76311a2
                              • Opcode Fuzzy Hash: 9d603e92ce26a5f02133fe62f26c50a141992dcbb1c58bcb82f4e111191a545a
                              • Instruction Fuzzy Hash: 4B21FFB1D012499FCB10DFAAD984ADEFBF5FF48310F20842AE919A7210C775A940CBA5
                              APIs
                              • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 01184519
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: FileOpen
                              • String ID:
                              • API String ID: 2669468079-0
                              • Opcode ID: a0b1911a94825f531f2e3903d1d912d82bbed0a5656b6be31dd1be4321cbf3ad
                              • Instruction ID: 9281d21221fdcdc391ecbcd7165404a2cc27bec08a3b02b92c824c151e286c83
                              • Opcode Fuzzy Hash: a0b1911a94825f531f2e3903d1d912d82bbed0a5656b6be31dd1be4321cbf3ad
                              • Instruction Fuzzy Hash: B421E3B1D0125DAFCB10DFAAD984ADEFBB4FF48314F10802AE518A7210C7759A54CFA5
                              APIs
                              • NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 0118494E
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: ControlDeviceFile
                              • String ID:
                              • API String ID: 3512290074-0
                              • Opcode ID: 88b84a28d70c565f1b62a64178f2d6b1fe81d8d3e863409299cb532c4c7704e4
                              • Instruction ID: 1df391a5f04db1a1fb23016234c531ea8dc1c6a92d2c35654a71cf8951e2c2dc
                              • Opcode Fuzzy Hash: 88b84a28d70c565f1b62a64178f2d6b1fe81d8d3e863409299cb532c4c7704e4
                              • Instruction Fuzzy Hash: 022114B19002499FCF10DFAAC844ADEBBF5FF48314F108429E919A7210C7359954CFA1
                              APIs
                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 01183AAF
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: a000e0b87fabeb66c30c63a8dece61a4ccbf06ba89fb934863c30b982d27a95d
                              • Instruction ID: 496405c6f0c0ae8abbd6db680b934a30339b732478487fc00534a54960ba482c
                              • Opcode Fuzzy Hash: a000e0b87fabeb66c30c63a8dece61a4ccbf06ba89fb934863c30b982d27a95d
                              • Instruction Fuzzy Hash: 1F2137B1D002499FCB14DFAAC844AEEFBF4FF88320F14842AE919A7250C7759945CFA1
                              APIs
                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 01183DCB
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              • Opcode ID: 8ed39f911dffb153114245e679f2d5267c4705d6f7f89d9371c12fa8a849cee7
                              • Instruction ID: 0c0d61cd6b4f07807a694cbe4050ed75a056f8cf3f03d87c3f6176698553fb95
                              • Opcode Fuzzy Hash: 8ed39f911dffb153114245e679f2d5267c4705d6f7f89d9371c12fa8a849cee7
                              • Instruction Fuzzy Hash: 372120B19002499FCB10DFAAC884ADEFFF5FF48320F50842AE919A7210C775A944CFA4
                              APIs
                              • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 01184877
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: FileInformationQueryVolume
                              • String ID:
                              • API String ID: 634242254-0
                              • Opcode ID: 06994d58b54a8a2b6d61fc96b645914037a9413680ff087885acd928fe389a7c
                              • Instruction ID: 592b60a57b875f81d474333648754dbd558f3b826cac297e8af5a4c85fc58840
                              • Opcode Fuzzy Hash: 06994d58b54a8a2b6d61fc96b645914037a9413680ff087885acd928fe389a7c
                              • Instruction Fuzzy Hash: B12134B1D002499FDB14DFAAC884BEEFBF4EF88314F14842AE519A7210C775A940CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0a:s
                              • API String ID: 0-1960802389
                              • Opcode ID: 20d27c8c7d170d9725309a875c8609bda592345a58b7e1e5a8b0ab6ee370b3a3
                              • Instruction ID: 3915e8cce87be0b22048cd7e684608eccd1330c185c93a26caf20d7a6a5884a0
                              • Opcode Fuzzy Hash: 20d27c8c7d170d9725309a875c8609bda592345a58b7e1e5a8b0ab6ee370b3a3
                              • Instruction Fuzzy Hash: 2CE1D675E0021A8FCB44CFAAD4915AEBBB2FF88310F50812AE425E7355D7389A56CF91
                              APIs
                              • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 011846BC
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: InformationQuerySystem
                              • String ID:
                              • API String ID: 3562636166-0
                              • Opcode ID: 49e6d7e707deb85480313cf0486c15bd77a3b32934b99acce74c6c4115cb6391
                              • Instruction ID: bfa204a56bfaacbec3895ee699e4c2f2215551ef0bdee3c5c7c959621e82ebea
                              • Opcode Fuzzy Hash: 49e6d7e707deb85480313cf0486c15bd77a3b32934b99acce74c6c4115cb6391
                              • Instruction Fuzzy Hash: 242104B19002499FCB14DFAAC484AAEFBF4AF88324F10842AD459A7250CB759944CFA5
                              APIs
                              • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 01184877
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: FileInformationQueryVolume
                              • String ID:
                              • API String ID: 634242254-0
                              • Opcode ID: 74464283bcdb5d564fbf5f12db6e24c1a804f38941fdd8fec8a01dd7dd06eebd
                              • Instruction ID: ffc863da63900f2b4c0fef7c3f8edd9aa7f16b324b6d5cb6c9cacd5a122eaec3
                              • Opcode Fuzzy Hash: 74464283bcdb5d564fbf5f12db6e24c1a804f38941fdd8fec8a01dd7dd06eebd
                              • Instruction Fuzzy Hash: F32124B1D002499FDB14DFAAC844BDEFBF4EF48324F10842AE519A7250CB75A944CFA1
                              APIs
                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 01183AAF
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: 02426c53bf578ffb7a92b470055a6bf15ab5afa972926baa2af1295d05d79c7c
                              • Instruction ID: 8b95a689b90370f27a2877c4d1e50da9dd5da7ea397f9144e66bf2aa64fbe00b
                              • Opcode Fuzzy Hash: 02426c53bf578ffb7a92b470055a6bf15ab5afa972926baa2af1295d05d79c7c
                              • Instruction Fuzzy Hash: B02147B1D002499FCB14DFAAC844ADEFBF4FF48320F14842AE519A7250C775A944CFA1
                              APIs
                              • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 011846BC
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: InformationQuerySystem
                              • String ID:
                              • API String ID: 3562636166-0
                              • Opcode ID: 7211eca6eac95dd6c6295865c4215dad470bd7ed00024a77afe06903bd0577bc
                              • Instruction ID: 28936b20c6926f63dfee8b0dbe078d67ba2d5f79737fc5e447c735bd703cfaff
                              • Opcode Fuzzy Hash: 7211eca6eac95dd6c6295865c4215dad470bd7ed00024a77afe06903bd0577bc
                              • Instruction Fuzzy Hash: CA11F4B1D002499FDB14DFAAC444BDEFBF4EF48324F10842AD559A7250CB79A944CFA5
                              APIs
                              • NtSetInformationThread.NTDLL(?,?,?,?), ref: 01183B6B
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: InformationThread
                              • String ID:
                              • API String ID: 4046476035-0
                              • Opcode ID: 98a1083bf4fbd5f7fdf178cb336cfe3d24bdacc472d1c01b820d2792956f282c
                              • Instruction ID: 7c2ac5ed863b327212ec158a057ec680e016c846535e3beb2920ea60f9ea4250
                              • Opcode Fuzzy Hash: 98a1083bf4fbd5f7fdf178cb336cfe3d24bdacc472d1c01b820d2792956f282c
                              • Instruction Fuzzy Hash: 0A1144B19042488FCB14DFAAC845BEEBFF5AF88324F24881ED469A7250C775A544CF94
                              APIs
                              • NtSetInformationThread.NTDLL(?,?,?,?), ref: 01183B6B
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: InformationThread
                              • String ID:
                              • API String ID: 4046476035-0
                              • Opcode ID: f7d2b44d188ea95592275ee2be87b07698ddd173da3ed74878250050efde6a9d
                              • Instruction ID: 42eabab24008e9f33de2e844a2e138cea55e611660a8e5ca35a9369a1b2a5975
                              • Opcode Fuzzy Hash: f7d2b44d188ea95592275ee2be87b07698ddd173da3ed74878250050efde6a9d
                              • Instruction Fuzzy Hash: 6E1146B19002489FCB14DFAAC845BDEFFF5EF88324F248819E569A7250C775A544CFA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: a9237407bdb89d5b14c2e966f62a02fbe5114cccd3e32afb5790317fbef96c33
                              • Instruction ID: d61bcab9636eebd3ac36d843338486dca45616bce8345e430c3ab92f9319d11b
                              • Opcode Fuzzy Hash: a9237407bdb89d5b14c2e966f62a02fbe5114cccd3e32afb5790317fbef96c33
                              • Instruction Fuzzy Hash: 341104B19002498FDB24DFAAC5447EEFBF4AF88324F24842ED559A7254C735A944CFA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951016302.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_1180000_DasHost.jbxd
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              • Opcode ID: c0406fe298d0690d9799495b0cfdc5f7676c070773657982f07f376bf06af81f
                              • Instruction ID: 8bdcca95e92405d4af236613c7d47c2005160534dc192cdee0589e407f77232a
                              • Opcode Fuzzy Hash: c0406fe298d0690d9799495b0cfdc5f7676c070773657982f07f376bf06af81f
                              • Instruction Fuzzy Hash: A0113AB19003488FDB24DFAAC4457DEFBF4EF88324F24841AD559A7250C775A544CFA5
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0a:s
                              • API String ID: 0-1960802389
                              • Opcode ID: c6af9b9181b283ca9b93c2221d1b047e77458578f6f0d704638b2eaaa6e97604
                              • Instruction ID: bf46d07b23902dbb722a9f65482f232fc4029d676e331e7d98d2315b9d47529c
                              • Opcode Fuzzy Hash: c6af9b9181b283ca9b93c2221d1b047e77458578f6f0d704638b2eaaa6e97604
                              • Instruction Fuzzy Hash: 03C1E774E4021ACFCB44DFAAD8916AEBBB1FF88310F50812AD425E7354D7389A56CF91
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3f476421039de9c806e428f55cf759e37837dc070f5f75eba67a1c063372c0c2
                              • Instruction ID: 5f40909e6b6480ea1409dedad4e0172657561bb1b21606b47e35775442d6b2dd
                              • Opcode Fuzzy Hash: 3f476421039de9c806e428f55cf759e37837dc070f5f75eba67a1c063372c0c2
                              • Instruction Fuzzy Hash: 76F1D072F007198FCB14DEA9E8D069DB7B2AF98300B59817AE519EB752DA709C46CB40
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1a3d9afe47070df40c26cd46c30fd557092014ff389b6c502de74ef83ec79bca
                              • Instruction ID: a2c0c147d82323e8e35418f00750a35c049983f6e9e8d134042327e36b32fdc1
                              • Opcode Fuzzy Hash: 1a3d9afe47070df40c26cd46c30fd557092014ff389b6c502de74ef83ec79bca
                              • Instruction Fuzzy Hash: 9DD1E436F501358FCB18EB7DA89427EB2E2BBC8750B158439E816EB390DE709D0597C2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 684c69f42c8d15f21bf387e521302ead433afea51ea1c27d4fecec6e072c1ccf
                              • Instruction ID: 954ce17b0be653d909b6856c52ac1cbcbd965f7de2359166afd954bd3110f2ac
                              • Opcode Fuzzy Hash: 684c69f42c8d15f21bf387e521302ead433afea51ea1c27d4fecec6e072c1ccf
                              • Instruction Fuzzy Hash: FB91E272F107158BCB54EEA9E8D069DB2E3AF98300F54813DE51AEB752DA70DD46DB00
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2bbb8c336af9c4704e82834ae0e56d50390a27f92ee6de836f935f0d2175d6f9
                              • Instruction ID: 46f3b27fcc0e207501a4e813ee031dc9c86e7b2f04a5aefa512b9f3c85301a95
                              • Opcode Fuzzy Hash: 2bbb8c336af9c4704e82834ae0e56d50390a27f92ee6de836f935f0d2175d6f9
                              • Instruction Fuzzy Hash: 8681CF36E102298FCB14DFA9D88099EB7B2AB88310B55816AD819FB751D771DC81CBD1
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b65709610d6b0129b6e63d9099d9141b0a2198d500d6c53ad381476de84fa515
                              • Instruction ID: ed4931a0c021f38e373eed52d5c55f1bb3f817b9a9f798af7cbc1aff8e4b042e
                              • Opcode Fuzzy Hash: b65709610d6b0129b6e63d9099d9141b0a2198d500d6c53ad381476de84fa515
                              • Instruction Fuzzy Hash: 4C51F233E012358B8B18EF79D45456AB7B3AF8835071A81A9ED15EB7A1DB30CC06CBD0
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c55d291f7ab4693d227c7b23d04e155d8850f2da26eb54bd5e077e97c05fe0d0
                              • Instruction ID: ba8084cefa4e13761ab6ee45ae6553e34b532c445dbf484f082fcf54764e0a38
                              • Opcode Fuzzy Hash: c55d291f7ab4693d227c7b23d04e155d8850f2da26eb54bd5e077e97c05fe0d0
                              • Instruction Fuzzy Hash: 3D51C072E102358B8B58EF79D84456AB7B3AF8835071A8169ED15EB7A1DB30CC06CBD0
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 683162ef603430309552a8679beb881cbf5cb5d37fb8ab8d6d1da8ee36ff7eb8
                              • Instruction ID: 4f8d2f3e16bad15090eac0220a77f2a578df90f0846557a45754bc9a29acaef1
                              • Opcode Fuzzy Hash: 683162ef603430309552a8679beb881cbf5cb5d37fb8ab8d6d1da8ee36ff7eb8
                              • Instruction Fuzzy Hash: CE412933F115354B9B18CA1DD8951AAF6E39BD4220B5E82BADD0AFBB81DA74CC05C7D0
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 62f1829e9af5572ebb2b73c1e161695c3a3178dc9958f70a8dbd5dee62757fcb
                              • Instruction ID: a907b091b49c4d65cf0f6a88739a742955c4e1e8e4a0e7f0bb73cd876484f258
                              • Opcode Fuzzy Hash: 62f1829e9af5572ebb2b73c1e161695c3a3178dc9958f70a8dbd5dee62757fcb
                              • Instruction Fuzzy Hash: 4C412C33F115354B9B18CA1DD8551AAF2E79BD4220B5E82BADD09FBB81DA74CC05C7D0

                              Control-flow Graph

                              control_flow_graph 2270 c2a870-c2a8a9 2272 c2a8ac-c2a8b6 2270->2272 2273 c2a8b8 2272->2273 2274 c2a8bd-c2a8e3 2272->2274 2273->2274 2276 c2a8e9-c2a904 2274->2276 2278 c2a906-c2a914 2276->2278 2279 c2a959-c2a978 2276->2279 2278->2272 2280 c2a916-c2a91a 2278->2280 2283 c2a97e-c2a992 2279->2283 2281 c2a93b 2280->2281 2282 c2a91c-c2a925 2280->2282 2287 c2a93e-c2a954 2281->2287 2285 c2a927-c2a92a 2282->2285 2286 c2a92c-c2a92f 2282->2286 2283->2272 2284 c2a998-c2a9b8 2283->2284 2284->2276 2293 c2a9be-c2a9d4 2284->2293 2288 c2a939 2285->2288 2286->2288 2289 c2a9d6-c2a9dc 2287->2289 2288->2287 2291 c2a9e6 2289->2291 2292 c2a9de 2289->2292 2294 c2a9e7 2291->2294 2292->2291 2293->2289 2294->2294
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: \;^q$\;^q
                              • API String ID: 0-2277681078
                              • Opcode ID: aa971cbfde989a1ac2d39e2714297898c0f71f05a47ea2ac94cb47d0b314f5a6
                              • Instruction ID: 96f13ec4db936a57bd72514ea1aa7cb5d9c224e8418fa83f80a361a4b2922694
                              • Opcode Fuzzy Hash: aa971cbfde989a1ac2d39e2714297898c0f71f05a47ea2ac94cb47d0b314f5a6
                              • Instruction Fuzzy Hash: F541E775F002259BDB14DAAAD840BEEB7F6AF88310F154029D801FB780DB759D85CB51

                              Control-flow Graph

                              control_flow_graph 2295 c2fe1e-c2fe76 2301 c2fe7b-c2fe9b call c2a870 2295->2301 2303 c2fea0-c2febb 2301->2303 2303->2301 2304 c2febd-c2fecb 2303->2304 2306 c2fee0-c2fee9 2304->2306 2307 c2fecd-c2fed4 2304->2307 2306->2301 2309 c2feeb-c2ff0a 2306->2309 2307->2301 2308 c2fed6-c2fedf 2307->2308
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: (o^q$Hbq
                              • API String ID: 0-662517225
                              • Opcode ID: 1bc89e1a16a08141e0527d0873269ba92606a8e312c61bb65b26107bd9fb0a0f
                              • Instruction ID: fddadab936a93b384b967b582c1875d10b8bdcacbec1de39457941da42140369
                              • Opcode Fuzzy Hash: 1bc89e1a16a08141e0527d0873269ba92606a8e312c61bb65b26107bd9fb0a0f
                              • Instruction Fuzzy Hash: 9D113D31F041294BC718EA6EAD5415E7BB36FC9250F0840BAE41DDB366EA308D15C791

                              Control-flow Graph

                              control_flow_graph 2313 11c0bb0-11c0bdd 2314 11c0bdf-11c0be5 2313->2314 2315 11c0bf5-11c0c07 2313->2315 2316 11c0be9-11c0bf3 2314->2316 2317 11c0be7 2314->2317 2320 11c0c09-11c0c0f 2315->2320 2321 11c0c21-11c0c35 2315->2321 2316->2315 2317->2315 2322 11c0c11 2320->2322 2323 11c0c13-11c0c1f 2320->2323 2326 11c0c3c-11c0c3f 2321->2326 2322->2321 2323->2321
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951123819.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_11c0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: $^q$$^q
                              • API String ID: 0-355816377
                              • Opcode ID: 52b53ccb3ff06756a736233cd7ee0c7db9090d2021ecd222fe1bb04b4d55c660
                              • Instruction ID: b1626167efd07a69dd797bd8e9649ab5e94eb0ab594d8cd70a1dd4926288c5c1
                              • Opcode Fuzzy Hash: 52b53ccb3ff06756a736233cd7ee0c7db9090d2021ecd222fe1bb04b4d55c660
                              • Instruction Fuzzy Hash: 7A018838B4D3858FC71E9F7D59501167FE16EAA91031984EFD484CF29BCA218C45C352
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: Hbq
                              • API String ID: 0-1245868
                              • Opcode ID: 8aa3029cb03872226548b50d53413a583191031d8315ecdcdb4305d697f55695
                              • Instruction ID: f727b1cda669f051d6b4e0869223773c0dd072db85a5f34e24f68a128eb3cfbf
                              • Opcode Fuzzy Hash: 8aa3029cb03872226548b50d53413a583191031d8315ecdcdb4305d697f55695
                              • Instruction Fuzzy Hash: F8016833F491344BCB00AA7DFC8845EBB869AD07A034981BADC09DB793EA248C4987D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: %R2`
                              • API String ID: 0-2035437543
                              • Opcode ID: 24c9936c9a0ec6d2b3c9c47de8387fb7821789e85a62b0b04d185d9584be3ac0
                              • Instruction ID: ba114cb97fa6a1c2e08d574a316ddc882b237d95958bbbd73fb9963021f396f8
                              • Opcode Fuzzy Hash: 24c9936c9a0ec6d2b3c9c47de8387fb7821789e85a62b0b04d185d9584be3ac0
                              • Instruction Fuzzy Hash: 1C012876F152148FCB148B79A84446EBBB1EBD5210B0480BAD809E7356C6318C15C752
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: %R2`
                              • API String ID: 0-2035437543
                              • Opcode ID: 1db01218f3d4d456fad074fdec750d848767f617a5b3c4c046476be06566a3e5
                              • Instruction ID: 45f0e19d5db1686d4e0f57600239054a3b50bce5a1a96a0a23330f01868e1efa
                              • Opcode Fuzzy Hash: 1db01218f3d4d456fad074fdec750d848767f617a5b3c4c046476be06566a3e5
                              • Instruction Fuzzy Hash: 6DF0D1B6F112248B8B149F69A88546EB7B6EBD4210B04807AEC09E7345DA318D11CBA2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 95ac734cfa456870a1f6d0087c15117ad17896b93126b29548ec5c6ee464bd45
                              • Instruction ID: f4ec25fd368b74ee8f376a935f1b8222262a26d67dd8025b2b76ff230398081d
                              • Opcode Fuzzy Hash: 95ac734cfa456870a1f6d0087c15117ad17896b93126b29548ec5c6ee464bd45
                              • Instruction Fuzzy Hash: 99D19F35B501308F8758EF3DE898A2D77E6BF8871035685B9E80ADB7A1DF21DD058782
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0eeca4d8d12c77756ecbca941c333f1803ebe7d5ce2ba65b030927a130efdf2e
                              • Instruction ID: c8b82ad56a93f89668863491828437e588013195905089e6e669fe5992e5b523
                              • Opcode Fuzzy Hash: 0eeca4d8d12c77756ecbca941c333f1803ebe7d5ce2ba65b030927a130efdf2e
                              • Instruction Fuzzy Hash: A8311431F042348FDB18DA6DA8807AEB7B27BC4350F19857AD81AEB751D6708D4487D2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ab83edf13b41a20b98fe5f7efca75fa896c3709070527dacf82b47cdda590314
                              • Instruction ID: a4539daabb22da08d4aa949127bfe9a88727550705cc90d4330c68be9f42c158
                              • Opcode Fuzzy Hash: ab83edf13b41a20b98fe5f7efca75fa896c3709070527dacf82b47cdda590314
                              • Instruction Fuzzy Hash: 16418F75E01214CFCB18CF68D49495DBBB2FF89310B25816AE805AB761CB71ED86CF80
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8592789051376594285725fc61b717ed2a7439cd23aa7e4f5e19c8c749d19d2
                              • Instruction ID: 820f5cd47cbccdca2dbcabffb6544626d7a620283aacf9545887d8d273a9e6e1
                              • Opcode Fuzzy Hash: b8592789051376594285725fc61b717ed2a7439cd23aa7e4f5e19c8c749d19d2
                              • Instruction Fuzzy Hash: 31418D75E01219CFCB08CF68D854A5DBBB2BF88310B258169E805AB761CB71ED86CF90
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7dc0cffc36050988660c4b081e7d459a2ad4cc9b2140f9dd60fe2c959fba1f2f
                              • Instruction ID: e7ce60781cc5c4b3bb1b0ccaf232b5917e6d64d37e6acf4972704e9c2123aae4
                              • Opcode Fuzzy Hash: 7dc0cffc36050988660c4b081e7d459a2ad4cc9b2140f9dd60fe2c959fba1f2f
                              • Instruction Fuzzy Hash: AE319071E01229CFCB18CF68D954A5DBBB2AF44314F254169E805AF761CB71ED8ACF90
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 242402ac34f82b964689c44e7e93d966d466e14a7374db4fb50bc443d7925168
                              • Instruction ID: 704e08fcd7a6b9c0f1096ff1fb92e00edbd3eb7580fc09e7fe0510837d1b6afb
                              • Opcode Fuzzy Hash: 242402ac34f82b964689c44e7e93d966d466e14a7374db4fb50bc443d7925168
                              • Instruction Fuzzy Hash: DB310B35A002298FDB20DF69D980B9DF7B2BF49304F5040A9E505AB351DA71AE86CF51
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e12a117fb095c52a979ce1c3a54d0df7e69eb8ceee31372f50285d2d419d879c
                              • Instruction ID: a2c5b64ef38a624bb9a8520cb38a2696d4f8e910267909973b67279c2f7b4084
                              • Opcode Fuzzy Hash: e12a117fb095c52a979ce1c3a54d0df7e69eb8ceee31372f50285d2d419d879c
                              • Instruction Fuzzy Hash: 46210833F126328BCB189F79D8804AA77B2EF94214755467ADC02ABB51CB31DD91CBC0
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: adec87d8b6e25cde9c572abe8bdd8e6e82b2260adc07248175632e9f643e73b3
                              • Instruction ID: d4a3829f0bd20980e6ea37f76e7744c02433250ee20a5930b6a1d1cfc4463bd1
                              • Opcode Fuzzy Hash: adec87d8b6e25cde9c572abe8bdd8e6e82b2260adc07248175632e9f643e73b3
                              • Instruction Fuzzy Hash: FA210333E116368BCB189F79D88046AB7B6EB94214755067AEC02ABB91DB31DD91CBC0
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ef98e20bff195eb091b1cc131a5c46a2ba6a86367fe55e4fed741bfef7231dc0
                              • Instruction ID: e1624c2aca1a1b7b97ab6f505b5be2d21d53be1e3941189a63da0f01ab2dc57c
                              • Opcode Fuzzy Hash: ef98e20bff195eb091b1cc131a5c46a2ba6a86367fe55e4fed741bfef7231dc0
                              • Instruction Fuzzy Hash: 2421C732E001244F8714DB68D44449DBBF6AF9931075541BAEC05EB771DA709C49C791
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_c20000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b039fc6edd50fef227c9ad85b40c24e0b0d77de75f91934157d7190e41f95f58
                              • Instruction ID: 826831b5c02bbe101ab47f347b8f967a3fe29bca30c34ea43e0a507def72e95c
                              • Opcode Fuzzy Hash: b039fc6edd50fef227c9ad85b40c24e0b0d77de75f91934157d7190e41f95f58
                              • Instruction Fuzzy Hash: 410142357062008FC358DB39E45881ABBE2AF8A32532541EEE40ACB7B2CA32DC01CB40
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951123819.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_11c0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a08be799547117cd902327ae0f47d0d1b7e0a4cc1c01dafa57875d8280fca9eb
                              • Instruction ID: 9aa0658f94382db70cbb0ec29fce1af177e5494ca09d07a7d52b6bb7a81b90b3
                              • Opcode Fuzzy Hash: a08be799547117cd902327ae0f47d0d1b7e0a4cc1c01dafa57875d8280fca9eb
                              • Instruction Fuzzy Hash: 19F0B426B4D3C09FC30A473D9421452BFF69EDB41031A84EBD084CB2A3D6118C0A83A2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1950799626.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C20000, based on PE: false
                              Strings
                              Memory Dump Source
                              • Source File: 00000007.00000002.1951123819.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_11c0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR^q$LR^q$$^q$$^q
                              • API String ID: 0-2454687669

                              Execution Graph

                              Execution Coverage: 22.1%
                              Dynamic/Decrypted Code Coverage: 100%
                              Signature Coverage: 0%
                              Total number of Nodes: 56
                              Total number of Limit Nodes: 0
                              execution_graph (node and edge data omitted; API nodes present in the graph: NtCreateSection, NtAllocateVirtualMemory, NtQuerySystemInformation, NtDeviceIoControlFile, NtSetInformationThread, NtQueryVolumeInformationFile, NtClose, NtQueryInformationProcess, RtlSetProcessIsCritical, CheckRemoteDebuggerPresent, NtProtectVirtualMemory, NtMapViewOfSection, NtOpenFile)
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: #-N$%<3($'L:C$,b$,g$.;!$9*j$?G8U$#C<$3{<$;$<$KG<$kO<$#<
                              • API String ID: 0-4254984090
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: yZ$(h<=$(o^q$-=>1$Hbq$pbq$pbq
                              • API String ID: 0-1965142003

                              Control-flow Graph

                              control_flow_graph (basic-block and edge data omitted; blocks eedd80 through eee007 with calls to ee96f0, eea870 and ee8d68)
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: (o^q$\s^q
                              • API String ID: 0-2238190635

                              Control-flow Graph

                              control_flow_graph (basic-block and edge data omitted; blocks ee0a20 through ee9e8e with calls to ee98c0, ee89c0, ee96f0, ee1098, ee8ac8, eeb3d8 and eeb317)
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: ,g
                              • API String ID: 0-282136697

                              Control-flow Graph

                              control_flow_graph (basic-block and edge data omitted; block 12a4708-12a47bb calls NtMapViewOfSection, followed by blocks 12a47bd-12a47c3 and 12a47c4-12a47e9)
                              APIs
                              • NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 012A47AE
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0

                              Control-flow Graph
                              APIs
                              • NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 012A47AE
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              APIs
                              • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 012A45F4
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: CreateSection
                              • String ID:
                              • API String ID: 2449625523-0
                              APIs
                              • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 012A4519
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: FileOpen
                              • String ID:
                              • API String ID: 2669468079-0
                              APIs
                              • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 012A3CF9
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              APIs
                              • NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 012A494E
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: ControlDeviceFile
                              • String ID:
                              • API String ID: 3512290074-0
                              APIs
                              • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 012A45F4
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: CreateSection
                              • String ID:
                              • API String ID: 2449625523-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0a:s
                              • API String ID: 0-1960802389
                              APIs
                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 012A3DCB
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              APIs
                              • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 012A3CF9
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: MemoryProtectVirtual
                              • String ID:
                              • API String ID: 2706961497-0
                              APIs
                              • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 012A4519
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: FileOpen
                              • String ID:
                              • API String ID: 2669468079-0
                              APIs
                              • NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 012A494E
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: ControlDeviceFile
                              • String ID:
                              • API String ID: 3512290074-0
                              APIs
                              • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 012A3DCB
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: AllocateMemoryVirtual
                              • String ID:
                              • API String ID: 2167126740-0
                              APIs
                              • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 012A4877
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: FileInformationQueryVolume
                              • String ID:
                              • API String ID: 634242254-0
                              APIs
                              • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 012A46BC
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: InformationQuerySystem
                              • String ID:
                              • API String ID: 3562636166-0
                              APIs
                              • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 012A4877
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: FileInformationQueryVolume
                              • String ID:
                              • API String ID: 634242254-0
                              APIs
                              • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 012A3AAF
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              APIs
                              • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 012A46BC
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: InformationQuerySystem
                              • String ID:
                              • API String ID: 3562636166-0
                              APIs
                              • NtSetInformationThread.NTDLL(?,?,?,?), ref: 012A3B6B
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: InformationThread
                              • String ID:
                              • API String ID: 4046476035-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168685828.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_12a0000_DasHost.jbxd
                              Similarity
                              • API ID: Close
                              • String ID:
                              • API String ID: 3535843008-0
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:

                              Control-flow Graph
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: \;^q$\;^q
                              • API String ID: 0-2277681078

                              Control-flow Graph
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: (o^q$Hbq
                              • API String ID: 0-662517225

                              Control-flow Graph
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              APIs
                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 055113F7
                              Memory Dump Source
                              • Source File: 00000009.00000002.4173272460.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_5510000_DasHost.jbxd
                              APIs
                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 055113F7
                              Memory Dump Source
                              • Source File: 00000009.00000002.4173272460.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_5510000_DasHost.jbxd
                              APIs
                              • RtlSetProcessIsCritical.NTDLL(00000001,00000000,?), ref: 055132CD
                              Memory Dump Source
                              • Source File: 00000009.00000002.4173272460.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_5510000_DasHost.jbxd
                              APIs
                              • RtlSetProcessIsCritical.NTDLL(00000001,00000000,?), ref: 055132CD
                              Memory Dump Source
                              • Source File: 00000009.00000002.4173272460.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_5510000_DasHost.jbxd
                              APIs
                              • RtlSetProcessIsCritical.NTDLL(00000001,00000000,?), ref: 055132CD
                              Memory Dump Source
                              • Source File: 00000009.00000002.4173272460.0000000005510000.00000040.00000800.00020000.00000000.sdmp, Offset: 05510000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_5510000_DasHost.jbxd
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167837800.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_e9d000_DasHost.jbxd
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: be22b87f082efa463cb26a0f9712437cb980067073cbedbbfc6729f04fbf4820
                              • Instruction ID: 3a95806a8963352cacbd0ab6859c624ab323a17cb9b999a55de496e95f31642a
                              • Opcode Fuzzy Hash: be22b87f082efa463cb26a0f9712437cb980067073cbedbbfc6729f04fbf4820
                              • Instruction Fuzzy Hash: 29F08C2538E7C64FD7079B7488744883FB18E4B19435A00FBD084CF2B3E55A9C4AC792
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 586198bca2d8c22a80b1bebe06e989787d3cb15bb32f68ea3c94535a9ab640a0
                              • Instruction ID: d99f0c526f26a1b3e80fd9aa172d5ddd5461db781d8062d45ca498000c6baaf1
                              • Opcode Fuzzy Hash: 586198bca2d8c22a80b1bebe06e989787d3cb15bb32f68ea3c94535a9ab640a0
                              • Instruction Fuzzy Hash: E2E06D2620E3D01FC31307795C648667FB4DA8B52174A86EBE185EB2A7C9594C0A8762
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ee8da81b6a538a61f907cf358027ff66ef78849862a1d556d697d6710fef6c16
                              • Instruction ID: f65f5e6981b6984cc0c0b7986079c444b0a1603dee6f1527dee25bf526a2dcb1
                              • Opcode Fuzzy Hash: ee8da81b6a538a61f907cf358027ff66ef78849862a1d556d697d6710fef6c16
                              • Instruction Fuzzy Hash: ACF02B3420E3C84FCF168B2888949A2BFB5DF87120B0E80DBD548CF173CA649C0AC712
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 25074676c33596d5939745796397958a0fbf90972687760b14da6d719af3321e
                              • Instruction ID: e13fd9e57fce795a80da905cc16f47aeaa51b54ad5b875653d17a7077a50a799
                              • Opcode Fuzzy Hash: 25074676c33596d5939745796397958a0fbf90972687760b14da6d719af3321e
                              • Instruction Fuzzy Hash: DAE02B1274C1B51FC71577BA182804C6BC66AC25E0B55027BC51AC72D2DD19CD4343D7
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a11aec025e2821d1805a016efe7558ae03a63abe73e71b833babe98f5a3ff7b7
                              • Instruction ID: b617d29eacbb4787c10c537549125020ad5a71acdbdea7af34504e30fb80c760
                              • Opcode Fuzzy Hash: a11aec025e2821d1805a016efe7558ae03a63abe73e71b833babe98f5a3ff7b7
                              • Instruction Fuzzy Hash: 92F0E572B012589BC3182E76A844816B3E9EF89335360457ED80AAB391CF36EC42C7D0
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f9776f4d5faf701a86d947b1859c5622fed16ad20274231a4eba663b3129c5ce
                              • Instruction ID: f8963ee247270397a436cc026483f623b67a190a1ee3b14a40d485d79eccc7a0
                              • Opcode Fuzzy Hash: f9776f4d5faf701a86d947b1859c5622fed16ad20274231a4eba663b3129c5ce
                              • Instruction Fuzzy Hash: FBE0652464D7D40FCB27173815652A56F725F8B01071A84F7C089EB266DE2A4D46C751
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e0938325d6d3a82bdcad8e9fd2fc1fc8b5bb4260572489506ff668eb6eb0b2f
                              • Instruction ID: f4e1660c135d2c41d1cc94ed2279b93330050f3db1db8392a8f4ba2898c3a5f5
                              • Opcode Fuzzy Hash: 1e0938325d6d3a82bdcad8e9fd2fc1fc8b5bb4260572489506ff668eb6eb0b2f
                              • Instruction Fuzzy Hash: 50F06D2560D6C4AFC31A87A98561991BFB59F87114B1DC0EBE089CF263CA258C0BC752
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b28508aa7b682ef637961b4db2d6ad20f7b6254855d4efd1617676f9cefbcf79
                              • Instruction ID: bb30f210f1e9ea8d5bd728a5b67b03c5cd1114f0005c83f4307d219e04926ec8
                              • Opcode Fuzzy Hash: b28508aa7b682ef637961b4db2d6ad20f7b6254855d4efd1617676f9cefbcf79
                              • Instruction Fuzzy Hash: ACF0322010E3C14FCB27637449A52353FB16D8B209B4E80DBC0D1CF1A3DA29480AC723
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3355697c04df577b24a38dee0425edcc69015fec5b6cb9924fedc51d7a91e9ad
                              • Instruction ID: 074ac185f0797c3c5fa03d247c2204ba39b599e009a675a0886a39556ea4124b
                              • Opcode Fuzzy Hash: 3355697c04df577b24a38dee0425edcc69015fec5b6cb9924fedc51d7a91e9ad
                              • Instruction Fuzzy Hash: 74E0E50170E7D01FC30763B828654596FF25E9346031E45EBD08ACB2A7D9484D0A8367
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e4d59718cc432d5220787cb30ecdb97f22ac37092ca4cc6bc8065117ea698a75
                              • Instruction ID: bc3318a32f8eea03f861b5bcec223e52d60ac8e4b95c07a70b52e467bb814229
                              • Opcode Fuzzy Hash: e4d59718cc432d5220787cb30ecdb97f22ac37092ca4cc6bc8065117ea698a75
                              • Instruction Fuzzy Hash: 2EE0922860E3C14FD727677459A05B43F716D8311035981EBC489CF1A3CE1D890AC712
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 678df8c99a08898256688cb2a5236d813c62b38119cac422a61149db8befa6b1
                              • Instruction ID: 49c9fa86a8da31b331c15fcf59ac36e44903b515b91b46d4ba50e94b5fb96ae6
                              • Opcode Fuzzy Hash: 678df8c99a08898256688cb2a5236d813c62b38119cac422a61149db8befa6b1
                              • Instruction Fuzzy Hash: 68E01A1924E7C94FC757577458A25A67F72AEC312035985DBC4C18F5E7C928484AC723
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 81f95b67f837d99b963c22225dbd9c23ddcd4d2634f4cb084f96ef4463628874
                              • Instruction ID: 8e81af84106706cc226530e4865f7eed9f9af4b5602f08c178413765b9cf4888
                              • Opcode Fuzzy Hash: 81f95b67f837d99b963c22225dbd9c23ddcd4d2634f4cb084f96ef4463628874
                              • Instruction Fuzzy Hash: 35E0922824E3C64FC317133448A45B83FB2AD8721076981EFC481CF197CA284947C742
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ca0876107660b1372beffc963efd47585070ae1bcf81e77b44fed05fac71a762
                              • Instruction ID: 0a032ff0007ecb69199fc5c8a13a3fd4975a3199d7b685427a2a6e08f2a084a1
                              • Opcode Fuzzy Hash: ca0876107660b1372beffc963efd47585070ae1bcf81e77b44fed05fac71a762
                              • Instruction Fuzzy Hash: 6FE04F35B405188F471CAA6EA56491777FFBFD96217348876D00ACB368DE61DC4183A1
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0ff38a5b95627cf1b39986e776f9e76d861bb84ef6a7b0fc7056ab651dec29b5
                              • Instruction ID: dcf92865b15124a095c73d656a2197995fda35d7e92e13b13e92869af0357e8c
                              • Opcode Fuzzy Hash: 0ff38a5b95627cf1b39986e776f9e76d861bb84ef6a7b0fc7056ab651dec29b5
                              • Instruction Fuzzy Hash: 31E09A1860D2C00FCB1B433429A41A83FB2AE87210719C2DBC1C28B29BCE24490BCB86
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 33d7d4acb5b61ab16d114851e5e1d6b64582466570f02ecd937f5cbb746d9123
                              • Instruction ID: cdd691d54050fc96bd37b4bcd0100da9889368500158aaf64c7d9738c173b59b
                              • Opcode Fuzzy Hash: 33d7d4acb5b61ab16d114851e5e1d6b64582466570f02ecd937f5cbb746d9123
                              • Instruction Fuzzy Hash: 12E04F2420B3C54FD76A133028B46643F326BC3215759C4EBC0C6CA267CE2A5946C723
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 75d544eaf74c238db98b39af0b7fee5694fc367a2d2741730412e60a083d309c
                              • Instruction ID: f6ccf741a6888d133298df69f91c462d0e30e46bbfb23954a2fef9ea26c7b14c
                              • Opcode Fuzzy Hash: 75d544eaf74c238db98b39af0b7fee5694fc367a2d2741730412e60a083d309c
                              • Instruction Fuzzy Hash: 70E04F353101205F8708EB6ED444C19B3EAEFC9B2131140AAF509DB332CE61EC0187D4
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c0f54a15d62a3ccb75f09a5e63c52b5733ea0f81b1eeaba6d54b5db15c10c12b
                              • Instruction ID: 01d76055fe73f34a1f56d531e2fed2ab1e19b1d817c9b3ecdfb3ce7df8be786b
                              • Opcode Fuzzy Hash: c0f54a15d62a3ccb75f09a5e63c52b5733ea0f81b1eeaba6d54b5db15c10c12b
                              • Instruction Fuzzy Hash: 93E04F317002188F8719AB3AD40182AB3EAEFCA72135544BDE409EB761CF71EC02C780
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d5133125b1180ff5d548728b523d6877fea52bfaceff24edcba3eb59c6abd851
                              • Instruction ID: 4a9a8092456e27da23a47f51c2b098642e98c7fcd858644f4c7a87b370a6e5e7
                              • Opcode Fuzzy Hash: d5133125b1180ff5d548728b523d6877fea52bfaceff24edcba3eb59c6abd851
                              • Instruction Fuzzy Hash: E7E06D2460D7C90FCB1647385821269AFB21F87014B1D80EAC44ADB267DA298D86C756
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6b08e28143da3a3f415a0eeded75846734ffe40945ec6f85c93ce9da8719d7da
                              • Instruction ID: 745bd54ca4643666ed31b4ed9a4f84caad0c4af327abfa1e5f19ba4264896640
                              • Opcode Fuzzy Hash: 6b08e28143da3a3f415a0eeded75846734ffe40945ec6f85c93ce9da8719d7da
                              • Instruction Fuzzy Hash: 55E04F2860E3C64FCB368BB459652653FF2BF93208B1980DBC0858E563DA298946C312
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 529d9350a90385d50fcdd7ba8427245b418768c739ebc66e7ae94e466e59c997
                              • Instruction ID: 2e888204591a302b8d6f7e31519eb300f0ecbd03531e094d62dbe45f7318d20f
                              • Opcode Fuzzy Hash: 529d9350a90385d50fcdd7ba8427245b418768c739ebc66e7ae94e466e59c997
                              • Instruction Fuzzy Hash: ACE01A35301614CFC328AB39D404855B7E9EF4932535188BEE80AAB761CE32FC41CB80
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e39ce0d80a20953001bb7a0f32ea5273d248fe155f6221dd9c6e04c8eccb8fe9
                              • Instruction ID: f55cdddc984bce5f740e2afac5d85578ed83880ead55bd08d01a4c2d843e636d
                              • Opcode Fuzzy Hash: e39ce0d80a20953001bb7a0f32ea5273d248fe155f6221dd9c6e04c8eccb8fe9
                              • Instruction Fuzzy Hash: 46D01235B40519AB47189A9ED440852B7EBAFC9155324C0A9E00EC7364DE61DC05C781
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 272ada9529c866eb9ca9bedb5c8596830e5bd2baf54a0c722d91a9785872698f
                              • Instruction ID: 8d058616d52260247be6c216b31a996ef13a15a8d468b045af732187ee65e09c
                              • Opcode Fuzzy Hash: 272ada9529c866eb9ca9bedb5c8596830e5bd2baf54a0c722d91a9785872698f
                              • Instruction Fuzzy Hash: 74E0123175162D8F87189E5DD444563B3ABAFC9220B2484A5E50AC7369EE21DC418795
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bc053f606b3c2cc724fca4a93a00fe6ab1be46a24870d5697eeb91ab94063488
                              • Instruction ID: 17b96d388dba13effa3f8b46605229a3862e27d7d5d47f0043e5676a870e6d3d
                              • Opcode Fuzzy Hash: bc053f606b3c2cc724fca4a93a00fe6ab1be46a24870d5697eeb91ab94063488
                              • Instruction Fuzzy Hash: D3E0C230E48248EF8B50EBB099221BD77F29B95300B9040FAD80DF7241DD310F519341
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8f37c31f8a345b807a81cac1e96902b537ea73490c811ced89102a26ca66e370
                              • Instruction ID: 895b5ca399d6f55c671d4f358a11d21ecc205c48e53b3ef7981357b0ce6481d0
                              • Opcode Fuzzy Hash: 8f37c31f8a345b807a81cac1e96902b537ea73490c811ced89102a26ca66e370
                              • Instruction Fuzzy Hash: 24D0A7323001145B4604336AFC0556E7BDAFAC5621300013BF10DD3310CF946D1653D5
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 250f7ce8faad11ca3afe9e10ddcf47be82e366ecd83b25f6ea998565516d33d0
                              • Instruction ID: d4288c603cc74f95b09f20194222af2fd9e3b5b9fd43a9cebd75ddca0a8cf834
                              • Opcode Fuzzy Hash: 250f7ce8faad11ca3afe9e10ddcf47be82e366ecd83b25f6ea998565516d33d0
                              • Instruction Fuzzy Hash: 63D01271A01208EF8744EFB5D95556D77F6EB89201B1044BAE50AE7251DE311E049B44
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dd4ea704253a3bbf45f15d8e952097990856ffadaed081c18fbfe64af6c9e109
                              • Instruction ID: b5aa432126ab2bce5065df201bad0b4dcf42a30940120dbf766201cdd8d84b02
                              • Opcode Fuzzy Hash: dd4ea704253a3bbf45f15d8e952097990856ffadaed081c18fbfe64af6c9e109
                              • Instruction Fuzzy Hash: EED05E70E0420CAB8B54EBB5D95266EB3FADB85300B9054BAE40DB7241DD312F50A781
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 17b4bbd2e5fac89ebb4b8981bfd9eb3b7a166a3afa719335b5843dcc4843b660
                              • Instruction ID: fb7ba602c8329e7b22feb76fcbf7c876ec1552559ac37792f98b33ccf640e838
                              • Opcode Fuzzy Hash: 17b4bbd2e5fac89ebb4b8981bfd9eb3b7a166a3afa719335b5843dcc4843b660
                              • Instruction Fuzzy Hash: 7AD0C9353416149FC705AA69D544859BBE9AF8E61931440B9E509CB731DA33EC028B80
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a191846b3ef96226d40d1d6e0aba5bc4c4d8e8b44b099dfa09529a906a383d67
                              • Instruction ID: a670bbac25a441c252a2624be2189c388e7c40ea42babbeb44432ff7b3e5974c
                              • Opcode Fuzzy Hash: a191846b3ef96226d40d1d6e0aba5bc4c4d8e8b44b099dfa09529a906a383d67
                              • Instruction Fuzzy Hash: 07D0C9363101249F8740DA5DE444C42B7ECEF4D6243258099E50CCB322D662EC028B90
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: adcc3338205dd2c4e6db712172bb87197d5b0d41c419f5301814e48edf5bdc94
                              • Instruction ID: b587230c1230c8233c46ab8e1b6334a20f1c8443929b96160b052d640288636d
                              • Opcode Fuzzy Hash: adcc3338205dd2c4e6db712172bb87197d5b0d41c419f5301814e48edf5bdc94
                              • Instruction Fuzzy Hash: EFD022212480920EC7047A3DB0000CC5AC349C23B0384523AE10CAB20CCF589C87839A
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 81515422548a5fc6061b4700c221354d72fb4227cd81531167eef3136f672856
                              • Instruction ID: bfaa6f5c42a8886592e1541ccd11ed88b1c78e034114502a725706dbfadeee76
                              • Opcode Fuzzy Hash: 81515422548a5fc6061b4700c221354d72fb4227cd81531167eef3136f672856
                              • Instruction Fuzzy Hash: 71D0C934354001CF9740DB68E488C80B3E2AF9D270325C195E40DCB336D632DC068A40
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b182c8d7c63d543075e45b535c2e85b41558bc3fc4f601a38c3b23897d2492fb
                              • Instruction ID: 5edbf907d9953af07623ebf09808672cb874cac1f8d6421fdc4b4bd1f08e9d02
                              • Opcode Fuzzy Hash: b182c8d7c63d543075e45b535c2e85b41558bc3fc4f601a38c3b23897d2492fb
                              • Instruction Fuzzy Hash: 0CC002392642048F8344DB58E488C11B3E9EB4C634316C195E90D8B332C631FC00CA44
                              Memory Dump Source
                              • Source File: 00000009.00000002.4167976438.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_ee0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 07855b023bfd816a0f860c41571fdcf468a3c9e0c59b8156fbfa569972b40af3
                              • Instruction ID: 13fb478ca94104c55a482bd1599ef95bc9330edd27083d3b435bc242f0682d65
                              • Opcode Fuzzy Hash: 07855b023bfd816a0f860c41571fdcf468a3c9e0c59b8156fbfa569972b40af3
                              • Instruction Fuzzy Hash: 74B09274F042014F4388EA3EF400155A6D2BBC9610326CA69A45DDB305D920EC8A9750
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: $^q$$^q$$^q$$^q
                              • API String ID: 0-2125118731
                              • Opcode ID: 4a68b3674e7c618072def3b9e41aa279964a653b29d1ae7369e4caa27e1d45e1
                              • Instruction ID: c4c8a31d41c43ae001bdc79545ddac3e4920f4cbc9beab2b777c8068fe2e8cdf
                              • Opcode Fuzzy Hash: 4a68b3674e7c618072def3b9e41aa279964a653b29d1ae7369e4caa27e1d45e1
                              • Instruction Fuzzy Hash: CD01F732A1C3C64FD72A47391824621BFB15FC3510B1984DFC085CF1ABDE25884AC713
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.4168857734.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_2ad0000_DasHost.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR^q$LR^q$$^q$$^q
                              • API String ID: 0-2454687669
                              • Opcode ID: 5fe0923daa3b0999967e1202edde5c01f1ac77860d610091998099f99160a78e
                              • Instruction ID: eaa262fb81847ee963561a9ce083c07f066bd0cf1caa0b14aa6db738b1fe0222
                              • Opcode Fuzzy Hash: 5fe0923daa3b0999967e1202edde5c01f1ac77860d610091998099f99160a78e
                              • Instruction Fuzzy Hash: E8F0FC35F052594FD33A0A2969151667FB16FD2A10B2585AFC446CF71ACD214C86C393