Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
CheerSkullness.exe

Overview

General Information

Sample name:CheerSkullness.exe
Analysis ID:1584576
MD5:f9e101b2d9f6671484e6f6010e159cb9
SHA1:25c09df4f73610d5953d6a08cdf5a5183fa3e4b6
SHA256:0dcdf7c63a9e5dbf789c3c7eed54a2d5968be59fef0275e3925d8677a7b2b1b4
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w11x64_office
  • CheerSkullness.exe (PID: 5444 cmdline: "C:\Users\user\Desktop\CheerSkullness.exe" MD5: F9E101B2D9F6671484E6F6010E159CB9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: CheerSkullness.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: CheerSkullness.exeReversingLabs: Detection: 36%
Machine Learning detection for sample
Source: CheerSkullness.exeJoe Sandbox ML: detected
Source: CheerSkullness.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CheerSkullness.exeStatic PE information: certificate valid
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004036C1 GetModuleFileNameA,__splitpath_s,__snprintf_s,FindFirstFileA,_wprintf,_wprintf,FindNextFileA,FindClose,0_2_004036C1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004079C1 __EH_prolog3_GS,HttpOpenRequestA,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,__EH_prolog3_GS,InternetOpenA,lstrlenA,InternetOpenUrlA,InternetQueryOptionA,InternetSetOptionA,__wfopen_s,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,0_2_004079C1
Source: global trafficDNS traffic detected: DNS query: softfantastic.com
Source: CheerSkullness.exeString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: CheerSkullness.exeString found in binary or memory: http://ocsp.thawte.com0
Source: CheerSkullness.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: CheerSkullness.exeString found in binary or memory: http://s.symcd.com06
Source: CheerSkullness.exeString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: CheerSkullness.exeString found in binary or memory: http://t2.symcb.com0
Source: CheerSkullness.exeString found in binary or memory: http://tl.symcb.com/tl.crl0
Source: CheerSkullness.exeString found in binary or memory: http://tl.symcb.com/tl.crt0
Source: CheerSkullness.exeString found in binary or memory: http://tl.symcd.com0&
Source: CheerSkullness.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: CheerSkullness.exeString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: CheerSkullness.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: CheerSkullness.exeString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: CheerSkullness.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: CheerSkullness.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: CheerSkullness.exeString found in binary or memory: https://HTTP/1.0/http=https=
Source: CheerSkullness.exeString found in binary or memory: https://d.symcb.com/cps0%
Source: CheerSkullness.exeString found in binary or memory: https://d.symcb.com/rpa0
Source: CheerSkullness.exeString found in binary or memory: https://d.symcb.com/rpa0.
Source: CheerSkullness.exe, 00000000.00000002.11770244633.0000000000BB6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://softfantastic.com/
Source: CheerSkullness.exe, 00000000.00000002.11770119537.0000000000B44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://softfantastic.com/:
Source: CheerSkullness.exe, 00000000.00000003.11720123646.0000000000BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://softfantastic.com/?w2UAn1d9PDzAsA0CC1NUSw8URlZR%2B45zjy%2B2wFQa2e7x8Zod5Qtar4%2F1sl8hQzppxV5
Source: CheerSkullness.exe, 00000000.00000002.11770119537.0000000000B44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://softfantastic.com/R
Source: CheerSkullness.exe, 00000000.00000002.11770119537.0000000000B6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://softfantastic.com/installer.php?CODE=PUTGQ&UID=01234567891&action=
Source: CheerSkullness.exe, 00000000.00000002.11770119537.0000000000B6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://softfantastic.com/installer.php?CODE=PUTGQ&UID=01234567891&action=2250
Source: CheerSkullness.exe, 00000000.00000002.11770119537.0000000000B6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://softfantastic.com/installer.php?CODE=PUTGQ&UID=01234567891&action=y-
Source: CheerSkullness.exeString found in binary or memory: https://www.thawte.com/cps0/
Source: CheerSkullness.exeString found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0042C0FB0_2_0042C0FB
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0042D26C0_2_0042D26C
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004382800_2_00438280
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004403F70_2_004403F7
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004433BD0_2_004433BD
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0043E4560_2_0043E456
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004274C00_2_004274C0
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004305620_2_00430562
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004115000_2_00411500
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004156F00_2_004156F0
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004386B50_2_004386B5
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004427180_2_00442718
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004197200_2_00419720
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004168F00_2_004168F0
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004379740_2_00437974
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0043E9C10_2_0043E9C1
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00438AEA0_2_00438AEA
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00401A8D0_2_00401A8D
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0041EB5A0_2_0041EB5A
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00427B5D0_2_00427B5D
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0043FC4F0_2_0043FC4F
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00431D100_2_00431D10
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00416DD00_2_00416DD0
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00437E680_2_00437E68
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00401E030_2_00401E03
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0040FEB00_2_0040FEB0
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0043EF330_2_0043EF33
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: String function: 00420F40 appears 62 times
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: String function: 00428635 appears 34 times
Source: CheerSkullness.exe, 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCheerSkullness> vs CheerSkullness.exe
Source: CheerSkullness.exe, 00000000.00000001.11715177457.000000000045A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCheerSkullness> vs CheerSkullness.exe
Source: CheerSkullness.exeBinary or memory string: OriginalFilenameCheerSkullness> vs CheerSkullness.exe
Source: CheerSkullness.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engineClassification label: mal60.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00417430 CoInitializeEx,CoInitializeSecurity,CoUninitialize,CoCreateInstance,SysAllocString,SysFreeString,0_2_00417430
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00414610 LoadResource,LockResource,SizeofResource,0_2_00414610
Source: C:\Users\user\Desktop\CheerSkullness.exeCommand line argument: CheerSkullness0_2_00405485
Source: C:\Users\user\Desktop\CheerSkullness.exeCommand line argument: CheerSkullness0_2_00405485
Source: C:\Users\user\Desktop\CheerSkullness.exeCommand line argument: CheerSkullness0_2_00405485
Source: C:\Users\user\Desktop\CheerSkullness.exeCommand line argument: CheerSkullness0_2_00405485
Source: C:\Users\user\Desktop\CheerSkullness.exeCommand line argument: CheerSkullness0_2_00405485
Source: CheerSkullness.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CheerSkullness.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: CheerSkullness.exeReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: prntvpt.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: CheerSkullness.exeStatic PE information: certificate valid
Source: CheerSkullness.exeStatic file information: File size 6044312 > 1048576
Source: CheerSkullness.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x56b400
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00405485 __EH_prolog3_catch_GS,GetTickCount,GetTickCount,GetTickCount,MessageBoxA,_strtoul,MessageBoxA,GetTickCount,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateDialogParamA,GetTickCount,GetTickCount,GetTickCount,ShowWindow,UpdateWindow,SetTimer,GetMessageA,DispatchMessageA,GetMessageA,MessageBoxA,0_2_00405485
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0042641F push edi; ret 0_2_00426423
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00426544 push esi; ret 0_2_00426548
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00425F5A push edi; ret 0_2_00425F60
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00425F30 push esi; ret 0_2_00425F34
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00425FEC push ebx; ret 0_2_00425FF6
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00420F85 push ecx; ret 0_2_00420F98
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0041EFAD push ecx; ret 0_2_0041EFC0
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0041EB5A EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041EB5A
Source: C:\Users\user\Desktop\CheerSkullness.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\CheerSkullness.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-34300
Source: C:\Users\user\Desktop\CheerSkullness.exeAPI coverage: 9.3 %
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_004036C1 GetModuleFileNameA,__splitpath_s,__snprintf_s,FindFirstFileA,_wprintf,_wprintf,FindNextFileA,FindClose,0_2_004036C1
Source: CheerSkullness.exe, 00000000.00000003.11765112133.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp, CheerSkullness.exe, 00000000.00000002.11770186586.0000000000B7D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\CheerSkullness.exeAPI call chain: ExitProcess graph end nodegraph_0-34301
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0043C8A4 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0043C8A4
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0043C8A4 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_0043C8A4
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00405485 __EH_prolog3_catch_GS,GetTickCount,GetTickCount,GetTickCount,MessageBoxA,_strtoul,MessageBoxA,GetTickCount,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,CreateDialogParamA,GetTickCount,GetTickCount,GetTickCount,ShowWindow,UpdateWindow,SetTimer,GetMessageA,DispatchMessageA,GetMessageA,MessageBoxA,0_2_00405485
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_00404114 GetProcessHeap,GetTickCount,0_2_00404114
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0041FA40 SetUnhandledExceptionFilter,0_2_0041FA40
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0041FA71 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041FA71
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0041FAA1 cpuid 0_2_0041FAA1
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,0_2_0043B09F
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_0043B36F
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: EnumSystemLocalesW,0_2_0043B313
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_0043B3EC
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_0043B46F
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_0043B664
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0043B78E
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_0043B83B
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,0_2_0043B90F
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,0_2_00426BA6
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: EnumSystemLocalesW,0_2_0043BCB4
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: GetLocaleInfoW,0_2_0043BD3A
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_0043BF92
Source: C:\Users\user\Desktop\CheerSkullness.exeCode function: 0_2_0041922A GetSystemTimeAsFileTime,0_2_0041922A

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
DLL Side-Loading		1
Deobfuscate/Decode Files or Information		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
Native API		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts2
Obfuscated Files or Information		LSASS Memory31
Security Software Discovery		Remote Desktop ProtocolData from Removable Media1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading		Security Account Manager1
File and Directory Discovery		SMB/Windows Admin SharesData from Network Shared Drive1
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDS22
System Information Discovery		Distributed Component Object ModelInput Capture1
Application Layer Protocol		Traffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
CheerSkullness.exe37%ReversingLabsWin32.Trojan.Generic
CheerSkullness.exe100%AviraHEUR/AGEN.1357312
CheerSkullness.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://HTTP/1.0/http=https=0%Avira URL Cloudsafe
https://softfantastic.com/installer.php?CODE=PUTGQ&UID=01234567891&action=0%Avira URL Cloudsafe
https://softfantastic.com/installer.php?CODE=PUTGQ&UID=01234567891&action=22500%Avira URL Cloudsafe
https://softfantastic.com/:0%Avira URL Cloudsafe
https://softfantastic.com/R0%Avira URL Cloudsafe
https://softfantastic.com/installer.php?CODE=PUTGQ&UID=01234567891&action=y-0%Avira URL Cloudsafe
https://softfantastic.com/?w2UAn1d9PDzAsA0CC1NUSw8URlZR%2B45zjy%2B2wFQa2e7x8Zod5Qtar4%2F1sl8hQzppxV50%Avira URL Cloudsafe
https://softfantastic.com/0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
fp2e7a.wpc.phicdn.net
192.229.221.95
truefalse
    		high
    softfantastic.com
    		unknown
    		unknownfalse
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://HTTP/1.0/http=https=CheerSkullness.exefalse
      • Avira URL Cloud: safe
      		unknown
      https://softfantastic.com/installer.php?CODE=PUTGQ&UID=01234567891&action=2250CheerSkullness.exe, 00000000.00000002.11770119537.0000000000B6B000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      https://softfantastic.com/installer.php?CODE=PUTGQ&UID=01234567891&action=CheerSkullness.exe, 00000000.00000002.11770119537.0000000000B6B000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      http://crl.thawte.com/ThawteTimestampingCA.crl0CheerSkullness.exefalse
        		high
        https://softfantastic.com/RCheerSkullness.exe, 00000000.00000002.11770119537.0000000000B44000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://www.thawte.com/cps0/CheerSkullness.exefalse
          		high
          https://softfantastic.com/?w2UAn1d9PDzAsA0CC1NUSw8URlZR%2B45zjy%2B2wFQa2e7x8Zod5Qtar4%2F1sl8hQzppxV5CheerSkullness.exe, 00000000.00000003.11720123646.0000000000BA5000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://softfantastic.com/CheerSkullness.exe, 00000000.00000002.11770244633.0000000000BB6000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://www.thawte.com/repository0WCheerSkullness.exefalse
            		high
            http://ocsp.thawte.com0CheerSkullness.exefalse
              		high
              https://softfantastic.com/installer.php?CODE=PUTGQ&UID=01234567891&action=y-CheerSkullness.exe, 00000000.00000002.11770119537.0000000000B6B000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://softfantastic.com/:CheerSkullness.exe, 00000000.00000002.11770119537.0000000000B44000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown

              World Map of Contacted IPs

              No contacted IP infos

              General Information

              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1584576
              Start date and time:2025-01-05 22:06:02 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 2m 18s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
              Number of analysed new started processes analysed:7
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:CheerSkullness.exe
              Detection:MAL
              Classification:mal60.winEXE@1/0@1/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 18
              • Number of non-executed functions: 130
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Stop behavior analysis, all processes terminated

              Warnings

              • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe
              • Excluded IPs from analysis (whitelisted): 204.79.197.203, 4.245.163.56, 23.56.254.164
              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, sls.update.microsoft.com, oneocsp.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: CheerSkullness.exe

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              fp2e7a.wpc.phicdn.netInsomia.exeGet hashmaliciousLummaCBrowse
              • 192.229.221.95
              Tax_Refund_Claim_2024_Australian_Taxation_Office.jsGet hashmaliciousRemcosBrowse
              • 192.229.221.95
              3lhrJ4X.exeGet hashmaliciousLiteHTTP BotBrowse
              • 192.229.221.95
              Your File Is Ready To Download.exeGet hashmaliciousUnknownBrowse
              • 192.229.221.95
              http://www.klim.comGet hashmaliciousUnknownBrowse
              • 192.229.221.95
              Reparto Trabajo TP4.xlsmGet hashmaliciousUnknownBrowse
              • 192.229.221.95
              EwpsQzeky5.msiGet hashmaliciousUnknownBrowse
              • 192.229.221.95
              https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690Get hashmaliciousUnknownBrowse
              • 192.229.221.95
              hcxmivKYfL.exeGet hashmaliciousRedLineBrowse
              • 192.229.221.95
              Bo6uO5gKL4.exeGet hashmaliciousUnknownBrowse
              • 192.229.221.95

              ASNs

              No context

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              No created / dropped files found

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.5372200565608605
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:CheerSkullness.exe
              File size:6'044'312 bytes
              MD5:f9e101b2d9f6671484e6f6010e159cb9
              SHA1:25c09df4f73610d5953d6a08cdf5a5183fa3e4b6
              SHA256:0dcdf7c63a9e5dbf789c3c7eed54a2d5968be59fef0275e3925d8677a7b2b1b4
              SHA512:bcdccaba207ca88b7ceda0f6d1cdb48be45d1008178c4c67267e15f823994e8db8f5f258c998e794c7afeec4128fad48f3acd056c8a77d778ad1fad354506601
              SSDEEP:98304:1TTof67eeueehKFnnQ+9FVw7u6+P1jqzJXIg0LzNh6GS53AFXC8Q2jnWrfc84xU9:5Tof67eeueehEQ+9FuJujpgihlS53AFA
              TLSH:8656DF92F1819E1EE1270F77ED68A411815B2FE50F10C37A3199776D27F2E812E68BD2
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n..:*fyi*fyi*fyi...i+fyil7.i(fyi...i)fyi'4.i.fyi'4.i.fyi'4.i.fyi...i fyi...i1fyi*fxi.fyi...i8fyi'4.i+fyi*f.i+fyi...i+fyiRich*fy

              File Icon

              Icon Hash:07655ebab264318e

              Static PE Info

              General

              Entrypoint:0x41a747
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:TERMINAL_SERVER_AWARE
              Time Stamp:0x5E9050C7 [Fri Apr 10 10:56:07 2020 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:0
              File Version Major:6
              File Version Minor:0
              Subsystem Version Major:6
              Subsystem Version Minor:0
              Import Hash:ab3bd7a6f13c0121f557b35180c0f9cf

              Authenticode Signature

              Signature Valid:true
              Signature Issuer:CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
              Signature Validation Error:The operation completed successfully
              Error Number:0
              Not Before, Not After
              • 04/07/2019 20:00:00 04/07/2020 19:59:59
              Subject Chain
              • CN=METACHU LIMITED, O=METACHU LIMITED, L=Romford, C=GB
              Version:3
              Thumbprint MD5:F4993BC876229F363FD0D1FB9162E6B5
              Thumbprint SHA-1:33C4A2BCA018F6AB9325708D00F3765C004367A9
              Thumbprint SHA-256:E6999254C64B91747DC01F21F8AAD9FBDDF8A334AFB9E0B355159102D1FF8188
              Serial:255F56746AFEB1038E4EE178FCE10337

              Entrypoint Preview

              Instruction
              call 00007F6C6481C738h
              jmp 00007F6C6480D9A5h
              push 00000014h
              push 00453560h
              call 00007F6C64814188h
              call 00007F6C648128CBh
              movzx esi, ax
              push 00000002h
              call 00007F6C6481C6CBh
              pop ecx
              mov eax, 00005A4Dh
              cmp word ptr [00400000h], ax
              je 00007F6C6480D9A6h
              xor ebx, ebx
              jmp 00007F6C6480D9D5h
              mov eax, dword ptr [0040003Ch]
              cmp dword ptr [eax+00400000h], 00004550h
              jne 00007F6C6480D98Dh
              mov ecx, 0000010Bh
              cmp word ptr [eax+00400018h], cx
              jne 00007F6C6480D97Fh
              xor ebx, ebx
              cmp dword ptr [eax+00400074h], 0Eh
              jbe 00007F6C6480D9ABh
              cmp dword ptr [eax+004000E8h], ebx
              setne bl
              mov dword ptr [ebp-1Ch], ebx
              call 00007F6C648154A1h
              test eax, eax
              jne 00007F6C6480D9AAh
              push 0000001Ch
              call 00007F6C6480DAC7h
              pop ecx
              call 00007F6C648165D4h
              test eax, eax
              jne 00007F6C6480D9AAh
              push 00000010h
              call 00007F6C6480DAB6h
              pop ecx
              call 00007F6C6481C744h
              and dword ptr [ebp-04h], 00000000h
              call 00007F6C6481BE15h
              test eax, eax
              jns 00007F6C6480D9AAh
              push 0000001Bh
              call 00007F6C6480DA9Ch
              pop ecx
              call dword ptr [004461B4h]
              mov dword ptr [004598E8h], eax
              call 00007F6C6481C75Fh
              mov dword ptr [00457B38h], eax
              call 00007F6C6481C102h
              test eax, eax
              jns 00007F6C6480D9AAh

              Rich Headers

              Programming Language:
              • [ASM] VS2013 build 21005
              • [ C ] VS2013 build 21005
              • [C++] VS2013 build 21005
              • [C++] VS2013 UPD5 build 40629
              • [RES] VS2013 build 21005
              • [LNK] VS2013 UPD5 build 40629

              Data Directories

              NameVirtual AddressVirtual Size Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IMPORT0x53dec0x118.rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000x56b220.rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
              IMAGE_DIRECTORY_ENTRY_SECURITY0x5c0a000x3098.rsrc
              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x518180x40.rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IAT0x460000x350.rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

              Sections

              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
              .text0x10000x447170x4480032f41a1c2316a2fb2527843301b34604False0.5371271954835767data6.645371979949562IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata0x460000xf0ca0xf200090e8907cc3c22de8a937117104e4448False0.4077188791322314data5.332136835342513IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data0x560000x38ec0x1800578bf5a6375697549fbe6389d633226eFalse0.3274739583333333data3.8379469052520983IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc0x5a0000x56b2200x56b400ec5fcf93732c7e07fbe92f09b1bda6ddunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              NameRVASizeTypeLanguageCountryZLIB Complexity
              WAVE0x1e37a00x3cc9f0RIFF (little-endian) data, WAVE audio, Microsoft PCM, 32 bit, stereo 44100 HzEnglishUnited States0.9141445159912109
              RT_BITMAP0x5b01900x14c5cDevice independent bitmap graphic, 497 x 57 x 24, image size 85044, resolution 5668 x 5668 px/mEnglishUnited States0.10242818861360538
              RT_BITMAP0x637780x180028Device independent bitmap graphic, 1024 x 512 x 24, image size 1572864, resolution 11811 x 11811 px/mEnglishUnited States0.08836555480957031
              RT_ICON0x5a5580x5488Device independent bitmap graphic, 72 x 144 x 32, image size 0EnglishUnited States0.2571164510166359
              RT_ICON0x5f9f80x1d47Device independent bitmap graphic, 60 x 60 x 32, image size 14400EnglishUnited States0.0485657104736491
              RT_ICON0x617580x1d47Device independent bitmap graphic, 60 x 60 x 32, image size 14400EnglishUnited States0.03962641761174116
              RT_DIALOG0x5a4580xfadataEnglishUnited States0.576
              RT_DIALOG0x5a3400x112dataEnglishUnited States0.5912408759124088
              RT_GROUP_ICON0x5f9e00x14dataEnglishUnited States1.1
              RT_GROUP_ICON0x617400x14dataEnglishUnited States1.25
              RT_GROUP_ICON0x634a00x14dataEnglishUnited States1.25
              RT_VERSION0x634b80x2bcdataEnglishUnited States0.45571428571428574
              RT_MANIFEST0x5c4df00x42eXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1010), with CRLF line terminatorsEnglishUnited States0.5046728971962616

              Imports

              DLLImport
              KERNEL32.dllCreateFileA, WriteFile, FreeResource, OpenProcess, GetCurrentProcessId, EnumResourceTypesA, EnumResourceNamesA, GetTickCount, RaiseException, GetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, GetProcAddress, DecodePointer, DeleteFileA, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, LoadLibraryA, RemoveDirectoryA, GetEnvironmentVariableA, LocalAlloc, LocalFree, lstrlenA, SetLastError, SizeofResource, SetEndOfFile, OutputDebugStringW, WriteConsoleW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, SetConsoleCtrlHandler, SetStdHandle, CreateFileW, SetFilePointerEx, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetModuleFileNameW, GetFileType, GetStdHandle, GetStringTypeW, FatalAppExitA, FlushFileBuffers, GetConsoleCP, GetCurrentThread, GetCPInfo, GetOEMCP, GetACP, LockResource, LoadResource, FindResourceA, FindClose, FindNextFileA, GetModuleFileNameA, FindFirstFileA, CloseHandle, CreateThread, GetCurrentThreadId, GetModuleHandleA, VirtualAlloc, Sleep, IsValidCodePage, ReadConsoleW, VirtualFree, VirtualProtect, GetConsoleMode, CreateSemaphoreW, GetModuleHandleW, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, TerminateProcess, GetCurrentProcess, CreateEventW, InitializeCriticalSectionAndSpinCount, SetUnhandledExceptionFilter, UnhandledExceptionFilter, AreFileApisANSI, GetModuleHandleExW, ExitProcess, FreeLibrary, LeaveCriticalSection, EnterCriticalSection, RtlUnwind, GetCommandLineA, LoadLibraryExW, GetSystemTimeAsFileTime, EncodePointer, IsProcessorFeaturePresent, IsDebuggerPresent, MultiByteToWideChar, lstrcatA, WideCharToMultiByte, FindResourceW, FindResourceExW, ReadFile, GetFileSize, CreateDirectoryA, GetThreadLocale, IsBadReadPtr, GetNativeSystemInfo
              USER32.dllPostQuitMessage, AttachThreadInput, PostMessageA, IsWindow, CreateDialogParamA, WaitMessage, MessageBoxA, EnumWindows, GetWindowThreadProcessId, GetWindowTextA, GetClassNameA, GetMessageA, UnregisterClassA, GetDC, ReleaseDC, GetWindowRect, PeekMessageA, wsprintfA, ShowWindow, GetSystemMetrics, DestroyWindow, SetTimer, UpdateWindow, DispatchMessageA, SetWindowTextA, SendMessageA, LoadImageA, EnableWindow, GetDlgItem, MoveWindow, ScreenToClient
              GDI32.dllSetBitmapDimensionEx, GetTextCharacterExtra, SaveDC, OffsetClipRgn, GetSystemPaletteUse, GetDeviceCaps
              ADVAPI32.dllRegCloseKey, RegOpenKeyExA, RegEnumKeyExA, RegQueryInfoKeyA, RegQueryValueExA
              SHELL32.dllSHGetSpecialFolderPathA
              MSACM32.dllacmGetVersion
              prntvpt.dll
              SHLWAPI.dllStrPBrkA, StrCatBuffW, PathFindOnPathW, SHEnumValueW, PathAppendA, PathFileExistsA, PathFindFileNameA
              WININET.dllInternetCloseHandle, HttpQueryInfoA, InternetOpenUrlA, InternetReadFile, HttpSendRequestA, InternetSetOptionA, InternetQueryOptionA, HttpOpenRequestA, SetUrlCacheEntryInfoW, GopherGetAttributeA, CommitUrlCacheEntryA, InternetGetLastResponseInfoW, InternetFindNextFileA, InternetCrackUrlA, InternetOpenA, InternetConnectA
              PSAPI.DLLGetPerformanceInfo, EnumProcessModules, GetModuleBaseNameA, GetModuleFileNameExW, GetWsChangesEx, EnumProcesses, EnumProcessModulesEx, GetDeviceDriverBaseNameA, GetModuleFileNameExA
              WTSAPI32.dllWTSFreeMemory, WTSEnumerateProcessesA
              ole32.dllCoInitializeSecurity, CoCreateInstance, CoInitializeEx, CoUninitialize
              OLEAUT32.dllSysFreeString, SysAllocString

              Possible Origin

              Language of compilation systemCountry where language is spokenMap
              EnglishUnited States

              Network Behavior

              Network Port Distribution

              UDP Packets

              TimestampSource PortDest PortSource IPDest IP
              Jan 5, 2025 22:06:56.553530931 CET5891453192.168.2.241.1.1.1
              Jan 5, 2025 22:06:56.562012911 CET53589141.1.1.1192.168.2.24

              DNS Queries

              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
              Jan 5, 2025 22:06:56.553530931 CET192.168.2.241.1.1.10xc43Standard query (0)softfantastic.comA (IP address)IN (0x0001)false

              DNS Answers

              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
              Jan 5, 2025 22:06:49.603513002 CET1.1.1.1192.168.2.240xed59No error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
              Jan 5, 2025 22:06:49.603513002 CET1.1.1.1192.168.2.240xed59No error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false
              Jan 5, 2025 22:06:56.562012911 CET1.1.1.1192.168.2.240xc43Name error (3)softfantastic.comnonenoneA (IP address)IN (0x0001)false

              Statistics

              CPU Usage

              Click to jump to process

              Memory Usage

              Click to jump to process

              High Level Behavior Distribution

              Click to dive into process behavior distribution

              System Behavior

              General

              Target ID:0
              Start time:16:06:55
              Start date:05/01/2025
              Path:C:\Users\user\Desktop\CheerSkullness.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\CheerSkullness.exe"
              Imagebase:0x400000
              File size:6'044'312 bytes
              MD5 hash:F9E101B2D9F6671484E6F6010E159CB9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Disassembly

              Reset < >

                Execution Graph

                Execution Coverage:2.7%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:22.6%
                Total number of Nodes:906
                Total number of Limit Nodes:59
                execution_graph 33814 41a747 33854 4294df 33814->33854 33816 41a74c __commit 33858 41f688 GetStartupInfoW 33816->33858 33818 41a762 33860 4222b6 GetProcessHeap 33818->33860 33820 41a7ba 33821 41a7c5 33820->33821 34222 41a8e7 58 API calls 3 library calls 33820->34222 33861 4233fa 33821->33861 33824 41a7cb 33825 41a7d6 __RTC_Initialize 33824->33825 34223 41a8e7 58 API calls 3 library calls 33824->34223 33882 428c55 33825->33882 33828 41a7e5 33829 41a7f1 GetCommandLineA 33828->33829 34224 41a8e7 58 API calls 3 library calls 33828->34224 33901 4295bb GetEnvironmentStringsW 33829->33901 33832 41a7f0 33832->33829 33836 41a816 33925 429197 33836->33925 33840 41a827 33941 41ea56 33840->33941 33843 41a82f 33844 41a83a 33843->33844 34227 41ea1c 58 API calls 3 library calls 33843->34227 33947 429648 33844->33947 33849 41a84e 33850 41a85d 33849->33850 34219 41ed2b 33849->34219 34228 41ea47 58 API calls _doexit 33850->34228 33853 41a862 __commit 33855 429502 33854->33855 33856 42950f GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 33854->33856 33855->33856 33857 429506 33855->33857 33856->33857 33857->33816 33859 41f69e 33858->33859 33859->33818 33860->33820 34229 41eb5a 36 API calls 2 library calls 33861->34229 33863 4233ff 34230 4285fc InitializeCriticalSectionAndSpinCount ___lock_fhandle 33863->34230 33865 423404 33866 423408 33865->33866 34232 41f57c TlsAlloc 33865->34232 34231 423470 61 API calls 2 library calls 33866->34231 33869 42340d 33869->33824 33870 42341a 33870->33866 33871 423425 33870->33871 34233 422304 33871->34233 33874 423467 34241 423470 61 API calls 2 library calls 33874->34241 33877 423446 33877->33874 33879 42344c 33877->33879 33878 42346c 33878->33824 34240 423347 58 API calls 4 library calls 33879->34240 33881 423454 GetCurrentThreadId 33881->33824 33883 428c61 __commit 33882->33883 34253 4284ab 33883->34253 33885 428c68 33886 422304 __calloc_crt 58 API calls 33885->33886 33887 428c79 33886->33887 33888 428ce4 GetStartupInfoW 33887->33888 33890 428c84 __commit @_EH4_CallFilterFunc@8 33887->33890 33889 428e28 33888->33889 33891 428cf9 33888->33891 33892 428ef0 33889->33892 33895 428e75 GetStdHandle 33889->33895 33896 428e88 GetFileType 33889->33896 34261 41f6c3 InitializeCriticalSectionAndSpinCount 33889->34261 33890->33828 33891->33889 33894 422304 __calloc_crt 58 API calls 33891->33894 33898 428d47 33891->33898 34262 428f00 LeaveCriticalSection _doexit 33892->34262 33894->33891 33895->33889 33896->33889 33897 428d7b GetFileType 33897->33898 33898->33889 33898->33897 34260 41f6c3 InitializeCriticalSectionAndSpinCount 33898->34260 33902 41a801 33901->33902 33903 4295ce WideCharToMultiByte 33901->33903 33914 428f68 33902->33914 33905 429601 33903->33905 33906 429638 FreeEnvironmentStringsW 33903->33906 34265 42234c 33905->34265 33906->33902 33909 42960e WideCharToMultiByte 33910 429624 33909->33910 33911 42962d FreeEnvironmentStringsW 33909->33911 34271 418e0e 58 API calls 2 library calls 33910->34271 33911->33902 33913 42962a 33913->33911 33915 428f76 33914->33915 33916 428f7b GetModuleFileNameA 33914->33916 34310 4227bc 70 API calls __setmbcp 33915->34310 33918 428fa8 33916->33918 34304 42901b 33918->34304 33921 42234c __malloc_crt 58 API calls 33922 428fe1 33921->33922 33923 42901b _parse_cmdline 58 API calls 33922->33923 33924 41a80b 33922->33924 33923->33924 33924->33836 34225 41ea1c 58 API calls 3 library calls 33924->34225 33926 4291a0 33925->33926 33929 4291a5 _strlen 33925->33929 34313 4227bc 70 API calls __setmbcp 33926->34313 33928 422304 __calloc_crt 58 API calls 33937 4291db _strlen 33928->33937 33929->33928 33932 41a81c 33929->33932 33930 42922d 34323 418e0e 58 API calls 2 library calls 33930->34323 33932->33840 34226 41ea1c 58 API calls 3 library calls 33932->34226 33933 422304 __calloc_crt 58 API calls 33933->33937 33934 429254 34324 418e0e 58 API calls 2 library calls 33934->34324 33937->33930 33937->33932 33937->33933 33937->33934 33938 42926b 33937->33938 34314 41a1fd 33937->34314 34325 41fe4a 8 API calls 2 library calls 33938->34325 33940 429277 33943 41ea62 __IsNonwritableInCurrentImage 33941->33943 34329 42bdd5 33943->34329 33944 41ea80 __initterm_e 33946 41ea9f _doexit __IsNonwritableInCurrentImage 33944->33946 34332 419057 67 API calls __cinit 33944->34332 33946->33843 33948 429654 33947->33948 33951 429659 33947->33951 34333 4227bc 70 API calls __setmbcp 33948->34333 33950 41a840 33953 405485 33950->33953 33951->33950 34334 422152 58 API calls x_ismbbtype_l 33951->34334 33954 405494 __EH_prolog3_catch_GS 33953->33954 34335 418424 33954->34335 33956 4054b3 33957 4054c0 GetTickCount 33956->33957 33958 4054c6 33956->33958 33957->33958 33959 4054e0 33958->33959 33960 4054ce GetTickCount 33958->33960 34345 4111e0 33959->34345 33960->33959 33961 4054d5 33960->33961 34495 403421 136 API calls 6 library calls 33961->34495 33969 405510 33972 40d9c0 61 API calls 33969->33972 33970 40554d 34405 4123f0 33970->34405 33974 405520 33972->33974 33977 40de90 61 API calls 33974->33977 33975 412ab0 61 API calls 33976 405565 33975->33976 33978 405586 33976->33978 33979 405569 33976->33979 33980 405532 MessageBoxA 33977->33980 34434 411340 33978->34434 33981 40d9c0 61 API calls 33979->33981 34028 405548 33980->34028 33981->33974 33984 412ab0 61 API calls 33985 40559e 33984->33985 33986 4055c2 33985->33986 33987 4055a2 33985->33987 33989 418424 _Allocate 59 API calls 33986->33989 33990 40d9c0 61 API calls 33987->33990 33992 4055c9 33989->33992 33990->33974 33993 4055df 33992->33993 34496 4073be 81 API calls 2 library calls 33992->34496 34452 4135d0 33993->34452 33999 405df5 34464 4077bf 33999->34464 34002 405dff 34476 40d9c0 34002->34476 34003 405629 34498 41938e 58 API calls __mbscmp_l 34003->34498 34006 405634 34006->33999 34009 413c60 84 API calls 34006->34009 34011 40564e 34009->34011 34010 405e21 MessageBoxA 34010->34028 34011->33999 34499 413bf0 84 API calls 34011->34499 34013 405668 34500 4196f2 61 API calls strtoxl 34013->34500 34015 40566e 34015->33999 34016 40567c 34015->34016 34017 4077bf 196 API calls 34016->34017 34018 405686 34017->34018 34501 4068a9 65 API calls 3 library calls 34018->34501 34020 40569a 34021 4056a9 34020->34021 34022 4056ce 34020->34022 34023 4077bf 196 API calls 34021->34023 34502 405034 61 API calls _rand 34022->34502 34023->34028 34025 4056d3 34026 4077bf 196 API calls 34025->34026 34027 4056dd 34026->34027 34503 40781d 186 API calls 2 library calls 34027->34503 34567 41efd0 6 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 34028->34567 34030 4056f7 34031 405712 34030->34031 34032 405765 34030->34032 34034 4077bf 196 API calls 34031->34034 34504 40442c GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 34032->34504 34036 40571c 34034->34036 34035 40576a 34505 40924f 66 API calls 34035->34505 34038 40d9c0 61 API calls 34036->34038 34040 40572c 34038->34040 34039 405771 34041 405775 GetTickCount 34039->34041 34042 405788 34039->34042 34043 40de90 61 API calls 34040->34043 34044 4077bf 196 API calls 34041->34044 34507 403363 9 API calls 34042->34507 34046 40573e MessageBoxA 34043->34046 34047 405781 34044->34047 34053 405755 34046->34053 34506 4051b2 85 API calls 3 library calls 34047->34506 34048 40578d 34508 404114 34048->34508 34053->34028 34054 40579e 34055 4057f1 34054->34055 34056 4057b1 34054->34056 34058 4077bf 196 API calls 34055->34058 34057 4077bf 196 API calls 34056->34057 34059 4057bb 34057->34059 34060 4057fb 34058->34060 34519 4050c6 72 API calls __EH_prolog3_GS 34059->34519 34521 4050c6 72 API calls __EH_prolog3_GS 34060->34521 34063 405809 34522 4060a6 60 API calls 34063->34522 34064 4057c8 34520 4060a6 60 API calls 34064->34520 34067 4057d8 34068 4077bf 196 API calls 34067->34068 34069 405835 34068->34069 34523 406260 60 API calls _memcpy_s 34069->34523 34071 405853 34524 404ef7 152 API calls __EH_prolog3_catch 34071->34524 34073 40585e 34074 4077bf 196 API calls 34073->34074 34076 405874 34073->34076 34074->34076 34075 4077bf 196 API calls 34077 4058ac 34075->34077 34076->34075 34078 4077bf 196 API calls 34077->34078 34079 4058b6 34078->34079 34525 408fac 95 API calls 4 library calls 34079->34525 34081 4058bd 34082 4077bf 196 API calls 34081->34082 34083 4058c7 34082->34083 34084 40d9c0 61 API calls 34083->34084 34085 4058d7 34084->34085 34086 40de90 61 API calls 34085->34086 34087 4058e2 LoadLibraryA 34086->34087 34088 405900 34087->34088 34089 405975 CreateDialogParamA 34088->34089 34092 40d9c0 61 API calls 34088->34092 34090 4059c5 34089->34090 34091 405996 GetTickCount 34089->34091 34093 4077bf 196 API calls 34090->34093 34094 4077bf 196 API calls 34091->34094 34095 405914 34092->34095 34096 4059cf 34093->34096 34097 4059a6 34094->34097 34098 40de90 61 API calls 34095->34098 34103 4077bf 196 API calls 34096->34103 34528 404fa3 199 API calls __EH_prolog3_catch 34097->34528 34100 40591f GetProcAddress 34098->34100 34102 40593d 34100->34102 34101 4059ab 34529 4051b2 85 API calls 3 library calls 34101->34529 34107 40d9c0 61 API calls 34102->34107 34105 405a40 34103->34105 34531 408ed1 71 API calls 2 library calls 34105->34531 34106 4059b0 34530 4033eb 7 API calls 34106->34530 34110 40594d 34107->34110 34111 40de90 61 API calls 34110->34111 34113 405958 GetProcAddress 34111->34113 34112 405a4c 34114 405a50 GetTickCount 34112->34114 34122 405aa4 34112->34122 34526 40db80 34113->34526 34116 405a62 34114->34116 34117 405a5d 34114->34117 34118 4077bf 196 API calls 34116->34118 34532 4036c1 89 API calls 4 library calls 34117->34532 34121 405a6c 34118->34121 34120 4059b5 34120->33849 34533 404fa3 199 API calls __EH_prolog3_catch 34121->34533 34124 404114 68 API calls 34122->34124 34126 405ac0 34124->34126 34125 405a71 34534 4051b2 85 API calls 3 library calls 34125->34534 34128 40607d 2 API calls 34126->34128 34129 405acc 34128->34129 34536 406455 34129->34536 34130 405a76 34535 4033eb 7 API calls 34130->34535 35064 41ebfc 34219->35064 34221 41ed3a 34221->33850 34222->33821 34223->33825 34224->33832 34228->33853 34229->33863 34230->33865 34231->33869 34232->33870 34235 42230b 34233->34235 34236 422346 34235->34236 34237 422329 34235->34237 34242 42bff1 34235->34242 34236->33874 34239 41f5d8 TlsSetValue 34236->34239 34237->34235 34237->34236 34250 41fa4e Sleep 34237->34250 34239->33877 34240->33881 34241->33878 34243 42bffc 34242->34243 34247 42c017 34242->34247 34244 42c008 34243->34244 34243->34247 34251 41e222 58 API calls __getptd_noexit 34244->34251 34246 42c027 HeapAlloc 34246->34247 34248 42c00d 34246->34248 34247->34246 34247->34248 34252 41fc65 DecodePointer 34247->34252 34248->34235 34250->34237 34251->34248 34252->34247 34254 4284cf EnterCriticalSection 34253->34254 34255 4284bc 34253->34255 34254->33885 34263 428553 58 API calls 10 library calls 34255->34263 34257 4284c2 34257->34254 34264 41ea1c 58 API calls 3 library calls 34257->34264 34260->33898 34261->33889 34262->33890 34263->34257 34267 42235a 34265->34267 34268 42238c 34267->34268 34269 42236d 34267->34269 34272 41c496 34267->34272 34268->33906 34268->33909 34269->34267 34269->34268 34289 41fa4e Sleep 34269->34289 34271->33913 34273 41c511 34272->34273 34277 41c4a2 34272->34277 34298 41fc65 DecodePointer 34273->34298 34275 41c517 34299 41e222 58 API calls __getptd_noexit 34275->34299 34276 41c4ad 34276->34277 34290 429278 58 API calls __NMSG_WRITE 34276->34290 34291 4292d5 58 API calls 5 library calls 34276->34291 34292 41e8f9 34276->34292 34277->34276 34280 41c4d5 RtlAllocateHeap 34277->34280 34283 41c4fd 34277->34283 34287 41c4fb 34277->34287 34295 41fc65 DecodePointer 34277->34295 34280->34277 34281 41c509 34280->34281 34281->34267 34296 41e222 58 API calls __getptd_noexit 34283->34296 34297 41e222 58 API calls __getptd_noexit 34287->34297 34289->34269 34290->34276 34291->34276 34300 41e8c5 GetModuleHandleExW 34292->34300 34295->34277 34296->34287 34297->34281 34298->34275 34299->34281 34301 41e8f5 ExitProcess 34300->34301 34302 41e8de GetProcAddress 34300->34302 34302->34301 34303 41e8f0 34302->34303 34303->34301 34306 42903d 34304->34306 34309 4290a1 34306->34309 34311 422152 58 API calls x_ismbbtype_l 34306->34311 34307 428fbe 34307->33921 34307->33924 34309->34307 34312 422152 58 API calls x_ismbbtype_l 34309->34312 34310->33916 34311->34306 34312->34309 34313->33929 34315 41a208 34314->34315 34317 41a216 34314->34317 34315->34317 34320 41a22c 34315->34320 34326 41e222 58 API calls __getptd_noexit 34317->34326 34318 41a21d 34327 41fe1f 9 API calls __invalid_parameter_noinfo_noreturn 34318->34327 34321 41a227 34320->34321 34328 41e222 58 API calls __getptd_noexit 34320->34328 34321->33937 34323->33932 34324->33932 34325->33940 34326->34318 34327->34321 34328->34318 34330 42bdd8 EncodePointer 34329->34330 34330->34330 34331 42bdf2 34330->34331 34331->33944 34332->33946 34333->33951 34334->33951 34336 41842c 34335->34336 34337 41c496 _malloc 58 API calls 34336->34337 34338 418446 34336->34338 34340 41844a std::exception::exception 34336->34340 34568 41fc65 DecodePointer 34336->34568 34337->34336 34338->33956 34569 41a90e RaiseException 34340->34569 34342 418474 34570 419ae3 58 API calls __vscwprintf_helper 34342->34570 34344 418484 34344->33956 34346 411227 34345->34346 34347 40d9c0 61 API calls 34346->34347 34351 41123b _memmove 34347->34351 34348 40de90 61 API calls 34348->34351 34350 411300 34578 4179ca 34350->34578 34351->34348 34351->34350 34571 402f67 34351->34571 34353 4054f2 34354 412610 34353->34354 34355 40d9c0 61 API calls 34354->34355 34356 412652 34355->34356 34357 40d9c0 61 API calls 34356->34357 34358 412665 34357->34358 34359 40de90 61 API calls 34358->34359 34360 412674 LoadLibraryA 34359->34360 34361 412681 34360->34361 34365 412696 _memset 34360->34365 34362 40de90 61 API calls 34361->34362 34363 41268c GetProcAddress 34362->34363 34363->34365 34364 412770 34367 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34364->34367 34365->34364 34366 4126e1 PathFindFileNameA 34365->34366 34368 412710 34366->34368 34369 405500 34367->34369 34368->34368 34370 402f67 59 API calls 34368->34370 34398 412ab0 34369->34398 34371 412736 34370->34371 34372 412745 34371->34372 34377 412790 34371->34377 34374 40d9c0 61 API calls 34372->34374 34373 412914 34375 40d9c0 61 API calls 34373->34375 34376 412755 34374->34376 34378 412924 34375->34378 34380 40de90 61 API calls 34376->34380 34377->34373 34379 40d9c0 61 API calls 34377->34379 34381 40de90 61 API calls 34378->34381 34382 412801 34379->34382 34383 412764 34380->34383 34397 4128d6 34381->34397 34384 40de90 61 API calls 34382->34384 34385 40301c 59 API calls 34383->34385 34386 412810 34384->34386 34385->34364 34387 40301c 59 API calls 34386->34387 34390 41281c 34387->34390 34388 402f67 59 API calls 34388->34364 34389 41290a 34606 4178c6 59 API calls 3 library calls 34389->34606 34390->34389 34392 412872 34390->34392 34392->34373 34393 4128b7 34392->34393 34394 40d9c0 61 API calls 34393->34394 34395 4128c7 34394->34395 34396 40de90 61 API calls 34395->34396 34396->34397 34397->34388 34399 40d9c0 61 API calls 34398->34399 34404 412aea 34399->34404 34400 40de90 61 API calls 34400->34404 34401 412bc4 34402 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34401->34402 34403 40550c 34402->34403 34403->33969 34403->33970 34404->34400 34404->34401 34406 40d9c0 61 API calls 34405->34406 34407 412432 34406->34407 34408 40d9c0 61 API calls 34407->34408 34409 412445 34408->34409 34410 40de90 61 API calls 34409->34410 34411 412454 LoadLibraryA 34410->34411 34412 412461 34411->34412 34415 412476 34411->34415 34413 40de90 61 API calls 34412->34413 34414 41246c GetProcAddress 34413->34414 34414->34415 34416 412568 34415->34416 34417 412546 34415->34417 34418 4124af GetTickCount 34415->34418 34423 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34416->34423 34420 40d9c0 61 API calls 34417->34420 34418->34417 34419 4124c5 34418->34419 34419->34417 34421 4124db 34419->34421 34422 412553 34420->34422 34424 40d9c0 61 API calls 34421->34424 34425 40de90 61 API calls 34422->34425 34426 405558 34423->34426 34427 4124e8 34424->34427 34428 41255f 34425->34428 34426->33975 34429 40de90 61 API calls 34427->34429 34430 40301c 59 API calls 34428->34430 34431 4124f4 34429->34431 34430->34416 34432 40301c 59 API calls 34431->34432 34433 4124fd 34432->34433 34433->34416 34607 417020 34434->34607 34437 411422 34439 40d9c0 61 API calls 34437->34439 34438 41137c 34440 40d9c0 61 API calls 34438->34440 34441 411432 34439->34441 34442 411389 34440->34442 34443 40de90 61 API calls 34441->34443 34444 40de90 61 API calls 34442->34444 34447 411444 34443->34447 34445 411398 34444->34445 34446 402f67 59 API calls 34445->34446 34449 4113d3 34446->34449 34448 402f67 59 API calls 34447->34448 34448->34449 34450 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34449->34450 34451 405591 34450->34451 34451->33984 34453 404114 68 API calls 34452->34453 34454 413605 34453->34454 34455 41361c 34454->34455 34672 403d86 InitializeCriticalSectionEx RaiseException __CxxThrowException@8 34454->34672 34660 414680 34455->34660 34459 4055fd 34461 413c60 34459->34461 34678 414de0 34461->34678 34465 4077cb __EH_prolog3 34464->34465 34466 404114 68 API calls 34465->34466 34467 4077d6 34466->34467 34468 40607d 2 API calls 34467->34468 34469 4077df 34468->34469 34470 406455 80 API calls 34469->34470 34471 4077f4 34470->34471 34472 40301c 59 API calls 34471->34472 34473 407802 34472->34473 34474 407741 185 API calls 34473->34474 34475 407809 34474->34475 34475->34002 34477 40da1d 34476->34477 34478 402f67 59 API calls 34477->34478 34479 40da39 34478->34479 34480 402f67 59 API calls 34479->34480 34481 40da6c 34480->34481 34717 415f00 34481->34717 34484 40de90 34485 415f00 61 API calls 34484->34485 34486 40dea8 34485->34486 34728 40dce0 59 API calls 2 library calls 34486->34728 34488 40dec0 34489 40df35 34488->34489 34490 40df46 34488->34490 34491 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34489->34491 34492 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34490->34492 34493 40df42 34491->34493 34494 40df53 34492->34494 34493->34010 34494->34010 34495->33959 34496->33993 34497 413bf0 84 API calls 34497->34003 34498->34006 34499->34013 34500->34015 34501->34020 34502->34025 34503->34030 34504->34035 34505->34039 34506->34053 34507->34048 34729 403308 8 API calls 34507->34729 34730 4032db 14 API calls 34507->34730 34509 40411d GetProcessHeap 34508->34509 34511 40414b 34508->34511 34731 419057 67 API calls __cinit 34509->34731 34513 4041a5 34511->34513 34732 419057 67 API calls __cinit 34511->34732 34514 40607d 34513->34514 34515 40609b 34514->34515 34517 40608a 34514->34517 34733 403d86 InitializeCriticalSectionEx RaiseException __CxxThrowException@8 34515->34733 34517->34054 34518 4060a5 34519->34064 34520->34067 34521->34063 34522->34067 34523->34071 34524->34073 34525->34081 34527 40db88 34526->34527 34527->34089 34528->34101 34529->34106 34530->34120 34531->34112 34532->34116 34533->34125 34534->34130 34535->34120 34734 40649e 34536->34734 34538 405ae2 34539 40301c 34538->34539 34540 403038 34539->34540 34541 402f67 59 API calls 34540->34541 34542 403044 34541->34542 34543 407741 34542->34543 34544 40774d __EH_prolog3_GS 34543->34544 34756 402bd3 34544->34756 34548 407784 34771 40760b 34548->34771 34550 407790 34782 41efc1 34550->34782 34568->34336 34569->34342 34570->34344 34572 402f77 34571->34572 34573 402f97 34572->34573 34574 402f7b 34572->34574 34599 402f04 59 API calls _memmove 34573->34599 34585 402d1d 34574->34585 34577 402f95 _memmove 34577->34351 34579 4179d2 34578->34579 34580 4179d4 IsProcessorFeaturePresent 34578->34580 34579->34353 34582 417af9 34580->34582 34605 417aa8 5 API calls ___raise_securityfailure 34582->34605 34584 417bdc 34584->34353 34586 402d32 34585->34586 34587 402da6 34585->34587 34588 402d56 34586->34588 34589 402d3f 34586->34589 34603 4178c6 59 API calls 3 library calls 34587->34603 34602 402f04 59 API calls _memmove 34588->34602 34600 402c53 59 API calls 34589->34600 34593 402db0 34604 417898 59 API calls 2 library calls 34593->34604 34594 402d47 34601 402c9b 59 API calls 34594->34601 34598 402d54 _memmove 34598->34577 34599->34577 34600->34594 34602->34598 34603->34593 34605->34584 34606->34373 34608 40d9c0 61 API calls 34607->34608 34609 417068 34608->34609 34610 40de90 61 API calls 34609->34610 34614 41707a _strlwr_s_l_stat 34610->34614 34611 4170c3 34634 417430 CoInitializeEx 34611->34634 34613 4170d2 34615 40d9c0 61 API calls 34613->34615 34630 4170da 34613->34630 34614->34611 34617 4170a7 MultiByteToWideChar 34614->34617 34616 4170f1 34615->34616 34618 40d9c0 61 API calls 34616->34618 34617->34611 34619 417102 34618->34619 34621 40de90 61 API calls 34619->34621 34620 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34622 411374 34620->34622 34628 41710e _strlwr_s_l_stat 34621->34628 34622->34437 34622->34438 34623 417134 34624 40de90 61 API calls 34623->34624 34632 417159 _strlwr_s_l_stat 34624->34632 34625 417178 34642 417210 SysAllocString SysAllocString 34625->34642 34628->34623 34649 416fe0 MultiByteToWideChar 34628->34649 34629 4171b1 CoUninitialize 34629->34630 34630->34620 34632->34625 34650 416fe0 MultiByteToWideChar 34632->34650 34635 417449 CoInitializeSecurity 34634->34635 34636 41746b 34634->34636 34637 417471 CoCreateInstance 34635->34637 34638 417465 CoUninitialize 34635->34638 34636->34613 34637->34638 34639 41748d SysAllocString 34637->34639 34638->34636 34640 4174b3 SysFreeString 34639->34640 34641 4174ca 34640->34641 34641->34613 34647 417266 34642->34647 34643 4172d9 SysFreeString SysFreeString 34644 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34643->34644 34645 4171a2 34644->34645 34645->34629 34645->34630 34646 4172d0 34646->34643 34647->34643 34647->34646 34651 417300 34647->34651 34649->34623 34650->34625 34652 40d9c0 61 API calls 34651->34652 34653 417345 34652->34653 34654 40de90 61 API calls 34653->34654 34655 417354 _strlwr_s_l_stat 34654->34655 34656 417385 MultiByteToWideChar 34655->34656 34657 41735a 34655->34657 34656->34657 34658 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34657->34658 34659 417402 34658->34659 34659->34647 34661 418424 _Allocate 59 API calls 34660->34661 34662 414687 std::exception::exception 34661->34662 34663 413644 34662->34663 34674 41a90e RaiseException 34662->34674 34663->34459 34673 413e10 84 API calls __mbsinc 34663->34673 34665 417845 Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception 34675 41a90e RaiseException 34665->34675 34667 417869 34676 41ee6f 58 API calls std::exception::_Copy_str 34667->34676 34669 417882 34677 41a90e RaiseException 34669->34677 34671 417897 34672->34455 34673->34459 34674->34665 34675->34667 34676->34669 34677->34671 34689 413480 34678->34689 34681 414e27 34701 4147c0 34681->34701 34685 405611 34685->33999 34685->34497 34686 414e53 34710 41938e 58 API calls __mbscmp_l 34686->34710 34690 404114 68 API calls 34689->34690 34691 4134af 34690->34691 34692 4134c6 34691->34692 34711 403d86 InitializeCriticalSectionEx RaiseException __CxxThrowException@8 34691->34711 34694 4134e6 34692->34694 34695 413503 34692->34695 34712 413a20 7 API calls 34694->34712 34695->34695 34696 413501 34695->34696 34714 4061ca 60 API calls 5 library calls 34695->34714 34696->34681 34708 413db0 64 API calls 34696->34708 34699 4134f1 34699->34696 34713 413cf0 66 API calls 34699->34713 34702 4147f9 34701->34702 34707 4147d0 34701->34707 34702->34685 34702->34686 34709 403d86 InitializeCriticalSectionEx RaiseException __CxxThrowException@8 34702->34709 34703 414802 34716 403d86 InitializeCriticalSectionEx RaiseException __CxxThrowException@8 34703->34716 34706 41480c 34707->34702 34707->34703 34715 41938e 58 API calls __mbscmp_l 34707->34715 34708->34681 34709->34686 34710->34685 34711->34692 34712->34699 34713->34696 34714->34696 34715->34707 34716->34706 34718 415f24 34717->34718 34719 416026 34717->34719 34720 402f67 59 API calls 34718->34720 34721 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34719->34721 34724 415f35 34720->34724 34722 405e0f 34721->34722 34722->34484 34724->34719 34726 41ca80 59 API calls 2 library calls 34724->34726 34727 41cf50 60 API calls 2 library calls 34724->34727 34726->34724 34727->34724 34728->34488 34731->34511 34732->34513 34733->34518 34735 4064ab 34734->34735 34737 4064be 34734->34737 34750 419ae3 58 API calls __vscwprintf_helper 34735->34750 34754 403d86 InitializeCriticalSectionEx RaiseException __CxxThrowException@8 34737->34754 34738 4064b6 34738->34737 34740 4064c5 34738->34740 34751 40632b 60 API calls 34740->34751 34741 4064f8 34755 419ae3 58 API calls __vscwprintf_helper 34741->34755 34744 406500 34744->34538 34745 4064cd 34752 419ac8 78 API calls swprintf 34745->34752 34747 4064dd 34753 406177 InitializeCriticalSectionEx RaiseException 34747->34753 34749 4064e8 34749->34538 34750->34738 34751->34745 34752->34747 34753->34749 34754->34741 34755->34744 34757 402d1d 59 API calls 34756->34757 34758 402bf2 34757->34758 34759 40654f 34758->34759 34760 4065e0 34759->34760 34761 406564 34759->34761 34786 4178c6 59 API calls 3 library calls 34760->34786 34762 4065ea 34761->34762 34763 40657d 34761->34763 34787 417898 59 API calls 2 library calls 34762->34787 34770 40658e _memmove 34763->34770 34785 402f04 59 API calls _memmove 34763->34785 34770->34548 34772 40765d 34771->34772 34773 41a1fd __setenvp 58 API calls 34772->34773 34774 40766f 34773->34774 34788 406fd0 34774->34788 34776 40301c 59 API calls 34778 40767b 34776->34778 34778->34776 34779 4076ee 34778->34779 34836 4079c1 34778->34836 34780 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34779->34780 34781 407710 34780->34781 34781->34550 34783 4179ca __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 6 API calls 34782->34783 34784 41efcb 34783->34784 34784->34784 34785->34770 34786->34762 34789 406fdf _memset __EH_prolog3_GS 34788->34789 34904 406f83 34789->34904 34791 407011 _memset 34911 419288 DecodePointer 34791->34911 34793 407034 34794 406f83 69 API calls 34793->34794 34795 40704f 6 API calls 34794->34795 34796 407394 LocalFree LocalFree LocalFree LocalFree LocalFree 34795->34796 34797 407129 34795->34797 34798 41efc1 6 API calls 34796->34798 34799 40301c 59 API calls 34797->34799 34801 4073bd 34798->34801 34800 40713b 34799->34800 34938 408d86 59 API calls _memmove 34800->34938 34801->34778 34803 40715b 34804 40301c 59 API calls 34803->34804 34805 40716c 34804->34805 34806 4071a0 34805->34806 34939 402c9b 59 API calls 34805->34939 34808 40654f 59 API calls 34806->34808 34809 4071b6 34808->34809 34810 40301c 59 API calls 34809->34810 34811 4071c7 34810->34811 34814 4071fb 34811->34814 34940 402c9b 59 API calls 34811->34940 34813 407236 34942 408d86 59 API calls _memmove 34813->34942 34814->34813 34941 408d86 59 API calls _memmove 34814->34941 34817 407220 34819 40654f 59 API calls 34817->34819 34818 407252 34943 408d86 59 API calls _memmove 34818->34943 34819->34813 34821 407272 34822 402bd3 59 API calls 34821->34822 34823 40728f 34822->34823 34944 402322 82 API calls 4 library calls 34823->34944 34825 4072a1 34826 40301c 59 API calls 34825->34826 34827 4072c5 34826->34827 34945 408d86 59 API calls _memmove 34827->34945 34829 4072e7 34946 408d86 59 API calls _memmove 34829->34946 34831 407303 34832 40654f 59 API calls 34831->34832 34833 407319 _memset 34832->34833 34834 41a1fd __setenvp 58 API calls 34833->34834 34835 407349 34834->34835 34835->34796 34837 4079d0 __EH_prolog3_GS 34836->34837 34986 4075a1 34837->34986 34840 407cff 34847 41efc1 6 API calls 34840->34847 34843 407a6b 34846 402bd3 59 API calls 34843->34846 34844 407a5d 35010 408547 67 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 34844->35010 34849 407a83 34846->34849 34850 407d28 34847->34850 34848 407a64 34848->34843 35011 407515 34849->35011 34850->34778 34852 407a8a 34853 407cf8 34852->34853 35015 407993 34852->35015 35020 407578 InternetCloseHandle InternetCloseHandle 34853->35020 34858 407af9 34859 407cf1 InternetCloseHandle 34858->34859 34860 407b47 34858->34860 34861 407b0a InternetQueryOptionA InternetSetOptionA 34858->34861 34859->34853 34862 407c21 34860->34862 34863 407b56 34860->34863 34861->34860 34862->34859 34864 407c29 HttpSendRequestA 34862->34864 34865 40301c 59 API calls 34863->34865 34866 407c36 34864->34866 34867 407bdf 34865->34867 34866->34859 34873 407c1f 34866->34873 34868 407be8 34867->34868 34869 407bea HttpSendRequestA 34867->34869 34868->34869 34869->34873 34870 407cac InternetReadFile 34871 407cc6 34870->34871 34870->34873 34872 407ce2 34871->34872 34875 402d1d 59 API calls 34871->34875 34872->34859 34873->34866 34873->34870 34873->34871 34874 407d2b 34873->34874 35019 408d86 59 API calls _memmove 34873->35019 35021 417be0 6 API calls ___report_securityfailure 34874->35021 34875->34872 34877 407d30 __EH_prolog3_GS 34879 4075a1 64 API calls 34877->34879 34880 407d97 34879->34880 34881 408635 66 API calls 34880->34881 34886 407f40 34880->34886 34882 407db0 34881->34882 34883 407dbb InternetOpenA 34882->34883 35022 408547 67 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 34882->35022 34883->34886 34887 407de9 lstrlenA InternetOpenUrlA 34883->34887 34893 41efc1 6 API calls 34886->34893 34888 407e51 34887->34888 34889 407f37 InternetCloseHandle 34887->34889 34890 407e97 34888->34890 34891 407e5a InternetQueryOptionA InternetSetOptionA 34888->34891 34889->34886 35023 4186f1 125 API calls 2 library calls 34890->35023 34891->34890 34894 407f7b 34893->34894 34894->34778 34895 407f30 InternetCloseHandle 34895->34889 34896 407efc InternetReadFile 34897 407ebb 34896->34897 34898 407f16 34896->34898 34897->34895 34897->34896 34897->34898 35024 41a3ab 80 API calls 3 library calls 34897->35024 35025 41a4e0 84 API calls 4 library calls 34898->35025 34901 407f21 35026 418a2e 83 API calls 5 library calls 34901->35026 34903 407f2c 34903->34895 34947 41922a GetSystemTimeAsFileTime 34904->34947 34906 406f95 34949 41921a 34906->34949 34908 406f9b 34909 406fc5 34908->34909 34910 419288 _rand_s 68 API calls 34908->34910 34909->34791 34910->34908 34912 4192a3 34911->34912 34913 4192b9 34911->34913 34978 41e222 58 API calls __getptd_noexit 34912->34978 34914 4192c5 LoadLibraryExW 34913->34914 34922 419365 34913->34922 34916 4192e6 GetLastError 34914->34916 34917 41930e GetProcAddress 34914->34917 34920 4192fb 34916->34920 34921 4192ed LoadLibraryExW 34916->34921 34923 419320 34917->34923 34924 419342 EncodePointer EncodePointer 34917->34924 34918 4192a8 34979 41fe1f 9 API calls __invalid_parameter_noinfo_noreturn 34918->34979 34980 41e222 58 API calls __getptd_noexit 34920->34980 34921->34917 34921->34920 34937 4192b2 _rand_s 34922->34937 34984 41e222 58 API calls __getptd_noexit 34922->34984 34982 41e222 58 API calls __getptd_noexit 34923->34982 34924->34922 34925 41935c FreeLibrary 34924->34925 34925->34922 34928 419300 34981 41fe1f 9 API calls __invalid_parameter_noinfo_noreturn 34928->34981 34930 419325 GetLastError 34933 41932f _rand_s 34930->34933 34932 419376 34985 41e222 58 API calls __getptd_noexit 34932->34985 34983 41fe1f 9 API calls __invalid_parameter_noinfo_noreturn 34933->34983 34936 419337 GetLastError 34936->34937 34937->34793 34938->34803 34941->34817 34942->34818 34943->34821 34944->34825 34945->34829 34946->34831 34948 419258 __time64 34947->34948 34948->34906 34952 4232c0 34949->34952 34957 4232d8 GetLastError 34952->34957 34954 4232c6 34955 419222 34954->34955 34971 41ea1c 58 API calls 3 library calls 34954->34971 34955->34908 34972 41f5b9 34957->34972 34959 4232ed 34960 42333b SetLastError 34959->34960 34961 422304 __calloc_crt 55 API calls 34959->34961 34960->34954 34962 423300 34961->34962 34962->34960 34975 41f5d8 TlsSetValue 34962->34975 34964 423314 34965 423332 34964->34965 34966 42331a 34964->34966 34977 418e0e 58 API calls 2 library calls 34965->34977 34976 423347 58 API calls 4 library calls 34966->34976 34969 423322 GetCurrentThreadId 34969->34960 34970 423338 34970->34960 34973 41f5d0 TlsGetValue 34972->34973 34974 41f5cc 34972->34974 34973->34959 34974->34959 34975->34964 34976->34969 34977->34970 34978->34918 34979->34937 34980->34928 34981->34937 34982->34930 34983->34936 34984->34932 34985->34937 34987 4075ad __EH_prolog3_GS 34986->34987 35027 408239 34987->35027 34991 4075ea 34992 41efc1 6 API calls 34991->34992 34993 40760a 34992->34993 34993->34840 34994 408635 34993->34994 34995 408641 __EH_prolog3_GS 34994->34995 34996 40301c 59 API calls 34995->34996 34997 40871e 34996->34997 34998 40301c 59 API calls 34997->34998 34999 40872f 34998->34999 35043 4087f8 RegOpenKeyExA 34999->35043 35001 408738 35002 40301c 59 API calls 35001->35002 35003 408752 35002->35003 35004 40301c 59 API calls 35003->35004 35005 408767 35004->35005 35047 40887a 35005->35047 35007 408773 35008 41efc1 6 API calls 35007->35008 35009 407a59 35008->35009 35009->34843 35009->34844 35010->34848 35012 407525 InternetOpenA InternetConnectA 35011->35012 35014 40755e 35012->35014 35014->34852 35016 4079a3 35015->35016 35017 40301c 59 API calls 35016->35017 35018 4079ba HttpOpenRequestA 35017->35018 35018->34858 35019->34870 35020->34840 35021->34877 35022->34883 35023->34897 35024->34897 35025->34901 35026->34903 35028 408245 __EH_prolog3_GS 35027->35028 35029 40301c 59 API calls 35028->35029 35030 40825d 35029->35030 35031 4082d0 35030->35031 35040 405e93 59 API calls 35030->35040 35033 41efc1 6 API calls 35031->35033 35035 4075d6 35033->35035 35034 4082ae 35041 4082ff 60 API calls __EH_prolog3 35034->35041 35035->34991 35039 40839d 62 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 35035->35039 35037 4082b6 35037->35031 35042 405e93 59 API calls 35037->35042 35039->34991 35040->35034 35041->35037 35042->35031 35044 408850 RegCloseKey 35043->35044 35045 40882a RegQueryValueExA 35043->35045 35046 408867 35044->35046 35045->35044 35046->35001 35061 41f012 35047->35061 35049 408886 RegOpenKeyExA 35050 4088d3 RegQueryValueExA 35049->35050 35051 408966 RegCloseKey 35049->35051 35052 408903 35050->35052 35060 40894b 35050->35060 35055 40897a 35051->35055 35062 4089cb 59 API calls _memset 35052->35062 35054 40890e RegQueryValueExA 35057 408930 35054->35057 35054->35060 35056 41efc1 6 API calls 35055->35056 35058 40898c 35056->35058 35057->35060 35063 408b47 59 API calls 35057->35063 35058->35007 35060->35051 35061->35049 35062->35054 35063->35060 35065 41ec08 __commit 35064->35065 35066 4284ab __lock 51 API calls 35065->35066 35067 41ec0f 35066->35067 35068 41ecc8 _doexit 35067->35068 35070 41ec3d DecodePointer 35067->35070 35084 41ed16 35068->35084 35070->35068 35072 41ec54 DecodePointer 35070->35072 35077 41ec64 35072->35077 35073 41ed25 __commit 35073->34221 35075 41ec71 EncodePointer 35075->35077 35076 41ed0d 35078 41e8f9 _doexit 3 API calls 35076->35078 35077->35068 35077->35075 35079 41ec81 DecodePointer EncodePointer 35077->35079 35081 41ed16 35078->35081 35082 41ec93 DecodePointer DecodePointer 35079->35082 35080 41ed23 35080->34221 35081->35080 35089 428635 LeaveCriticalSection 35081->35089 35082->35077 35085 41ed1c 35084->35085 35087 41ecf6 35084->35087 35090 428635 LeaveCriticalSection 35085->35090 35087->35073 35088 428635 LeaveCriticalSection 35087->35088 35088->35076 35089->35080 35090->35087

                Executed Functions

                Function 004079C1 Relevance: 72.1, APIs: 18, Strings: 23, Instructions: 385networkfilestringCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 0 4079c1-407a45 call 41f012 call 4075a1 5 407a4b-407a5b call 408635 0->5 6 407cff-407d28 call 4031a7 * 2 call 41efc1 0->6 12 407a6b-407a8e call 402bd3 call 407515 5->12 13 407a5d-407a68 call 408547 5->13 23 407a94-407ace call 407993 12->23 24 407cf8-407cfa call 407578 12->24 13->12 28 407ad0 23->28 29 407ad2-407afb HttpOpenRequestA call 4031a7 23->29 24->6 28->29 32 407cf1-407cf2 InternetCloseHandle 29->32 33 407b01-407b08 29->33 32->24 34 407b47-407b50 33->34 35 407b0a-407b41 InternetQueryOptionA InternetSetOptionA 33->35 36 407c21-407c23 34->36 37 407b56-407be6 call 40301c 34->37 35->34 36->32 38 407c29-407c34 HttpSendRequestA 36->38 43 407be8 37->43 44 407bea-407c1f HttpSendRequestA call 4031a7 37->44 40 407c36-407c38 38->40 40->32 42 407c3e-407c6d 40->42 46 407cac-407cc4 InternetReadFile 42->46 43->44 44->40 48 407cc6-407cd4 46->48 49 407c6f-407c77 46->49 51 407ce2-407cec call 4031a7 48->51 52 407cd6-407cdd call 402d1d 48->52 49->48 50 407c79-407c7e 49->50 54 407c84-407ca7 call 402fe0 call 408d86 50->54 55 407d2b-407d9c call 417be0 call 41f012 call 4075a1 50->55 51->32 52->51 54->46 66 407f40-407f7b call 4031a7 * 4 call 41efc1 55->66 67 407da2-407db2 call 408635 55->67 73 407dc2-407dc6 67->73 74 407db4-407dbf call 408547 67->74 77 407dc8-407dca 73->77 78 407dcc 73->78 74->73 81 407dce-407de3 InternetOpenA 77->81 78->81 81->66 83 407de9-407e4b lstrlenA InternetOpenUrlA 81->83 85 407e51-407e58 83->85 86 407f37-407f3a InternetCloseHandle 83->86 88 407e97-407ec5 call 4186f1 85->88 89 407e5a-407e91 InternetQueryOptionA InternetSetOptionA 85->89 86->66 94 407f30-407f31 InternetCloseHandle 88->94 95 407ec7-407ed4 88->95 89->88 94->86 96 407efc-407f14 InternetReadFile 95->96 97 407ed6-407edd 96->97 98 407f16-407f2e call 41a4e0 call 418a2e 96->98 97->98 99 407edf-407ef9 call 41a3ab 97->99 98->94 99->96
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 004079CB
                  • Part of subcall function 004075A1: __EH_prolog3_GS.LIBCMT ref: 004075A8
                  • Part of subcall function 00408635: __EH_prolog3_GS.LIBCMT ref: 0040863C
                • HttpOpenRequestA.WININET(?,00000000,?,HTTP/1.0,00000000,00000000,00000000,00000000), ref: 00407AE2
                • InternetQueryOptionA.WININET(00000000,0000001F,00000001,?), ref: 00407B25
                • InternetSetOptionA.WININET(00000000,0000001F,00000100,00000004), ref: 00407B41
                • InternetReadFile.WININET(00000000,00B64FC8,00000400,00000001), ref: 00407CC0
                • InternetCloseHandle.WININET(00000000), ref: 00407CF2
                • __EH_prolog3_GS.LIBCMT ref: 00407D3B
                • HttpSendRequestA.WININET(00000000,?,?,000000FF,?), ref: 00407C08
                  • Part of subcall function 00408547: HttpOpenRequestA.WININET(?,00000000,00451054,HTTP/1.0,00000000,00000000,00000000,00000000), ref: 004085BD
                  • Part of subcall function 00408547: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004085DB
                  • Part of subcall function 00408547: HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 004085FE
                  • Part of subcall function 00408547: InternetCloseHandle.WININET(00000000), ref: 00408615
                  • Part of subcall function 004031A7: _memmove.LIBCMT ref: 004031C7
                • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00407DD5
                • lstrlenA.KERNEL32(Acce,00000000,00000000,?,00000001,00000000,00000000,00000000,?,?,?), ref: 00407E2F
                • InternetOpenUrlA.WININET(00000001,00000010,65636341,00000000,?,00000001), ref: 00407E41
                • InternetQueryOptionA.WININET(00000000,0000001F,00000001,?), ref: 00407E75
                • InternetSetOptionA.WININET(00000000,0000001F,00000100,00000004), ref: 00407E91
                • __wfopen_s.LIBCMT ref: 00407EB6
                • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00407F10
                • InternetCloseHandle.WININET(00000000), ref: 00407F31
                • InternetCloseHandle.WININET(00407790), ref: 00407F3A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Internet$Http$CloseH_prolog3_HandleOpenOptionRequest$Query$FileReadSend$Info__wfopen_s_memmovelstrlen
                • String ID: */*\$-$/$Acce$C$HTTP/1.0$Ty$at$c$e: a$i$li$nt$on$onte$p$pp$pt: $r\n$r\n\$w$ww-f$x-
                • API String ID: 2483338137-357540842
                • Opcode ID: cb7ebe12e8ac282ba6d2bfc100aa0e417eff956dfbd5682659f27c93961e6101
                • Instruction ID: 738e5883e636cb4c30233806ed2bff3de68d102a2a8a722039e38cf8151097c6
                • Opcode Fuzzy Hash: cb7ebe12e8ac282ba6d2bfc100aa0e417eff956dfbd5682659f27c93961e6101
                • Instruction Fuzzy Hash: CBF151B1905259AFEB24DF54CC85BEE77B8AF05304F0040EAE609B7182DB756A84CF5E
                Function 00405485 Relevance: 46.1, APIs: 20, Strings: 6, Instructions: 585libraryloaderwindowCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 146 405485-4054be call 41f07e call 418424 151 4054c0-4054c4 GetTickCount 146->151 152 4054c6-4054c8 146->152 153 4054ca-4054cc 151->153 152->153 154 4054e0-40550e call 4179d9 call 4111e0 call 412610 call 412ab0 153->154 155 4054ce-4054d3 GetTickCount 153->155 166 405510-405526 call 40d9c0 154->166 167 40554d-405567 call 4123f0 call 412ab0 154->167 155->154 157 4054d5-4054db call 403421 155->157 157->154 173 40552b-405548 call 40de90 MessageBoxA call 40db80 166->173 176 405586-4055a0 call 411340 call 412ab0 167->176 177 405569-405584 call 40d9c0 167->177 185 405e46-405e5c call 411330 call 41efd0 173->185 189 4055c2-4055d6 call 418424 176->189 190 4055a2-4055bd call 40d9c0 176->190 177->173 198 4055e1 189->198 199 4055d8-4055df call 4073be 189->199 190->173 201 4055e3-405613 call 4135d0 call 413c60 198->201 199->201 207 405df5-405e33 call 4077bf call 40d9c0 call 40de90 MessageBoxA call 40db80 201->207 208 405619-405638 call 413bf0 call 41938e 201->208 224 405e38 207->224 208->207 217 40563e-405650 call 413c60 208->217 217->207 223 405656-405676 call 413bf0 call 4196f2 217->223 223->207 231 40567c-4056a7 call 4077bf call 40663b call 4068a9 call 406a95 223->231 226 405e3b-405e41 call 413710 224->226 226->185 240 4056a9-4056ae call 4077bf 231->240 241 4056ce-405710 call 405034 call 4077bf call 40781d call 402fe0 call 405fec 231->241 244 4056b3-4056c9 call 4069e9 call 406c14 240->244 258 405712-405750 call 4077bf call 40d9c0 call 40de90 MessageBoxA call 40db80 241->258 259 405765-405773 call 40442c call 40924f 241->259 244->224 279 405755-405760 call 4031a7 258->279 268 405775-405786 GetTickCount call 4077bf call 4051b2 259->268 269 405788-4057af call 403363 call 404114 call 40607d call 406aca 259->269 268->279 288 4057f1-40582b call 4077bf call 4050c6 call 4060a6 call 40409d 269->288 289 4057b1-4057ef call 4077bf call 4050c6 call 4060a6 call 40409d 269->289 279->244 306 405830-405868 call 4077bf call 406260 call 404ef7 288->306 289->306 313 4058a2 306->313 314 40586a-405876 call 4077bf 306->314 315 4058a7-405902 call 4077bf * 2 call 408fac call 4077bf call 40d9c0 call 40de90 LoadLibraryA call 40db80 313->315 320 405878-40587f call 403bf7 314->320 321 40589b-4058a0 314->321 340 405904-405970 call 40d9c0 call 40de90 GetProcAddress call 40db80 call 40d9c0 call 40de90 GetProcAddress call 40db80 315->340 341 405975-405994 CreateDialogParamA 315->341 326 405881-405886 320->326 327 405888-40588b 320->327 321->315 326->315 329 405894-405899 327->329 330 40588d-405892 327->330 329->315 330->315 340->341 342 4059c5-4059da call 4077bf 341->342 343 405996-4059b5 GetTickCount call 4077bf call 404fa3 call 4051b2 call 4033eb 341->343 351 4059dc-405a2c call 403b63 342->351 352 405a2f-405a4e call 4077bf call 408ed1 342->352 375 4059bb-4059c0 call 40409d 343->375 351->352 373 405a50-405a5b GetTickCount 352->373 374 405aa4-405ab3 call 403bf7 352->374 378 405a62-405a7e call 4077bf call 404fa3 call 4051b2 call 4033eb 373->378 379 405a5d call 4036c1 373->379 386 405ab5 374->386 387 405abb-405b01 call 404114 call 40607d call 406455 call 40301c call 407741 374->387 378->375 379->378 386->387 404 405b03-405b1d GetTickCount call 4077bf call 404fa3 call 4051b2 call 4033eb 387->404 405 405b5d-405b8f call 4077bf * 2 call 4033eb 387->405 423 405b22-405b58 call 40409d * 2 call 4031a7 call 4069e9 call 406c14 404->423 418 405b91-405b96 call 403b85 405->418 419 405b98-405bab call 4077bf 405->419 418->419 430 405bb1-405c07 call 4077bf call 408fac call 4077bf * 3 call 408ed1 call 4077bf call 404fa3 call 4051b2 419->430 431 405c3a-405cae call 4077bf call 404484 ShowWindow UpdateWindow SetTimer call 4077bf 419->431 423->226 430->423 450 405cca-405cda GetMessageA 431->450 454 405cb0-405cc4 DispatchMessageA 450->454 455 405cdc-405d11 call 4077bf call 408fac call 4077bf * 2 450->455 454->450 474 405d13-405d23 call 4053d7 call 407741 455->474 475 405d28-405d31 455->475 474->475 477 405d33-405d43 call 40542e call 407741 475->477 478 405d48-405d4f 475->478 477->478 482 405d51-405d60 call 4077bf * 2 478->482 483 405d65-405d9a call 4077bf call 408ed1 call 4077bf * 2 478->483 482->483 498 405da1-405dcb call 4077bf * 2 call 404fa3 call 4077bf 483->498 499 405d9c call 403ba8 483->499 499->498
                APIs
                • __EH_prolog3_catch_GS.LIBCMT ref: 0040548F
                  • Part of subcall function 00418424: _malloc.LIBCMT ref: 0041843C
                • GetTickCount.KERNEL32 ref: 004054C0
                  • Part of subcall function 004123F0: LoadLibraryA.KERNEL32(00000000,004467F0,004467D8,83575E26,00000000,75E5DC60,00000000), ref: 00412455
                  • Part of subcall function 004123F0: GetProcAddress.KERNEL32(00000000,00000000), ref: 0041246E
                  • Part of subcall function 004123F0: GetTickCount.KERNEL32 ref: 004124AF
                • GetTickCount.KERNEL32 ref: 004054CE
                • MessageBoxA.USER32(00000000,00000000,CheerSkullness,00000010), ref: 00405534
                • _strtoul.LIBCMT ref: 00405669
                  • Part of subcall function 00405034: GetTickCount.KERNEL32 ref: 00405042
                  • Part of subcall function 00405034: GetTickCount.KERNEL32 ref: 00405044
                  • Part of subcall function 00405034: _rand.LIBCMT ref: 00405057
                  • Part of subcall function 00405034: _rand.LIBCMT ref: 0040505C
                  • Part of subcall function 00405034: _rand.LIBCMT ref: 00405061
                  • Part of subcall function 00405034: _rand.LIBCMT ref: 00405069
                  • Part of subcall function 00405034: _rand.LIBCMT ref: 00405087
                  • Part of subcall function 00405034: _rand.LIBCMT ref: 004050AE
                  • Part of subcall function 00405034: GetTickCount.KERNEL32 ref: 004050B9
                  • Part of subcall function 004077BF: __EH_prolog3.LIBCMT ref: 004077C6
                  • Part of subcall function 0040781D: swprintf.LIBCMT ref: 004078B6
                  • Part of subcall function 0040781D: Sleep.KERNEL32(00000064,?,000008CC,?,?), ref: 0040793D
                • MessageBoxA.USER32(00000000,00000000,CheerSkullness,00000010), ref: 00405740
                • GetTickCount.KERNEL32 ref: 00405775
                • LoadLibraryA.KERNEL32(00000000,00450C30,00000A73,00000003,000006E3,0000070D,0000072D,00000000,000007FA,00000000,0000004B,00450AEC,00000000,00000000,?), ref: 004058E3
                  • Part of subcall function 004050C6: __EH_prolog3_GS.LIBCMT ref: 004050CD
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00405927
                • GetProcAddress.KERNEL32(?,00000000), ref: 0040595F
                • CreateDialogParamA.USER32(?,00000082,00000000,004047AD,00000000), ref: 00405987
                • GetTickCount.KERNEL32 ref: 00405996
                • GetTickCount.KERNEL32 ref: 00405A50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: CountTick$_rand$AddressProc$LibraryLoadMessage$CreateDialogH_prolog3H_prolog3_H_prolog3_catch_ParamSleep_malloc_strtoulswprintf
                • String ID: CheerSkullness$CheerSkullness$CheerSkullness$CheerSkullness$CheerSkullness$E
                • API String ID: 3098268959-2359045515
                • Opcode ID: 149936d478775d9022f46c1d1d39e06a61ebc9331344640ad05e07a9af2b240c
                • Instruction ID: 1b8922e57ce4b67a01081314b6715f66818a11ad56d7fce12ac0bd505b75f5d3
                • Opcode Fuzzy Hash: 149936d478775d9022f46c1d1d39e06a61ebc9331344640ad05e07a9af2b240c
                • Instruction Fuzzy Hash: 8622AB70948604AAEB10FBB5CC46B9E7664AF11748F1041BFF509771D2DEBC6A488F2E
                Function 00417430 Relevance: 9.1, APIs: 6, Instructions: 67commemoryCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 690 417430-417447 CoInitializeEx 691 417449-417463 CoInitializeSecurity 690->691 692 41746b-417470 690->692 693 417471-41748b CoCreateInstance 691->693 694 417465 CoUninitialize 691->694 693->694 695 41748d-4174af SysAllocString 693->695 694->692 696 4174b3-4174d1 SysFreeString 695->696
                APIs
                • CoInitializeEx.COMBASE(00000000,00000002,?,?,004170D2,00000000,00000000,00446D5C,83575E26), ref: 0041743F
                • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,004170D2,00000000,00000000,00446D5C,83575E26), ref: 0041745B
                • CoUninitialize.OLE32(?,?,004170D2,00000000,00000000,00446D5C,83575E26), ref: 00417465
                • CoCreateInstance.COMBASE(0044F9F8,00000000,00000001,0044FA58,00000000,?,?,004170D2,00000000,00000000,00446D5C,83575E26), ref: 00417483
                • SysAllocString.OLEAUT32(75E5DC60), ref: 00417492
                • SysFreeString.OLEAUT32(00000000), ref: 004174BB
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: InitializeString$AllocCreateFreeInstanceSecurityUninitialize
                • String ID:
                • API String ID: 703461086-0
                • Opcode ID: 3b984e902b8bcf3ad2385c7dd832c5ea183f4ef1cc346ee8fafe8c0cd53f62cb
                • Instruction ID: 2cfbc5aeac33ae23d8d21c49a5a1dd82779cac0ec7f57e92d42ed2a0305424fe
                • Opcode Fuzzy Hash: 3b984e902b8bcf3ad2385c7dd832c5ea183f4ef1cc346ee8fafe8c0cd53f62cb
                • Instruction Fuzzy Hash: E9113034384304BBF7209FA4DC4AF96BBA8EB06B15F204265FA18ED1D0D6B1AD408699
                Function 00408635 Relevance: 56.1, APIs: 1, Strings: 31, Instructions: 123COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 106 408635-4087b3 call 41f012 call 40301c * 2 call 4087f8 call 40301c * 2 call 40887a call 402fe0 call 405fec call 402fe0 call 405fec 129 4087d5 106->129 130 4087b5-4087b7 106->130 133 4087d7-4087e3 call 4031a7 129->133 131 4087b9-4087bb 130->131 132 4087cd-4087cf 130->132 131->132 135 4087bd-4087cb call 4031a7 131->135 136 4087d1-4087d3 132->136 137 4087eb-4087ee 132->137 141 4087e5-4087ea call 41efc1 133->141 135->141 136->129 136->135 137->129 139 4087f0-4087f2 137->139 139->129 142 4087f4-4087f6 139->142 142->133
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 0040863C
                  • Part of subcall function 004087F8: RegOpenKeyExA.KERNEL32(80000001,00408738,00000000,00020019,00408738), ref: 00408820
                  • Part of subcall function 004087F8: RegQueryValueExA.KERNEL32(00408738,?,00000000,00000000,?,?), ref: 0040884A
                  • Part of subcall function 004087F8: RegCloseKey.ADVAPI32(00408738), ref: 00408853
                  • Part of subcall function 0040887A: __EH_prolog3_GS.LIBCMT ref: 00408881
                  • Part of subcall function 0040887A: RegOpenKeyExA.KERNEL32(80000001,0000000F,00000000,00020019,000000FF,0000003C,00408773,Softw\Micr), ref: 004088C5
                  • Part of subcall function 0040887A: RegQueryValueExA.KERNEL32(000000FF,786F7250,00000000,00000000,00000000,00444B53), ref: 004088F9
                  • Part of subcall function 0040887A: RegQueryValueExA.ADVAPI32(00000000,000000FF,00000000,00000000,n\Int,00000010,00000010), ref: 00408926
                  • Part of subcall function 0040887A: RegCloseKey.ADVAPI32(000000FF), ref: 00408969
                  • Part of subcall function 004031A7: _memmove.LIBCMT ref: 004031C7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: QueryValue$CloseH_prolog3_Open$_memmove
                • String ID: Curr$Prox$Proxy$S$Sett$Softw\Micr$Vers$\$\Int$\Mic$b$en$erne$erve$http=$https=$ings$io$le$n$na$nd$o$osof$r$r$t$t $t\Wi$ws$yE
                • API String ID: 2963481350-3862053628
                • Opcode ID: 48169d99760be1ed4a08f259de10a31865d97d2fae8704e80ab98c20ec823fa1
                • Instruction ID: 530c7558611755d4737cbb8fbca583961e796c3c2aba50d7c966a9b392d8df9c
                • Opcode Fuzzy Hash: 48169d99760be1ed4a08f259de10a31865d97d2fae8704e80ab98c20ec823fa1
                • Instruction Fuzzy Hash: DC519C30D04388DADF10EFE98942BDDBB71AF12354F20412EE4543B2D9DB794A08C75A
                Function 00406FD0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 261memorynetworkCOMMON
                Download Yara Rule

                Control-flow Graph

                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00406FDA
                • _memset.LIBCMT ref: 00406FFB
                  • Part of subcall function 00406F83: __time64.LIBCMT ref: 00406F90
                  • Part of subcall function 00406F83: _rand_s.LIBCMT ref: 00406FA7
                • _memset.LIBCMT ref: 00407020
                • _rand_s.LIBCMT ref: 0040702F
                  • Part of subcall function 00419288: DecodePointer.KERNEL32(00000010,?,00000000,?,00406FAC,00407011,?,000000FF,00000000,?,?,00407011,?,000002DC,0040767B,00B64FC8), ref: 00419294
                • LocalAlloc.KERNEL32(00000040,00000400,?,?,?,?,000002DC,0040767B,00B64FC8,?,00000000), ref: 0040705D
                • LocalAlloc.KERNEL32(00000040,00000400,?,?,?,?,000002DC,0040767B,00B64FC8,?,00000000), ref: 00407064
                • LocalAlloc.KERNEL32(00000040,00000400,?,?,?,?,000002DC,0040767B,00B64FC8,?,00000000), ref: 0040706F
                • LocalAlloc.KERNEL32(00000040,00000400,?,?,?,?,000002DC,0040767B,00B64FC8,?,00000000), ref: 0040707E
                • LocalAlloc.KERNEL32(00000040,00000400,?,?,?,?,000002DC,0040767B,00B64FC8,?,00000000), ref: 0040708D
                • InternetCrackUrlA.WININET(?,00000000,00000000,0000003C), ref: 0040711B
                • _memset.LIBCMT ref: 00407321
                  • Part of subcall function 004031A7: _memmove.LIBCMT ref: 004031C7
                • LocalFree.KERNEL32(00000000,?,?,?,?,000002DC,0040767B,00B64FC8,?,00000000), ref: 0040739B
                • LocalFree.KERNEL32(00000000,?,?,?,?,000002DC,0040767B,00B64FC8,?,00000000), ref: 0040739E
                • LocalFree.KERNEL32(?,?,?,?,?,000002DC,0040767B,00B64FC8,?,00000000), ref: 004073A6
                • LocalFree.KERNEL32(?,?,?,?,?,000002DC,0040767B,00B64FC8,?,00000000), ref: 004073AE
                • LocalFree.KERNEL32(?,?,?,?,?,000002DC,0040767B,00B64FC8,?,00000000), ref: 004073B6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Local$AllocFree$_memset$_rand_s$CrackDecodeH_prolog3_InternetPointer__time64_memmove
                • String ID: &rnd=$<$http://$https://$script=
                • API String ID: 315664385-828825030
                • Opcode ID: 4df3a1992546a4e26ebda798777528f938187a57593a7c506b37304d7ce63802
                • Instruction ID: 1ca4d1279ebe2d2dd63147dd241f4062ceec82fe7de13add9f068d377de9d2bc
                • Opcode Fuzzy Hash: 4df3a1992546a4e26ebda798777528f938187a57593a7c506b37304d7ce63802
                • Instruction Fuzzy Hash: 75A15C71D41228AAEB20EB61DC4AFDEB778AF14354F1001EAF508B61D1DEB85FC48E58
                Function 0041A747 Relevance: 24.1, APIs: 16, Instructions: 89COMMON
                Download Yara Rule

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: __amsg_exit_fast_error_exit$___crt$CommandEnvironmentInfoInitializeLineModeShowStartupStringsWindow___security_init_cookie__cinit__ioinit__setargv__setenvp__wincmdln
                • String ID:
                • API String ID: 722230336-0
                • Opcode ID: 19fe3fa9b8ab9d739a917460744ad0f521a6238f1b11fee5333a7ffb49be9bd7
                • Instruction ID: 55e627b8aac6530a96b250cad0afb0e766cfd09b9e61803ef51ca237afccca7e
                • Opcode Fuzzy Hash: 19fe3fa9b8ab9d739a917460744ad0f521a6238f1b11fee5333a7ffb49be9bd7
                • Instruction Fuzzy Hash: 3121B43074232199EA20BBB27946BEE22A05F00749F50407FF915A61D3EFBCC9D1865F
                Function 0040887A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90registryCOMMON
                Download Yara Rule

                Control-flow Graph

                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00408881
                • RegOpenKeyExA.KERNEL32(80000001,0000000F,00000000,00020019,000000FF,0000003C,00408773,Softw\Micr), ref: 004088C5
                • RegQueryValueExA.KERNEL32(000000FF,786F7250,00000000,00000000,00000000,00444B53), ref: 004088F9
                  • Part of subcall function 004089CB: _memset.LIBCMT ref: 004089FC
                • RegQueryValueExA.ADVAPI32(00000000,000000FF,00000000,00000000,n\Int,00000010,00000010), ref: 00408926
                  • Part of subcall function 004031A7: _memmove.LIBCMT ref: 004031C7
                • RegCloseKey.ADVAPI32(000000FF), ref: 00408969
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: QueryValue$CloseH_prolog3_Open_memmove_memset
                • String ID: n\Int
                • API String ID: 2054543651-2997275496
                • Opcode ID: cd885fefae569d75d479c3a13631ac0c0a59947ab1c9644cb24dd6fd89d55ba5
                • Instruction ID: a02c65bdbae4447418acc61cf14db8f5ea3d2456a61ec8201d8d555431e48be8
                • Opcode Fuzzy Hash: cd885fefae569d75d479c3a13631ac0c0a59947ab1c9644cb24dd6fd89d55ba5
                • Instruction Fuzzy Hash: AC3125B0910209EFEB14EF95DD91AEDBBB8FF08308F40002EF945A2191DB799E05CB15
                Function 00412610 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 270libraryloaderCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 698 412610-41267f call 40d9c0 * 2 call 40de90 LoadLibraryA 705 412681-412694 call 40de90 GetProcAddress 698->705 706 412696-4126ae call 40dc90 * 2 698->706 705->706 713 4126b4-41270e call 41b3d0 PathFindFileNameA 706->713 714 412a07-412a43 call 40db80 * 2 call 4179ca 706->714 723 412710-412712 713->723 724 412714-412719 713->724 725 412729-412743 call 402f67 723->725 726 412720-412725 724->726 731 412790-412795 725->731 732 412745-412774 call 40d9c0 call 40de90 call 40301c 725->732 726->726 728 412727 726->728 728->725 733 412914-412953 call 40d9c0 call 40de90 731->733 734 41279b-4127d3 731->734 758 41277a-41277e 732->758 759 4129af-4129b6 732->759 751 412955-412957 733->751 752 412959-41295e 733->752 736 4127f1-412820 call 40d9c0 call 40de90 call 40301c 734->736 737 4127d5-4127ee call 411120 734->737 770 412822-412828 736->770 737->736 755 412969-41297e call 402f67 751->755 756 412960-412965 752->756 755->759 773 412980-412984 755->773 756->756 762 412967 756->762 765 412780-412787 call 4179d9 758->765 766 41278a-41278b 758->766 760 4129c6-4129dc call 40db80 759->760 761 4129b8-4129c3 call 4179d9 759->761 784 4129ec-412a00 760->784 785 4129de-4129e9 call 4179d9 760->785 761->760 762->755 765->766 767 412997-4129aa call 4030c8 766->767 767->759 778 41290a-41290f call 4178c6 770->778 779 41282e-412870 call 405fec 770->779 781 412990-412996 773->781 782 412986-41298d call 4179d9 773->782 778->733 779->770 790 412872-412879 779->790 781->767 782->781 784->714 785->784 792 412889-4128b5 call 40db80 790->792 793 41287b-412886 call 4179d9 790->793 792->733 798 4128b7-4128f6 call 40d9c0 call 40de90 792->798 793->792 803 4128f8-4128fa 798->803 804 4128fc-4128fe 798->804 803->755 805 412901-412906 804->805 805->805 806 412908 805->806 806->762
                APIs
                • LoadLibraryA.KERNEL32(00000000,00446774,00446758,83575E26,00000000,75E5DC60,00000000), ref: 00412675
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 0041268E
                  • Part of subcall function 004178C6: std::exception::exception.LIBCMT ref: 004178D9
                  • Part of subcall function 004178C6: __CxxThrowException@8.LIBCMT ref: 004178EE
                  • Part of subcall function 004178C6: std::exception::exception.LIBCMT ref: 00417907
                  • Part of subcall function 004178C6: __CxxThrowException@8.LIBCMT ref: 0041791C
                  • Part of subcall function 004178C6: std::regex_error::regex_error.LIBCPMT ref: 0041792E
                  • Part of subcall function 004178C6: __CxxThrowException@8.LIBCMT ref: 0041793C
                  • Part of subcall function 004178C6: std::exception::exception.LIBCMT ref: 00417955
                  • Part of subcall function 004178C6: __CxxThrowException@8.LIBCMT ref: 0041796A
                • _memset.LIBCMT ref: 004126C9
                • PathFindFileNameA.SHLWAPI(00000000), ref: 004126E8
                Strings
                • invalid string position, xrefs: 0041290A
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Exception@8Throw$std::exception::exception$AddressFileFindLibraryLoadNamePathProc_memsetstd::regex_error::regex_error
                • String ID: invalid string position
                • API String ID: 2868261553-1799206989
                • Opcode ID: 5047bc0f698edb01fe34e278417f79409cb4762aee5642331f234474ad6aec08
                • Instruction ID: 147145d9b5a800cd05a187029d6a5f5dcf65f5f3879ac8526a4ef7d107f7d9a3
                • Opcode Fuzzy Hash: 5047bc0f698edb01fe34e278417f79409cb4762aee5642331f234474ad6aec08
                • Instruction Fuzzy Hash: 56B1D2B09002589BEF25EB64CD55BEEB7B5AB15308F1000EED54DA32C1DBB91B88CF55
                Function 00417210 Relevance: 6.1, APIs: 4, Instructions: 96memoryCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 807 417210-417268 SysAllocString * 2 809 4172d9-4172fa SysFreeString * 2 call 4179ca 807->809 810 41726a-41726f 807->810 810->809 811 417271-41727d 810->811 813 417280-417282 811->813 815 4172d0-4172d6 813->815 816 417284-41729b 813->816 815->809 819 4172cb-4172ce 816->819 820 41729d-4172a2 816->820 819->813 819->815 821 4172a4-4172a6 820->821 822 4172c9 820->822 823 4172c3-4172c6 821->823 824 4172a8-4172ac call 417300 821->824 822->819 823->822 825 4172ae-4172c1 824->825 825->821 825->823
                APIs
                • SysAllocString.OLEAUT32(00417300), ref: 00417247
                • SysAllocString.OLEAUT32(00000000), ref: 0041724D
                • SysFreeString.OLEAUT32(00000000), ref: 004172E0
                • SysFreeString.OLEAUT32(?), ref: 004172E5
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: String$AllocFree
                • String ID:
                • API String ID: 344208780-0
                • Opcode ID: 5a1523add524e8167a399101306d7ca3a11e81f46786bfe4b9e1f20dfc9ab2fe
                • Instruction ID: 7ed6470b83e7cce21e0ed741785e38215d74326828aa8bbfe12499c846212fd4
                • Opcode Fuzzy Hash: 5a1523add524e8167a399101306d7ca3a11e81f46786bfe4b9e1f20dfc9ab2fe
                • Instruction Fuzzy Hash: E3313CB1A00219ABCB14DFE9EC84ADEBBB9FF48310F11416AF905A7250D774AD41CB94
                Function 004087F8 Relevance: 4.5, APIs: 3, Instructions: 49registryCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 828 4087f8-408828 RegOpenKeyExA 829 408850-408879 RegCloseKey call 4031a7 * 2 828->829 830 40882a-40884a RegQueryValueExA 828->830 830->829
                APIs
                • RegOpenKeyExA.KERNEL32(80000001,00408738,00000000,00020019,00408738), ref: 00408820
                • RegQueryValueExA.KERNEL32(00408738,?,00000000,00000000,?,?), ref: 0040884A
                • RegCloseKey.ADVAPI32(00408738), ref: 00408853
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID:
                • API String ID: 3677997916-0
                • Opcode ID: 35108c49fa40cb9071f0a128c61ca47fefa9cc078a3db3568927ad5effc5eadb
                • Instruction ID: 7062ec8fa22300630cb5887099f0200ba131d35b11b96a60a01da4b8a5f700b8
                • Opcode Fuzzy Hash: 35108c49fa40cb9071f0a128c61ca47fefa9cc078a3db3568927ad5effc5eadb
                • Instruction Fuzzy Hash: 4B016976600108FFDB10DF95DC44EEE7BBCEB89709F00016DF906A6091D7759A44CBA0
                Function 00407515 Relevance: 3.0, APIs: 2, Instructions: 45networkCOMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 835 407515-407523 836 407525-407527 835->836 837 407529 835->837 838 40752b-40755c InternetOpenA InternetConnectA 836->838 837->838 839 407564-407575 call 4031a7 838->839 840 40755e-407562 838->840 840->839
                APIs
                • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00407532
                • InternetConnectA.WININET(00000000,00407A8A,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00407551
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Internet$ConnectOpen
                • String ID:
                • API String ID: 2790792615-0
                • Opcode ID: 3eae5116ce2656cd52fbe8fd9642897b88a0c97494c3694204c788344cbaca82
                • Instruction ID: f3d0728ec23b9ca03b4b137660592f4ce78b265370b128145b6ee8197fd6860e
                • Opcode Fuzzy Hash: 3eae5116ce2656cd52fbe8fd9642897b88a0c97494c3694204c788344cbaca82
                • Instruction Fuzzy Hash: 93014BB0100348BEE7148F55DCD4EE777ACEB15788F40052AF94296681D7B5ED44CBA5
                Function 00406F83 Relevance: 3.0, APIs: 2, Instructions: 38COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 843 406f83-406fa1 call 41922a call 41921a 848 406fa3-406fa7 call 419288 843->848 849 406fc5-406fcf 843->849 851 406fac-406fc3 848->851 851->848 851->849
                APIs
                • __time64.LIBCMT ref: 00406F90
                  • Part of subcall function 0041922A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00406F95,00000000,?,000000FF,00000000,?,?,00407011,?,000002DC,0040767B,00B64FC8), ref: 00419233
                • _rand_s.LIBCMT ref: 00406FA7
                  • Part of subcall function 00419288: DecodePointer.KERNEL32(00000010,?,00000000,?,00406FAC,00407011,?,000000FF,00000000,?,?,00407011,?,000002DC,0040767B,00B64FC8), ref: 00419294
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Time$DecodeFilePointerSystem__time64_rand_s
                • String ID:
                • API String ID: 3108019664-0
                • Opcode ID: 58f9e1c6cac22e7f2287efd2683b30acb067d541f55193c999a9d664bbef120f
                • Instruction ID: eb26b9ecefd86afc2a43d23cab847b0f5145e3129223b2371c882265354d4c6f
                • Opcode Fuzzy Hash: 58f9e1c6cac22e7f2287efd2683b30acb067d541f55193c999a9d664bbef120f
                • Instruction Fuzzy Hash: 00F02E3360424936D329959BA841B9BF78CDBD6760F1005EFF408DB1C2D9745D9041E8
                Function 0041E8F9 Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 852 41e8f9-41e908 call 41e8c5 ExitProcess
                APIs
                • ___crtCorExitProcess.LIBCMT ref: 0041E8FF
                  • Part of subcall function 0041E8C5: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000001,?,?,0041E904,00000000,?,0041C4C3,000000FF,0000001E,00000000,00000000,00000000,?,00422362), ref: 0041E8D4
                  • Part of subcall function 0041E8C5: GetProcAddress.KERNEL32(00000001,CorExitProcess), ref: 0041E8E6
                • ExitProcess.KERNEL32 ref: 0041E908
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ExitProcess$AddressHandleModuleProc___crt
                • String ID:
                • API String ID: 2427264223-0
                • Opcode ID: cb8c88d19a900d4a7ba7a6bc04a8f0d4ca4bd556571e49540930841b014dc3af
                • Instruction ID: a48ecf3f22984647a9201e180da3e9a26931061793cd5909d78212bbe88309c0
                • Opcode Fuzzy Hash: cb8c88d19a900d4a7ba7a6bc04a8f0d4ca4bd556571e49540930841b014dc3af
                • Instruction Fuzzy Hash: 4FB09234000108BFDF013F13DC0A8883F29EB02295B404035F8040A032DB72A9929A99
                Function 00417020 Relevance: 2.7, APIs: 2, Instructions: 161COMMON
                Download Yara Rule

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 855 417020-41707e call 40d9c0 call 40de90 860 417080-417082 855->860 861 4170c3 855->861 862 417085-41708a 860->862 863 4170c5-4170d8 call 417430 861->863 862->862 864 41708c-417097 862->864 868 4170e1-417112 call 40d9c0 * 2 call 40de90 863->868 869 4170da-4170dc 863->869 864->861 867 417099-4170a5 call 41d1e0 864->867 867->861 876 4170a7-4170c1 MultiByteToWideChar 867->876 884 417114-417119 868->884 885 41714e-41715d call 40de90 868->885 871 4171d8-41720d call 40db80 call 4179ca 869->871 876->863 887 417120-417125 884->887 890 417190-4171af call 417210 885->890 891 41715f-417161 885->891 887->887 889 417127-417132 887->889 892 417134-417136 889->892 893 417138-41714c call 41d1e0 call 416fe0 889->893 900 4171b1-4171b4 CoUninitialize 890->900 901 4171b7 890->901 894 417164-417169 891->894 892->885 893->885 894->894 897 41716b-417176 894->897 903 417178-41717a 897->903 904 41717c-41718b call 41d1e0 call 416fe0 897->904 900->901 907 4171bd-4171d3 call 40db80 * 2 901->907 903->890 904->890 907->871
                APIs
                • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,?,00000002,00446D5C,83575E26), ref: 004170B4
                • CoUninitialize.COMBASE(00446D74,?,?,00446D80,00446D74,75E5DC60,00000000), ref: 004171B4
                  • Part of subcall function 00416FE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000003,000000FF,00446D80,00000002,00000000,?,00417190,?,00000000,00000002,00000003,00446D80,00446D74,75E5DC60), ref: 00417002
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ByteCharMultiWide$Uninitialize
                • String ID:
                • API String ID: 812078898-0
                • Opcode ID: b06d406a44260cdd5bb25e8e751ae8f663b018399927c6cf2707b913c922d68f
                • Instruction ID: 0ac0851805cb256ce43de6b7214e79a134bc36801e31ae3b191013b6bf54d8e0
                • Opcode Fuzzy Hash: b06d406a44260cdd5bb25e8e751ae8f663b018399927c6cf2707b913c922d68f
                • Instruction Fuzzy Hash: EF515871908314ABCB21DB64CC55BEFBB75EF06318F1002AEE81567382DB3A4E49CB95
                Function 00407741 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                Download Yara Rule

                Control-flow Graph

                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00407748
                  • Part of subcall function 0040654F: _memmove.LIBCMT ref: 004065B7
                  • Part of subcall function 004031A7: _memmove.LIBCMT ref: 004031C7
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove$H_prolog3_
                • String ID:
                • API String ID: 4009893447-0
                • Opcode ID: fb79ab3757c289b036e87c5f7191eb5cccd67368e3800e06aa8af2abc8a69a04
                • Instruction ID: d1a18e508c5d6cdb59635f146cb29d8fec253b9beccf60cbed15ce233a298966
                • Opcode Fuzzy Hash: fb79ab3757c289b036e87c5f7191eb5cccd67368e3800e06aa8af2abc8a69a04
                • Instruction Fuzzy Hash: 2C01B171801118AEDB10EF96CC91EDEBF78AF14314F00412EF4017B1C2DAB85B49CBA5
                Function 004077BF Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                Download Yara Rule
                APIs
                • __EH_prolog3.LIBCMT ref: 004077C6
                  • Part of subcall function 00404114: GetProcessHeap.KERNEL32(00413605,83575E26,00000000,75E5DC60,?,00000000,00445346,000000FF,?,004055FD,?,00000000,00000002,00000001,00000000,0000027C), ref: 00404125
                  • Part of subcall function 00407741: __EH_prolog3_GS.LIBCMT ref: 00407748
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: H_prolog3H_prolog3_HeapProcess
                • String ID:
                • API String ID: 2650797985-0
                • Opcode ID: 28ef3013f7a35d5c27fc77b9c68321e4545ee0fbebedb76db67f034d3cfbb8e2
                • Instruction ID: 7070f21a0c3bb30adca50db22ada99f49a1da9309c061c4d7bd4c8d4ecd035a0
                • Opcode Fuzzy Hash: 28ef3013f7a35d5c27fc77b9c68321e4545ee0fbebedb76db67f034d3cfbb8e2
                • Instruction Fuzzy Hash: 29F01C75940108ABCB00FB628816AAD7765AF90308F04042EFA213B1D2CE3DA9599A6D
                Function 0041ED2B Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                Download Yara Rule
                APIs
                • _doexit.LIBCMT ref: 0041ED35
                  • Part of subcall function 0041EBFC: __lock.LIBCMT ref: 0041EC0A
                  • Part of subcall function 0041EBFC: DecodePointer.KERNEL32(004536A0,0000001C,0041EAE9,00000000,00000001,00000000,?,0041EA37,000000FF,?,004284CE,00000011,00000000,?,00423390,0000000D), ref: 0041EC49
                  • Part of subcall function 0041EBFC: DecodePointer.KERNEL32(?,0041EA37,000000FF,?,004284CE,00000011,00000000,?,00423390,0000000D), ref: 0041EC5A
                  • Part of subcall function 0041EBFC: EncodePointer.KERNEL32(00000000,?,0041EA37,000000FF,?,004284CE,00000011,00000000,?,00423390,0000000D), ref: 0041EC73
                  • Part of subcall function 0041EBFC: DecodePointer.KERNEL32(-00000004,?,0041EA37,000000FF,?,004284CE,00000011,00000000,?,00423390,0000000D), ref: 0041EC83
                  • Part of subcall function 0041EBFC: EncodePointer.KERNEL32(00000000,?,0041EA37,000000FF,?,004284CE,00000011,00000000,?,00423390,0000000D), ref: 0041EC89
                  • Part of subcall function 0041EBFC: DecodePointer.KERNEL32(?,0041EA37,000000FF,?,004284CE,00000011,00000000,?,00423390,0000000D), ref: 0041EC9F
                  • Part of subcall function 0041EBFC: DecodePointer.KERNEL32(?,0041EA37,000000FF,?,004284CE,00000011,00000000,?,00423390,0000000D), ref: 0041ECAA
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Pointer$Decode$Encode$__lock_doexit
                • String ID:
                • API String ID: 2158581194-0
                • Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                • Instruction ID: 6de702a9c1e461bfcf1ccfe948df92bd825854432ab8f443d6035d68b3c8f23b
                • Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
                • Instruction Fuzzy Hash: DAB012319C430C33D9102543EC03F453B0C4740B54F100021FE0C1C1E1A5A3B5E444CD
                Function 00417300 Relevance: 1.3, APIs: 1, Instructions: 96COMMON
                Download Yara Rule
                APIs
                • MultiByteToWideChar.KERNEL32(00000003,00000000,00000000,000000FF,?,00000002,00446D48,83575E26), ref: 00417392
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ByteCharMultiWide
                • String ID:
                • API String ID: 626452242-0
                • Opcode ID: 1f75e8b673b24b555d47a68046a71f0a1d0909cbc077d5d11aac7fae5b6777d4
                • Instruction ID: c0a132df0c9305a30716ad5bbbaf1b562b4098e4c4409843f629ceb38872adfa
                • Opcode Fuzzy Hash: 1f75e8b673b24b555d47a68046a71f0a1d0909cbc077d5d11aac7fae5b6777d4
                • Instruction Fuzzy Hash: 0531E4719043189BDB20CFA5CC85BEEB7B8EF45724F20422EEC29AB281D7755D48C794

                Non-executed Functions

                Function 00411500 Relevance: 55.1, APIs: 28, Strings: 3, Instructions: 896filesleepCOMMON
                Download Yara Rule
                APIs
                • __time64.LIBCMT ref: 004115A1
                • _rand_s.LIBCMT ref: 004115B3
                • _rand_s.LIBCMT ref: 004115C5
                • _rand_s.LIBCMT ref: 00411652
                • _rand_s.LIBCMT ref: 004116DF
                • _rand_s.LIBCMT ref: 0041179D
                  • Part of subcall function 00419288: DecodePointer.KERNEL32(00000010,?,00000000,?,00406FAC,00407011,?,000000FF,00000000,?,?,00407011,?,000002DC,0040767B,00B64FC8), ref: 00419294
                • _rand_s.LIBCMT ref: 0041182D
                • _rand_s.LIBCMT ref: 004118BD
                • _rand_s.LIBCMT ref: 0041194D
                  • Part of subcall function 004178C6: std::exception::exception.LIBCMT ref: 004178D9
                  • Part of subcall function 004178C6: __CxxThrowException@8.LIBCMT ref: 004178EE
                  • Part of subcall function 004178C6: std::exception::exception.LIBCMT ref: 00417907
                  • Part of subcall function 004178C6: __CxxThrowException@8.LIBCMT ref: 0041791C
                  • Part of subcall function 004178C6: std::regex_error::regex_error.LIBCPMT ref: 0041792E
                  • Part of subcall function 004178C6: __CxxThrowException@8.LIBCMT ref: 0041793C
                  • Part of subcall function 004178C6: std::exception::exception.LIBCMT ref: 00417955
                  • Part of subcall function 004178C6: __CxxThrowException@8.LIBCMT ref: 0041796A
                • _memset.LIBCMT ref: 00411A65
                • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000001,?,?,?,?,?,?,?,83575E26), ref: 00411A7A
                • PathAppendA.SHLWAPI(00000000,?), ref: 00411A93
                • _memmove.LIBCMT ref: 00411B4C
                • PathFileExistsA.SHLWAPI(00000000,00000000,00000001), ref: 00411BAC
                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00411BBE
                • PathAppendA.SHLWAPI(00000000,00000000), ref: 00411BE0
                • _memmove.LIBCMT ref: 00411C93
                • CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,00000000,00000001), ref: 00411D02
                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000001,00446888), ref: 00411DBA
                • CloseHandle.KERNEL32(00000000), ref: 00411DC1
                • Sleep.KERNEL32(00000000,?,?,?,004468D8), ref: 00411F7A
                • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000004,00000000,00000000,?,?,?,004468D8), ref: 00412047
                • GetFileSize.KERNEL32(00000000,00000000), ref: 00412065
                • ReadFile.KERNEL32(?,00000000,?,00000023,00000000), ref: 0041209D
                • CloseHandle.KERNEL32(?), ref: 0041210E
                • DeleteFileA.KERNEL32(?), ref: 0041216F
                • RemoveDirectoryA.KERNEL32(?), ref: 0041218D
                • _memmove.LIBCMT ref: 004122A7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _rand_s$File$Exception@8PathThrow$Create_memmovestd::exception::exception$AppendCloseDirectoryHandle$DecodeDeleteExistsFolderPointerReadRemoveSizeSleepSpecialWrite__time64_memsetstd::regex_error::regex_error
                • String ID: #$000000$invalid string position
                • API String ID: 3328921985-2602965877
                • Opcode ID: 66d6b9b6d4c515a99c83f54dab8ea608fad80a0edd31ab3bd8d591d7804264d8
                • Instruction ID: edd8a9490ad62fde8fa36a8088f9076ab6bd3ddfe1d035f6a90d1f136a20847e
                • Opcode Fuzzy Hash: 66d6b9b6d4c515a99c83f54dab8ea608fad80a0edd31ab3bd8d591d7804264d8
                • Instruction Fuzzy Hash: FF92AB708002699FEB21DF24CC55BDDB7B4AF06344F1082EAE509B6292EBB46BC5CF55
                Function 004036C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 79fileCOMMON
                Download Yara Rule
                APIs
                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004036EC
                • __splitpath_s.LIBCMT ref: 0040371B
                • __snprintf_s.LIBCMT ref: 0040373D
                  • Part of subcall function 004184C9: __vsnprintf_s_l.LIBCMT ref: 004184DE
                • FindFirstFileA.KERNEL32(?,?), ref: 00403752
                • _wprintf.LIBCMT ref: 00403770
                • _wprintf.LIBCMT ref: 00403787
                • FindNextFileA.KERNEL32(00000000,?), ref: 00403795
                • FindClose.KERNEL32(00000000), ref: 004037A0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: FileFind$_wprintf$CloseFirstModuleNameNext__snprintf_s__splitpath_s__vsnprintf_s_l
                • String ID: %s%ld$%s%s*
                • API String ID: 3098940076-3159374274
                • Opcode ID: 0ea6dc694fbf65be2665ed7fa5c88f18da9c1163f8034dd76a247af34ddece28
                • Instruction ID: 4c493de665d2d3db457fb579b3bcf4cae5024baeb1f2fc7acaa8f37cd99b73cc
                • Opcode Fuzzy Hash: 0ea6dc694fbf65be2665ed7fa5c88f18da9c1163f8034dd76a247af34ddece28
                • Instruction Fuzzy Hash: A52195F24096146BD220DB61CC49EEB7BDCEF49365F00462EF999D2091EB38964486AA
                Function 00426BA6 Relevance: 15.2, APIs: 10, Instructions: 162COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                • ___crtGetLocaleInfoA.LIBCMT ref: 00426BF8
                  • Part of subcall function 0043BF92: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043BF9E
                  • Part of subcall function 0043BF92: __crtGetLocaleInfoA_stat.LIBCMT ref: 0043BFB3
                • GetLastError.KERNEL32 ref: 00426C0A
                • ___crtGetLocaleInfoA.LIBCMT ref: 00426C2A
                • ___crtGetLocaleInfoA.LIBCMT ref: 00426C6C
                • __calloc_crt.LIBCMT ref: 00426C3F
                  • Part of subcall function 00422304: __calloc_impl.LIBCMT ref: 00422313
                • __calloc_crt.LIBCMT ref: 00426C81
                • _free.LIBCMT ref: 00426C99
                • _free.LIBCMT ref: 00426CD9
                • __calloc_crt.LIBCMT ref: 00426D03
                • _free.LIBCMT ref: 00426D29
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Locale$Info$___crt__calloc_crt_free$A_statErrorLastUpdateUpdate::___calloc_impl__crt
                • String ID:
                • API String ID: 1754018987-0
                • Opcode ID: e39510c9d84b150a91ae8fda303486be7c8a4339b83009492bf155c200bec0a7
                • Instruction ID: b2e3da1d508418420360f2b636ee5e67fc260e9bb0a74feffcea5b01407ca1f0
                • Opcode Fuzzy Hash: e39510c9d84b150a91ae8fda303486be7c8a4339b83009492bf155c200bec0a7
                • Instruction Fuzzy Hash: 3751BAB1B00229ABEF24AF369D41BAB7779EF04314F50449AF94CD2241EF39DD548B64
                Function 0043B78E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                • _wcscmp.LIBCMT ref: 0043B7A5
                • _wcscmp.LIBCMT ref: 0043B7B6
                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,0043BA54,?,00000000), ref: 0043B7D2
                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,0043BA54,?,00000000), ref: 0043B7FC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: InfoLocale_wcscmp
                • String ID: ACP$OCP
                • API String ID: 1351282208-711371036
                • Opcode ID: 7e70baee39471b36c3731805565d9ddc8050e34b4c68e248fcfe91e5f00ec6fc
                • Instruction ID: 09fcb4ad26fa1f651edeae0b24bac4b6bc44f508aae15adf19c2190ed348e408
                • Opcode Fuzzy Hash: 7e70baee39471b36c3731805565d9ddc8050e34b4c68e248fcfe91e5f00ec6fc
                • Instruction Fuzzy Hash: AA01D231201205BBEB10AF18EC85FD73798EF097A4F14902BFA04CA290E738DD8187D9
                Function 00414610 Relevance: 4.5, APIs: 3, Instructions: 43COMMON
                Download Yara Rule
                APIs
                • LoadResource.KERNEL32(004143FC,?,?,00413A64,00000000,00000000,004143FC,?,004134F1,00000010,00000000,?,004143FC), ref: 00414619
                • LockResource.KERNEL32(00000000,00000000,?,00413A64,00000000,00000000,004143FC,?,004134F1,00000010,00000000,?,004143FC), ref: 00414627
                • SizeofResource.KERNEL32(004143FC,?,?,00413A64,00000000,00000000,004143FC,?,004134F1,00000010,00000000,?,004143FC), ref: 00414639
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Resource$LoadLockSizeof
                • String ID:
                • API String ID: 2853612939-0
                • Opcode ID: 1438fc039645e33582db1212e27eed33aeee85dd19dd293e1141dd447b2c2205
                • Instruction ID: 8de17ad7ac1adce31fc7aa2ef894726fbc71982850cc2c91ad71a0280db4b7d6
                • Opcode Fuzzy Hash: 1438fc039645e33582db1212e27eed33aeee85dd19dd293e1141dd447b2c2205
                • Instruction Fuzzy Hash: 59F081365002299BCF215F64E8049EA77A9EF9635AB018836FD5D9B120E7399C909788
                Function 0041FA71 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0041FDB3,?,?,?,00000000), ref: 0041FA76
                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0041FA7F
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 188f9fcffb37c2a49058d2b59adbf6d9e40bc72b103cf66b9234b0b16c21a09d
                • Instruction ID: 5965ede39e8ce34d018819581a33468a08d0c9412de91630579d6ad7fc0e55b2
                • Opcode Fuzzy Hash: 188f9fcffb37c2a49058d2b59adbf6d9e40bc72b103cf66b9234b0b16c21a09d
                • Instruction Fuzzy Hash: DCB09235044208ABDB002F91EC09B583F28EB07652F010024F70D44066CB626424CA9A
                Function 0040FEB0 Relevance: 2.7, Strings: 2, Instructions: 157COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID: C$b
                • API String ID: 0-4208099284
                • Opcode ID: 19f20ff4ec458d7d083c8481040a351d1d53d37af871703568e995ca71610b9b
                • Instruction ID: 1f8d3c21c633e21affc6e081612e2a094b19809ea2ecddb9cecfc427766d4ec5
                • Opcode Fuzzy Hash: 19f20ff4ec458d7d083c8481040a351d1d53d37af871703568e995ca71610b9b
                • Instruction Fuzzy Hash: 08617071E003498BDF14CFACC584AEDB7B1BF89344F24822AD858AB346E7749A85CB44
                Function 0043BCB4 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                • EnumSystemLocalesW.KERNEL32(0043BCA0,00000001,?,0043AC12,0043ACB0,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0043BCE2
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: EnumLocalesSystem
                • String ID:
                • API String ID: 2099609381-0
                • Opcode ID: 9044a65ec44bd96cd45255eb8e2b4f6121414df772ba756ef86a039f202b0a8e
                • Instruction ID: 65c26b7e30f56fdffd015510d0ae9065c69887afbdf23b69359b2eae073bda9a
                • Opcode Fuzzy Hash: 9044a65ec44bd96cd45255eb8e2b4f6121414df772ba756ef86a039f202b0a8e
                • Instruction Fuzzy Hash: 9CE04632150308BFCB12DFA0EC02F9A3BA5FB48712F400029F61C9A1A2CB71E5609B8C
                Function 0043BD3A Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                • GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,00426D5C,?,?,?,00000002), ref: 0043BD61
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: InfoLocale
                • String ID:
                • API String ID: 2299586839-0
                • Opcode ID: fc278e0e78bad5b27ddcc8061be37b362d937b60d4e54bc83f34cb10d521271f
                • Instruction ID: e073af96c278334cce2df371cd730cab8f43a1b062337a17f9363cc1bcddfa71
                • Opcode Fuzzy Hash: fc278e0e78bad5b27ddcc8061be37b362d937b60d4e54bc83f34cb10d521271f
                • Instruction Fuzzy Hash: E5D01732000208FF8F01EFD0FC0996A3BA9FB0D324B44841AFA0C86121CB36E4209B69
                Function 0041FA40 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                Download Yara Rule
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0041FA46
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 720a24ba9557f12cd683f4746a2d7a2ea6b315ad93fa34f959b065d77def3c31
                • Instruction ID: 26c6440693a1c3a83a238ec55ebbb6dc8d6d1fe89db57af1dd820c121fb6eb5a
                • Opcode Fuzzy Hash: 720a24ba9557f12cd683f4746a2d7a2ea6b315ad93fa34f959b065d77def3c31
                • Instruction Fuzzy Hash: CEA0113000020CAB8B002F82EC088883F2CEA022A2B000020FA0C00022CB22A8208A8A
                Function 00404114 Relevance: 1.3, APIs: 1, Instructions: 35memoryCOMMON
                Download Yara Rule
                APIs
                • GetProcessHeap.KERNEL32(00413605,83575E26,00000000,75E5DC60,?,00000000,00445346,000000FF,?,004055FD,?,00000000,00000002,00000001,00000000,0000027C), ref: 00404125
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: HeapProcess
                • String ID:
                • API String ID: 54951025-0
                • Opcode ID: 6b06a65b2ee454aad8a34fe7c1e5842b27858fae4f981e33cbde7755481ce4c7
                • Instruction ID: e642a371c3152a9fe0ce270a69d683a85d21a930a8ac50d0b9139a96a47f6a3c
                • Opcode Fuzzy Hash: 6b06a65b2ee454aad8a34fe7c1e5842b27858fae4f981e33cbde7755481ce4c7
                • Instruction Fuzzy Hash: F901E4B19043108BE744DF98BC49B503BA0E35971BF21803EE514AA6A3CFB8C8458F8D
                Function 004156F0 Relevance: .7, Instructions: 691COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ce09b4549b49ffb154dbe730877b3006629246a2582047f28e943a185ebe623a
                • Instruction ID: 8fce5931013051c82a219e6e85c1c37b3231fd41ddd1ac692cfb58297486fab4
                • Opcode Fuzzy Hash: ce09b4549b49ffb154dbe730877b3006629246a2582047f28e943a185ebe623a
                • Instruction Fuzzy Hash: 882271B7F515144BDB0CCA9DCCA23EDB2E3AFD4218B0E813DA80AE3745EA7DD9158644
                Function 004168F0 Relevance: .4, Instructions: 352COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6d9979f1de0d0c546b9a2887f4385725bee3457cad07b109ae0c0d0b20d5cc5e
                • Instruction ID: e7e7117e8dca3662c5a4de3b1bd0b5d055caa3165554681bde9e5da4ddd60222
                • Opcode Fuzzy Hash: 6d9979f1de0d0c546b9a2887f4385725bee3457cad07b109ae0c0d0b20d5cc5e
                • Instruction Fuzzy Hash: 26A1FD0A8090E4ABEF455A7E80B63EBAFE9CB27344E76718684D857793C119210FDF50
                Function 004386B5 Relevance: .3, Instructions: 345COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction ID: c0024001c64dcae96db2081515a7d5b4ca85d4e48a776ee1b995c729b47b73b2
                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction Fuzzy Hash: 4BC1A43220525349DF2D463A843413FFAA15F967B171A279FF8B3CB2D5EE28C524D618
                Function 00438AEA Relevance: .3, Instructions: 341COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction ID: c033810526968b308b44fb74b2f0cc9010cf42bd6b54fec6ea6967ee73d36b7d
                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction Fuzzy Hash: E4C1CB321056934ADF1D463AC43403FFAA15BA67B171A279FF8B3CB2D5EE28C524D624
                Function 00438280 Relevance: .3, Instructions: 331COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction ID: d1eca3c289a0031506bde214c1f96bf6dab611838b5f8a6d5d4379efc0895050
                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction Fuzzy Hash: F6C1A8322056534ADF1D463A843403FFAA15BA67B171A279FF8B3CB2D5FE28C524D618
                Function 00437E68 Relevance: .3, Instructions: 323COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction ID: 7e24884abb870694d6827b0db646051b935eb7bba63c35e67da32edeeab1d059
                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction Fuzzy Hash: 81C1A83220965349DF2D463AC43403FFAA15B967B171A279FF8B3CB2D5EE28C524D618
                Function 00401E03 Relevance: .1, Instructions: 107COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: adfca633d7fc0e273e5cef39c765a0a8777fe25ab1c7b53c0ecf2df78714bf8c
                • Instruction ID: b82516a38fbf77ecc2fcc96d8152a24d8253cb01d6312d2638816a4e96abdbd5
                • Opcode Fuzzy Hash: adfca633d7fc0e273e5cef39c765a0a8777fe25ab1c7b53c0ecf2df78714bf8c
                • Instruction Fuzzy Hash: F2317330F82184BBDF02ABE59802BBE7F609F8B304F05446AB9447B5E3C6784519EF65
                Function 00401A8D Relevance: .1, Instructions: 83COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c55e51b3449cddcc339fdb39633e8a349c2a73cc65ad7e65b598cbc27c129b26
                • Instruction ID: 84692efbff0989ac7777405f7f75253d59f8d5e9257181a60bb99792c4091b89
                • Opcode Fuzzy Hash: c55e51b3449cddcc339fdb39633e8a349c2a73cc65ad7e65b598cbc27c129b26
                • Instruction Fuzzy Hash: 4D217C31E861C87ACF02A7F988119FEFFB5AF9B300F4954AAE4807B163C2345215DA54
                Function 00416DD0 Relevance: .1, Instructions: 79COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6fe5722404efce67c1f845e4b926b82a66000e07c80247ef6fd0034bb34b6bee
                • Instruction ID: 66a1001c0961b1febd4c4bd287a4d05611b8ee244c8ed5b756dc06ed74737018
                • Opcode Fuzzy Hash: 6fe5722404efce67c1f845e4b926b82a66000e07c80247ef6fd0034bb34b6bee
                • Instruction Fuzzy Hash: F6217425408A96AFDB118B3C80215E7FFF4EF1B350B66A286C8D857702C224791FEBD0
                Function 00419720 Relevance: .1, Instructions: 76COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                • Instruction ID: cc82e19b168aeb74e9ff2eea40868e0655202b23b35b3d74326a727e48c7ad23
                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                • Instruction Fuzzy Hash: 1311E67B220142C3E6188E2DD9F85F7A395EEC5321B2C427BD1724B7D8D22A9DC59908
                Function 00408FAC Relevance: 36.9, APIs: 13, Strings: 8, Instructions: 186COMMON
                Download Yara Rule
                APIs
                • IsWindow.USER32(00000000), ref: 00408FDD
                • GetDlgItem.USER32(00000415,00000000), ref: 00408FF7
                • _memset.LIBCMT ref: 00409014
                • _memset.LIBCMT ref: 0040902E
                • GetWindowTextA.USER32(00000000,00000000,00000104), ref: 00409043
                • ShowWindow.USER32(00000000,00000000), ref: 004090A8
                • SetWindowTextA.USER32(00000000,00000000), ref: 004090B6
                  • Part of subcall function 0040922D: EnumWindows.USER32(004090D6,004586E0), ref: 00409237
                  • Part of subcall function 0040922D: IsWindow.USER32 ref: 00409243
                  • Part of subcall function 00417BE0: ___report_securityfailure.LIBCMT ref: 00417BE5
                • __EH_prolog3_GS.LIBCMT ref: 004090E0
                • _memset.LIBCMT ref: 00409100
                • GetClassNameA.USER32(000008CC,00000000,00000104), ref: 00409115
                  • Part of subcall function 0040654F: _memmove.LIBCMT ref: 004065B7
                • GetWindowTextA.USER32(000008CC,00000000,00000104), ref: 00409194
                • GetDlgItem.USER32(000008CC,00000415), ref: 004091D6
                • GetWindowTextA.USER32(00000000,00000000,00000104), ref: 004091ED
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Window$Text$_memset$Item$ClassEnumH_prolog3_NameShowWindows___report_securityfailure_memmove
                • String ID: $ $#32770$%s%c%c%c$f$fus$s$u
                • API String ID: 603564375-809261853
                • Opcode ID: 66c71cdfb129c79bfe36b1969794cd9f8a26541871f30b69a9ccdddab2a0d9fa
                • Instruction ID: e45a3f29e9c38084795e8716eb9f47f4e55b67a24ebb5f24269c8579f1c4ee87
                • Opcode Fuzzy Hash: 66c71cdfb129c79bfe36b1969794cd9f8a26541871f30b69a9ccdddab2a0d9fa
                • Instruction Fuzzy Hash: 42612975500219ABDB20EB64DC45FEE7768AB11704F0001FEEA44B61C3DBB85F898B69
                Function 004047AD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 187windowCOMMON
                Download Yara Rule
                APIs
                • __EH_prolog3_catch_GS.LIBCMT ref: 004047B4
                • DestroyWindow.USER32(?,0000005C), ref: 00404875
                • GetSystemMetrics.USER32(00000032), ref: 00404938
                • GetSystemMetrics.USER32(00000031), ref: 0040493D
                • LoadImageA.USER32(0000006B,00000001,00000000), ref: 00404950
                • SendMessageA.USER32(?,00000080,00000000,00000000), ref: 00404965
                • LoadImageA.USER32(00000084,00000001,00000000,00000000,00000000), ref: 00404979
                • GetDlgItem.USER32(?,000003E9), ref: 00404993
                • SendMessageA.USER32(00000000), ref: 00404996
                • LoadImageA.USER32(00000085,00000001,00000000,00000000,00000000), ref: 004049AA
                • GetDlgItem.USER32(?,000003E8), ref: 004049C2
                • SendMessageA.USER32(00000000), ref: 004049C5
                • SetWindowTextA.USER32(?,CheerSkullness), ref: 004049CD
                • GetDlgItem.USER32(?,000003EA), ref: 004049D9
                  • Part of subcall function 00404697: LoadLibraryA.KERNEL32(00000000,0045008C,83575E26,00000002), ref: 00404704
                  • Part of subcall function 00404697: GetProcAddress.KERNEL32(00000000,00000000), ref: 00404731
                • DestroyWindow.USER32(?,0000005C), ref: 00404A43
                • PostQuitMessage.USER32(00000000,0000005C), ref: 00404A70
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: LoadMessage$ImageItemSendWindow$DestroyMetricsSystem$AddressH_prolog3_catch_LibraryPostProcQuitText
                • String ID: CheerSkullness$CheerSkullness
                • API String ID: 2948310788-2492100274
                • Opcode ID: eb280e3b22c731430c279d804b5921ccf2852b9e61208c99b4e9e5d8cb123d58
                • Instruction ID: 00294764cad5714e041be9feeaa5992852f6c15a27540361dc3462e30166dc96
                • Opcode Fuzzy Hash: eb280e3b22c731430c279d804b5921ccf2852b9e61208c99b4e9e5d8cb123d58
                • Instruction Fuzzy Hash: 0D51D5F5640305AAEB21AB718C4AB7F3658AB81715F00417AF705B61D2CFBC9D05DA2E
                Function 00404300 Relevance: 33.4, APIs: 2, Strings: 17, Instructions: 104COMMON
                Download Yara Rule
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00404307
                • GetLastError.KERNEL32(00000001,?,00000001,?,00000001,00000025), ref: 0040434A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ErrorH_prolog3_Last
                • String ID: $#$$$%$&$+$,$/$0123456789ABCDEF$:$;$=$?$@$[$\$]
                • API String ID: 1018228973-3335811775
                • Opcode ID: ad1f319706ddcb948705d37bb94de7ddf9a3e293c250aefa42be98d88c6e077b
                • Instruction ID: 783392f697d45df3c5d360e7fc38fab845af34be01ced37aa246beff55da0f30
                • Opcode Fuzzy Hash: ad1f319706ddcb948705d37bb94de7ddf9a3e293c250aefa42be98d88c6e077b
                • Instruction Fuzzy Hash: 2E31C7B4B521489EFB24DE56C4897EF37A69B84304F6C5077EF007A2D2C3BD4A818759
                Function 00407F7E Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 186networkfilestringCOMMON
                Download Yara Rule
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00407F88
                  • Part of subcall function 004075A1: __EH_prolog3_GS.LIBCMT ref: 004075A8
                  • Part of subcall function 00408635: __EH_prolog3_GS.LIBCMT ref: 0040863C
                • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 0040803E
                • lstrlenA.KERNEL32(Acce,00000000,00000000), ref: 00408098
                • InternetOpenUrlA.WININET(?,?,65636341,00000000), ref: 004080AA
                • InternetQueryOptionA.WININET(00000000,0000001F,?,?), ref: 004080E4
                • InternetSetOptionA.WININET(00000000,0000001F,00000100,00000004), ref: 00408100
                • InternetReadFile.WININET(00000000,?,00000400,00000001), ref: 0040812F
                • _memmove.LIBCMT ref: 0040816F
                  • Part of subcall function 00408547: HttpOpenRequestA.WININET(?,00000000,00451054,HTTP/1.0,00000000,00000000,00000000,00000000), ref: 004085BD
                  • Part of subcall function 00408547: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004085DB
                  • Part of subcall function 00408547: HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 004085FE
                  • Part of subcall function 00408547: InternetCloseHandle.WININET(00000000), ref: 00408615
                • _memmove.LIBCMT ref: 004081AD
                • InternetReadFile.WININET(00000000,?,00000400,00000001), ref: 004081CF
                • InternetCloseHandle.WININET(00000000), ref: 004081F3
                • InternetCloseHandle.WININET(?), ref: 004081FC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Internet$CloseH_prolog3_HandleHttpOpen$FileOptionQueryReadRequest_memmove$InfoSendlstrlen
                • String ID: */*\$Acce$pt: $r\n$r\n\
                • API String ID: 734826685-1620885157
                • Opcode ID: 7a3a674e56cd3e178d97786fa34f43c9709da33eaa19aa54b840408f68ea8b91
                • Instruction ID: bbd55b1df72b4712cc8f3a85c00470a8a5ea15846d345fd37cce319bb307add3
                • Opcode Fuzzy Hash: 7a3a674e56cd3e178d97786fa34f43c9709da33eaa19aa54b840408f68ea8b91
                • Instruction Fuzzy Hash: 83715EB19006289FDB24DF51CD85BDABBB8EF09304F0001EAE649A7282DB755E85CF5D
                Function 004099E3 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 289COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _calloc_memmove$___from_strstr_to_strchr_swscanf
                • String ID: %lf$.$0123456789.+-eE$E$e
                • API String ID: 3882034043-1676027922
                • Opcode ID: 0c2fd2e87412abd0359eea96cb80b24d2540b593d6195a98641426885597d827
                • Instruction ID: 5b2682bc9834dd6fe4d849e4581ffd2a5b897eecea636a695479210e5678a711
                • Opcode Fuzzy Hash: 0c2fd2e87412abd0359eea96cb80b24d2540b593d6195a98641426885597d827
                • Instruction Fuzzy Hash: 09C13E706047018FC724CF19C490A26B7E1FF88318F14866EE44A9B792D779E995CF86
                Function 00404D13 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 123filesleepCOMMON
                Download Yara Rule
                APIs
                • _memset.LIBCMT ref: 00404D3E
                • _memset.LIBCMT ref: 00404D57
                • _memset.LIBCMT ref: 00404D6B
                • _memset.LIBCMT ref: 00404D7F
                • _rand_s.LIBCMT ref: 00404D8B
                  • Part of subcall function 00419288: DecodePointer.KERNEL32(00000010,?,00000000,?,00406FAC,00407011,?,000000FF,00000000,?,?,00407011,?,000002DC,0040767B,00B64FC8), ref: 00419294
                  • Part of subcall function 00406F83: __time64.LIBCMT ref: 00406F90
                  • Part of subcall function 00406F83: _rand_s.LIBCMT ref: 00406FA7
                • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000002A,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404DB8
                  • Part of subcall function 00406469: vswprintf.LIBCMT ref: 0040647B
                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00404E2F
                • WriteFile.KERNEL32(00000000,?,0000001E,?,00000000), ref: 00404E5C
                • CloseHandle.KERNEL32(00000000), ref: 00404E63
                • Sleep.KERNEL32(0000001E), ref: 00404E6B
                • RemoveDirectoryA.KERNEL32(?), ref: 00404E78
                • DeleteFileA.KERNEL32(?), ref: 00404E85
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memset$File$_rand_s$CloseCreateDecodeDeleteDirectoryFolderHandlePathPointerRemoveSleepSpecialWrite__time64vswprintf
                • String ID: %s\%s$%s\%s
                • API String ID: 3565955042-3515709335
                • Opcode ID: a55f8c4952699ae313ec523b2be3cc929a35a386fd8b5b69f6ce82245a4b62ac
                • Instruction ID: 1e61dfb890a7247723f5d98530d4ed4f19160ae265c0d400497071a3c6002877
                • Opcode Fuzzy Hash: a55f8c4952699ae313ec523b2be3cc929a35a386fd8b5b69f6ce82245a4b62ac
                • Instruction Fuzzy Hash: B8414DB690112CAADB20EBA4DC85FEF777CEB45705F0000E7B949A6181DA746FC88F65
                Function 0040C760 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 164COMMON
                Download Yara Rule
                APIs
                • __wopen.LIBCMT ref: 0040C784
                • _calloc.LIBCMT ref: 0040C7C9
                • _malloc.LIBCMT ref: 0040C7E7
                • _free.LIBCMT ref: 0040C7F6
                • __close.LIBCMT ref: 0040C7FF
                  • Part of subcall function 0041E222: __getptd_noexit.LIBCMT ref: 0041E222
                  • Part of subcall function 0041E136: __getptd_noexit.LIBCMT ref: 0041E13A
                  • Part of subcall function 0040CD30: __vfwprintf_p.LIBCMT ref: 0040CD43
                Strings
                • json_object_from_file: printbuf_new failed, xrefs: 0040C804
                • json_object_from_file: error reading file %s: %s, xrefs: 0040C7A6, 0040C90B
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: __getptd_noexit$__close__vfwprintf_p__wopen_calloc_free_malloc
                • String ID: json_object_from_file: error reading file %s: %s$json_object_from_file: printbuf_new failed
                • API String ID: 2281471598-572463532
                • Opcode ID: 4815bd4f5f7a1d4845580e7b05f4968145337519317fa561ab94d2e2f08abf7c
                • Instruction ID: c027d1b4326088842068e27bde428e37f637ad2044ec639a1d94a79a2965427d
                • Opcode Fuzzy Hash: 4815bd4f5f7a1d4845580e7b05f4968145337519317fa561ab94d2e2f08abf7c
                • Instruction Fuzzy Hash: 86413BB2A002049BD721BB65DC82BEA73E8DF04305F10447FF849E7242FA7D9D848799
                Function 004090D6 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 97COMMON
                Download Yara Rule
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 004090E0
                • _memset.LIBCMT ref: 00409100
                • GetClassNameA.USER32(000008CC,00000000,00000104), ref: 00409115
                  • Part of subcall function 0040654F: _memmove.LIBCMT ref: 004065B7
                • GetWindowTextA.USER32(000008CC,00000000,00000104), ref: 00409194
                • GetDlgItem.USER32(000008CC,00000415), ref: 004091D6
                • GetWindowTextA.USER32(00000000,00000000,00000104), ref: 004091ED
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: TextWindow$ClassH_prolog3_ItemName_memmove_memset
                • String ID: $ $#32770$%s%c%c%c$f$fus$s$u
                • API String ID: 220623237-809261853
                • Opcode ID: 6df41928561cdd737ec49c6ee312c705942e575d0366209749e5884253fa6c85
                • Instruction ID: f75bd968aa71c8ca392041018a586f94fc74f0f3f97a0f61b9cc4dab7069a557
                • Opcode Fuzzy Hash: 6df41928561cdd737ec49c6ee312c705942e575d0366209749e5884253fa6c85
                • Instruction Fuzzy Hash: 3F3104B190411D7AEB24EB60CC06FEA7728AB51714F0041FEEA04B61C3D7B85F998B69
                Function 00423E63 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 131COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__wsetlocale_nolock_wcscmp
                • String ID: 8lE
                • API String ID: 1077091919-449313934
                • Opcode ID: a3e8d97f3a2c1738eead65886879df5852972d7e8179d4742c82d3ea624a6650
                • Instruction ID: cfe41bffbcb0e5aeb40544c9cb1087b6ae68fca15d980bec4d2f3371ac8750ed
                • Opcode Fuzzy Hash: a3e8d97f3a2c1738eead65886879df5852972d7e8179d4742c82d3ea624a6650
                • Instruction Fuzzy Hash: DE415632A04314ABCB10AFA5BD8279E37F0EF4431AF50402FF90496192CBBD96468B1C
                Function 004073BE Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 80COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: H_prolog3_swprintf
                • String ID: )$I$NS$S_In$a$c (M$et$i$ll$oz
                • API String ID: 472742393-1149177782
                • Opcode ID: 2e793eb07d2abd6676406e09b3b012fa16e87a2451e49d848be59e8f390874be
                • Instruction ID: f2d3eefdf47a4140b981b75bd99ba2044a61e377dc2e94fbf3430849bb847962
                • Opcode Fuzzy Hash: 2e793eb07d2abd6676406e09b3b012fa16e87a2451e49d848be59e8f390874be
                • Instruction Fuzzy Hash: D23183B0D05244CADB45DFA5C8857DDBBB49F14304F1440EED50877286DAB84B48CBAD
                Function 00423D8C Relevance: 19.6, APIs: 13, Instructions: 84COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                • String ID:
                • API String ID: 1503006713-0
                • Opcode ID: 71e258a0fea9b3b9609058429732234d0fac7e40c2b44fb0b30353fa77e30cb1
                • Instruction ID: 41c0933df1ecf452b79c88d07f04d69009cc922ff9a5461529844a075b4c64a6
                • Opcode Fuzzy Hash: 71e258a0fea9b3b9609058429732234d0fac7e40c2b44fb0b30353fa77e30cb1
                • Instruction Fuzzy Hash: 44214931300221AAEB217F66FD02A9B77F5EF41765F90442FF88485551DF7D8A50869C
                Function 004037B9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 74fileCOMMON
                Download Yara Rule
                APIs
                • FindResourceA.KERNEL32(00000000,00000089,00000002), ref: 004037D6
                • LoadResource.KERNEL32(00000000,00000000), ref: 004037E0
                • LockResource.KERNEL32(00000000), ref: 004037E9
                • SizeofResource.KERNEL32(00000000,00000000), ref: 004037F4
                • CreateFileA.KERNEL32(img.bmp,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00403813
                • WriteFile.KERNEL32(00000000,?,0000000E,?,00000000), ref: 0040384D
                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040385C
                • CloseHandle.KERNEL32(00000000), ref: 0040385F
                • FreeResource.KERNEL32(00000000), ref: 00403866
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Resource$File$Write$CloseCreateFindFreeHandleLoadLockSizeof
                • String ID: 6$img.bmp
                • API String ID: 92006634-3433094176
                • Opcode ID: 565a7ef94e06cf54e913f418a9255c57ebd7b3081ab7358b2807141b51fe75d0
                • Instruction ID: be26d226a4ed8a600b438e892f4ebcab52cb5200a6213419083ca82f9da15c2c
                • Opcode Fuzzy Hash: 565a7ef94e06cf54e913f418a9255c57ebd7b3081ab7358b2807141b51fe75d0
                • Instruction Fuzzy Hash: DC2181B5900208BFEB109FB4DC89EBF7FBCEB0A751F014566FA05A6281DA344D05CBA5
                Function 0040F400 Relevance: 18.2, APIs: 12, Instructions: 182COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _fseek$__fread_nolock__wfopen_s$_memset
                • String ID:
                • API String ID: 522111778-0
                • Opcode ID: 4e2b7b16933232705f9fa2dd81349438d8872fb1f9b446b7df8b3767042a909d
                • Instruction ID: ce1c03e3d7847b5bd358906b4a3a7e391d6dca22651b90d4cbdde69dc8472721
                • Opcode Fuzzy Hash: 4e2b7b16933232705f9fa2dd81349438d8872fb1f9b446b7df8b3767042a909d
                • Instruction Fuzzy Hash: 2A61E471A00604BBDB21EF65CC42FEEBBB5EF54304F00846EF9456A292D779AA508B58
                Function 0041E90F Relevance: 18.1, APIs: 12, Instructions: 84COMMON
                Download Yara Rule
                APIs
                • DecodePointer.KERNEL32 ref: 0041E917
                • _free.LIBCMT ref: 0041E930
                  • Part of subcall function 00418E0E: HeapFree.KERNEL32(00000000,00000000,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E22
                  • Part of subcall function 00418E0E: GetLastError.KERNEL32(00456E48,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E34
                • _free.LIBCMT ref: 0041E943
                • _free.LIBCMT ref: 0041E961
                • _free.LIBCMT ref: 0041E973
                • _free.LIBCMT ref: 0041E984
                • _free.LIBCMT ref: 0041E98F
                • _free.LIBCMT ref: 0041E9B3
                • EncodePointer.KERNEL32(00B4EFF0), ref: 0041E9BA
                • _free.LIBCMT ref: 0041E9CF
                • _free.LIBCMT ref: 0041E9E5
                • _free.LIBCMT ref: 0041EA0D
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                • String ID:
                • API String ID: 3064303923-0
                • Opcode ID: 1255d6f4468b62eb02c61657698a98cd9c410246fe73d32e30acd54a7d686900
                • Instruction ID: 3982286b7200145366e41f956b65c3378f21fd8cf1897d2698a0ed3c2e754c5f
                • Opcode Fuzzy Hash: 1255d6f4468b62eb02c61657698a98cd9c410246fe73d32e30acd54a7d686900
                • Instruction Fuzzy Hash: 21216DBAA053129BDB206F56FC4158777A4BB0572A319043FE804A3267DB39ECC08BCC
                Function 0040EB90 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 401COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove
                • String ID: invalid string position$string too long
                • API String ID: 4104443479-4289949731
                • Opcode ID: 206b04fd217fb647fb7566acc33a0ae19f6574e7361804764e60dce644685dfd
                • Instruction ID: d6ef922f16ee75b7350dcb87e30066eeeec4fca91a417b66dd85785bc056b84f
                • Opcode Fuzzy Hash: 206b04fd217fb647fb7566acc33a0ae19f6574e7361804764e60dce644685dfd
                • Instruction Fuzzy Hash: 71E14D3070420ADBCB24CE1AD9C089AB7BAFF85344720493BE845DB395D735E965CBE9
                Function 00402771 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 354COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove
                • String ID: invalid string position$string too long
                • API String ID: 4104443479-4289949731
                • Opcode ID: dd3b732e2f7db66c48e10dc15478b23b4635832b0d784db7730cc39fe0f6e4a2
                • Instruction ID: 4183a3a0679bd38531d5c931ade47d2fdfe50b5d204fe958bf0855b9db7c51d5
                • Opcode Fuzzy Hash: dd3b732e2f7db66c48e10dc15478b23b4635832b0d784db7730cc39fe0f6e4a2
                • Instruction Fuzzy Hash: CED16F71B00605DFCB20CF48DA8599AB7F5FF48740B24893AE941E7381D7B8E951CBA9
                Function 00404A80 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69fileCOMMON
                Download Yara Rule
                APIs
                • GetModuleHandleA.KERNEL32(00000000), ref: 00404A91
                • FindResourceA.KERNEL32(00000000,00000000,WAVE), ref: 00404AA3
                • SizeofResource.KERNEL32(00000000,00000000), ref: 00404AB5
                • LoadResource.KERNEL32(00000000,00000000), ref: 00404AC4
                • LockResource.KERNEL32(00000000), ref: 00404ACF
                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000000,00000000), ref: 00404AEA
                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00404B04
                • CloseHandle.KERNEL32(00000000), ref: 00404B11
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Resource$FileHandle$CloseCreateFindLoadLockModuleSizeofWrite
                • String ID: WAVE
                • API String ID: 218636447-3968942141
                • Opcode ID: beb80ab34a40d30e65a8d4ec699aea9542047fd73b224b127512ce42121e2f33
                • Instruction ID: 9e7db8758355f6f41a26bfd30e8cba135c806873a1cb839bccba8aa7048bcc9b
                • Opcode Fuzzy Hash: beb80ab34a40d30e65a8d4ec699aea9542047fd73b224b127512ce42121e2f33
                • Instruction Fuzzy Hash: 5E11A3B9A412147FD7215B659C48EBB7BBCEB877A1B010176FD05F3291DB388C018AA9
                Function 004178C6 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58COMMON
                Download Yara Rule
                APIs
                • std::exception::exception.LIBCMT ref: 004178D9
                  • Part of subcall function 0041EE6F: std::exception::_Copy_str.LIBCMT ref: 0041EE88
                • __CxxThrowException@8.LIBCMT ref: 004178EE
                  • Part of subcall function 0041A90E: RaiseException.KERNEL32(?,?,?,L2E,?,?,?,?,?,00418474,?,0045324C,?,00000001), ref: 0041A963
                • std::exception::exception.LIBCMT ref: 00417907
                • __CxxThrowException@8.LIBCMT ref: 0041791C
                • std::regex_error::regex_error.LIBCPMT ref: 0041792E
                  • Part of subcall function 0041769A: std::exception::exception.LIBCMT ref: 004176B4
                • __CxxThrowException@8.LIBCMT ref: 0041793C
                • std::exception::exception.LIBCMT ref: 00417955
                • __CxxThrowException@8.LIBCMT ref: 0041796A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
                • String ID: bad function call
                • API String ID: 2464034642-3612616537
                • Opcode ID: f021ab079d8e8ca74ad86e3e2c21a51ad82670d73f6c2a9670a9f71f1a897b41
                • Instruction ID: a729f487cab917c2a4c82d9e65d17b3a4c64f52d8689bd4fca1f6f243bbde91a
                • Opcode Fuzzy Hash: f021ab079d8e8ca74ad86e3e2c21a51ad82670d73f6c2a9670a9f71f1a897b41
                • Instruction Fuzzy Hash: 5711C174C0420CBBCF01EFA6C845CCDBB7CAA04348F508467BD1457541EB78E7998B99
                Function 0040F9C0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 40COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memcpy_s$_memset$_memmove
                • String ID: RIFF$WAVE$data$fmt
                • API String ID: 3840291468-4212202414
                • Opcode ID: ce803105d1afae038f6bdc88785d82b512ac92d339ca522f44eae7f35521e863
                • Instruction ID: a20d9f5ac8fac6220004ec0115a9e9b374b8a502398059f22376fedddeb92ad7
                • Opcode Fuzzy Hash: ce803105d1afae038f6bdc88785d82b512ac92d339ca522f44eae7f35521e863
                • Instruction Fuzzy Hash: C401FBF1680700BAF6309F51EC46F8376E86B04B18F00091EB389AA5C1D7F9A1488B9E
                Function 00405034 Relevance: 15.1, APIs: 10, Instructions: 52COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _rand$CountTick
                • String ID:
                • API String ID: 1267669999-0
                • Opcode ID: 0f6f5cec289977f30596897e5ddefb65a197ed9623b03464561ebf145c9d6fcf
                • Instruction ID: 8b3913db9e2892c778da8b449362461f6555ac90c9b529acbcdb0527967e1e93
                • Opcode Fuzzy Hash: 0f6f5cec289977f30596897e5ddefb65a197ed9623b03464561ebf145c9d6fcf
                • Instruction Fuzzy Hash: 2B01F73291051DA6D602BBBFAC855AFF368EE09354714873BFA0473141FB382DC6499D
                Function 0040C920 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 110COMMON
                Download Yara Rule
                APIs
                • __wopen.LIBCMT ref: 0040C955
                  • Part of subcall function 0040CD30: __vfwprintf_p.LIBCMT ref: 0040CD43
                Strings
                • json_object_to_file: object is null, xrefs: 0040C933
                • json_object_to_file: error writing file %s: %s, xrefs: 0040CA09
                • json_object_to_file: error opening file %s: %s, xrefs: 0040C971
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: __vfwprintf_p__wopen
                • String ID: json_object_to_file: error opening file %s: %s$json_object_to_file: error writing file %s: %s$json_object_to_file: object is null
                • API String ID: 3130648922-1352939834
                • Opcode ID: 8ca7e58323011462861c7635af885d9cc9d96c784b9cec977952902a3195c5ce
                • Instruction ID: 4d90d403e9a7991339e3cc10a92d7e013050ecc4deccbfa0941c51349b976258
                • Opcode Fuzzy Hash: 8ca7e58323011462861c7635af885d9cc9d96c784b9cec977952902a3195c5ce
                • Instruction Fuzzy Hash: 452146B7F0411467D610677FBC82AAE779CCE81338B0007BBFC18E22D2E97A491941E9
                Function 00403421 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 107windowCOMMON
                Download Yara Rule
                APIs
                • _memset.LIBCMT ref: 0040344F
                • _memset.LIBCMT ref: 00403463
                • __wfopen_s.LIBCMT ref: 00403475
                • __fread_nolock.LIBCMT ref: 00403499
                • swprintf.LIBCMT ref: 0040352E
                • MessageBoxA.USER32(00000000,?,0044FD5C,00000000), ref: 00403546
                • MessageBoxA.USER32(00000000,00000000,0044FD60,00000000), ref: 0040356C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Message_memset$__fread_nolock__wfopen_sswprintf
                • String ID: %s.%d.%lu
                • API String ID: 1492208822-1068351462
                • Opcode ID: 2da8ea61b4ddc38afdec512de2803ec92fe6bf9158442e86228e2352742c4120
                • Instruction ID: 0fe12d625463acd9d02087ddb70c8065281c49248c44c17b91ba78f202d1e5f8
                • Opcode Fuzzy Hash: 2da8ea61b4ddc38afdec512de2803ec92fe6bf9158442e86228e2352742c4120
                • Instruction Fuzzy Hash: 8D317BB0E0011C6BDB20EB658C45FDA77BDEF44704F0080BAB549B7181DE789E898B9C
                Function 00408547 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89networkCOMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 00407515: InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 00407532
                  • Part of subcall function 00407515: InternetConnectA.WININET(00000000,00407A8A,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00407551
                • HttpOpenRequestA.WININET(?,00000000,00451054,HTTP/1.0,00000000,00000000,00000000,00000000), ref: 004085BD
                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004085DB
                • HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 004085FE
                • InternetCloseHandle.WININET(00000000), ref: 00408615
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: HttpInternet$OpenRequest$CloseConnectHandleInfoQuerySend
                • String ID: .com$HTTP/1.0$go$ogle
                • API String ID: 786402759-1387550399
                • Opcode ID: a3cd678be74478538355fe395a04e705e51fc8db4c0d2303e68901f70d050fd7
                • Instruction ID: 4bc4afcb0273bb142cea163aeb37feb3f85f03272a5d038afc21448b37c08e47
                • Opcode Fuzzy Hash: a3cd678be74478538355fe395a04e705e51fc8db4c0d2303e68901f70d050fd7
                • Instruction Fuzzy Hash: 8721A3B0A012087EEB049FA5DD85EFF777DEB45309B00057EF801A7291DB799E0586A9
                Function 0040F240 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 88COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: __wfopen_s$_memset$__fsopen
                • String ID: r+b
                • API String ID: 2520679056-2113443889
                • Opcode ID: dea9c80daaa2d6ef8d6f28f9a8f1a9d42dc2874eeeef2229865e418905ecae63
                • Instruction ID: 1c5dbb19c00c673e50ac79ea960d176ce46ba2ed3431294e49854235497d2ee5
                • Opcode Fuzzy Hash: dea9c80daaa2d6ef8d6f28f9a8f1a9d42dc2874eeeef2229865e418905ecae63
                • Instruction Fuzzy Hash: 1221087270171576E610A6629C42FDBB30DAF41798F40013BFE18A21C2EB79B53886ED
                Function 00410D90 Relevance: 13.8, APIs: 9, Instructions: 254COMMON
                Download Yara Rule
                APIs
                • SetLastError.KERNEL32(0000000D,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,004502B8,?,?,00000001), ref: 00410DA4
                • SetLastError.KERNEL32(000000C1,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,004502B8,?,?,00000001), ref: 00410DC4
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ErrorLast
                • String ID:
                • API String ID: 1452528299-0
                • Opcode ID: 0bbc310daa2e811905bcfcbe14da387d531674757ff20ef0956babb094ecb374
                • Instruction ID: 7ba819bb0de8ed3dbc7495b240fc051828a5221d78569c3b18a8a547308258a1
                • Opcode Fuzzy Hash: 0bbc310daa2e811905bcfcbe14da387d531674757ff20ef0956babb094ecb374
                • Instruction Fuzzy Hash: FD81D072600209ABDB10CF69EC81BEA77E5FB49314F040166FD08D7641E7B5E9E1CBA5
                Function 0040B110 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 227COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove
                • String ID: $"$/$\$\u00%c%c
                • API String ID: 4104443479-2123536168
                • Opcode ID: c4c2ebf7e729c97a1280e7de5c9f8646edbe74e5de7776cc7fbe546890533803
                • Instruction ID: 7aeeaac66a610838f52cd22fa7d2958223e42e3ad78a7c9538b00f4fa4b8993e
                • Opcode Fuzzy Hash: c4c2ebf7e729c97a1280e7de5c9f8646edbe74e5de7776cc7fbe546890533803
                • Instruction Fuzzy Hash: B581C070A00605DFDB24CF59C89166AB7E6EF94304B24847FD89AD7792E338ED41CB89
                Function 0040397A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON
                Download Yara Rule
                APIs
                • GetCurrentProcessId.KERNEL32 ref: 00403993
                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004039A2
                • EnumProcessModules.PSAPI(00000000,?,00001000,?), ref: 004039C2
                • GetModuleFileNameExA.PSAPI(00000000,?,?,00000104), ref: 004039EC
                • _wprintf.LIBCMT ref: 00403A02
                • CloseHandle.KERNEL32(00000000), ref: 00403A18
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Process$CloseCurrentEnumFileHandleModuleModulesNameOpen_wprintf
                • String ID: %s
                • API String ID: 3933111794-620797490
                • Opcode ID: 0826addc4f30844dbbe65c7e2d03a8414d8a699091e9aadf0d29a43c6ab373ed
                • Instruction ID: 4d84c5088f9dc928ed4a95cdf964e7b7015192f8478f62702f98a3630d468ca8
                • Opcode Fuzzy Hash: 0826addc4f30844dbbe65c7e2d03a8414d8a699091e9aadf0d29a43c6ab373ed
                • Instruction Fuzzy Hash: B511E775A002186BD721DF54AC45AFF777CEB0A712F0101BAF945E2180DF749EC08EA9
                Function 004236A3 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMON
                Download Yara Rule
                APIs
                • __lock.LIBCMT ref: 00423C3F
                  • Part of subcall function 004284AB: __mtinitlocknum.LIBCMT ref: 004284BD
                  • Part of subcall function 004284AB: __amsg_exit.LIBCMT ref: 004284C9
                  • Part of subcall function 004284AB: EnterCriticalSection.KERNEL32(00000000,?,00423390,0000000D), ref: 004284D6
                • _free.LIBCMT ref: 00423C65
                  • Part of subcall function 00418E0E: HeapFree.KERNEL32(00000000,00000000,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E22
                  • Part of subcall function 00418E0E: GetLastError.KERNEL32(00456E48,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E34
                • __lock.LIBCMT ref: 00423C7E
                • ___removelocaleref.LIBCMT ref: 00423C8D
                • ___freetlocinfo.LIBCMT ref: 00423CA6
                • _free.LIBCMT ref: 00423CB9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: __lock_free$CriticalEnterErrorFreeHeapLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                • String ID: 8lE
                • API String ID: 626533743-449313934
                • Opcode ID: 6cbfd1e6a22540b58b6514fe62a1b2eae40ec9e0c838e2c0f37155ab9e2a421a
                • Instruction ID: 7210db11bd06a7c7623c849e950c4263dfc43d4f0cc3c84137051200a8114be0
                • Opcode Fuzzy Hash: 6cbfd1e6a22540b58b6514fe62a1b2eae40ec9e0c838e2c0f37155ab9e2a421a
                • Instruction Fuzzy Hash: 03018232341721A6DB34AF6BBA4575A72B05F4072AFA0454FB454A61D1CB7C8A81854C
                Function 0040A0E3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 188COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove$_free
                • String ID: *$*
                • API String ID: 2620147621-3771216468
                • Opcode ID: 86a71c2193d78febb65ae53a386f9f26dd0efbeccbaced35ce179232fc00e92d
                • Instruction ID: a7f64d17e15003bd0867a20b2a2e1c2df47945c31f44312bc2a1d5503276dc96
                • Opcode Fuzzy Hash: 86a71c2193d78febb65ae53a386f9f26dd0efbeccbaced35ce179232fc00e92d
                • Instruction Fuzzy Hash: FA715C70604701CFC724CF19C984A26B7E1FF89318F18856EE49A9B792D739E866CF46
                Function 00410750 Relevance: 10.7, APIs: 7, Instructions: 188stringCOMMONLIBRARYCODE
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ErrorLast__wcsnicmp__wcstoi64_free_malloc_mbstowcslstrlenstrtoxl
                • String ID:
                • API String ID: 2860222698-0
                • Opcode ID: ca1af2593cecba4f9216c5525d84fae83ac342bbef3c18a940674b91e990fefb
                • Instruction ID: 2aba39e6db1a2da9152071374e60f49cdeee8a1d1e989a423d90fcb2c07c1a4c
                • Opcode Fuzzy Hash: ca1af2593cecba4f9216c5525d84fae83ac342bbef3c18a940674b91e990fefb
                • Instruction Fuzzy Hash: 2761D576A041199BDF30DF65C8906EAB3B5EF44310F0041ABE849D7345EBB9AEC5CB94
                Function 004051B2 Relevance: 10.6, APIs: 7, Instructions: 134libraryloaderCOMMON
                Download Yara Rule
                APIs
                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,83575E26,?,?), ref: 00405202
                • _memset.LIBCMT ref: 00405231
                • _memset.LIBCMT ref: 0040524B
                • GetEnvironmentVariableA.KERNEL32(00000000,?,00000104,004506D4), ref: 0040527B
                • swprintf.LIBCMT ref: 004052C0
                • LoadLibraryA.KERNEL32(00000000), ref: 004052F9
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00405354
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memset$AddressEnvironmentFileLibraryLoadModuleNameProcVariableswprintf
                • String ID:
                • API String ID: 1438423686-0
                • Opcode ID: 2db0aace810b592ee4fdbdb8853f25bd85c5259fa87e23324ec1f4c3ac9fa16a
                • Instruction ID: 3eb5412ce20bff595ca9179c2bf8a2fdf04c50915b83a9538f17eddf5d75dcd6
                • Opcode Fuzzy Hash: 2db0aace810b592ee4fdbdb8853f25bd85c5259fa87e23324ec1f4c3ac9fa16a
                • Instruction Fuzzy Hash: 475181719187809ED331EBB4CC55BDBB7D8AF95318F00092EA89D972C1DB78650CC69A
                Function 00404B20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97COMMON
                Download Yara Rule
                APIs
                • FindResourceA.KERNEL32(00000000,00000080,WAVE), ref: 00404B6D
                • LoadResource.KERNEL32(00000000,00000000,?,?,00000001), ref: 00404B82
                • LockResource.KERNEL32(00000000,?,?,00000001), ref: 00404B8D
                • SizeofResource.KERNEL32(00000000,00000000,?,?,00000001), ref: 00404B9B
                • _memcpy_s.LIBCMT ref: 00404C0C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Resource$FindLoadLockSizeof_memcpy_s
                • String ID: WAVE
                • API String ID: 1698518168-3968942141
                • Opcode ID: e2b9df3a24823f427d4600f74b2df35816ad6f61b8b0a124705ab6b5cabc5909
                • Instruction ID: 78287dcb886b5962c7a607ae146a24c49767285ff97f9dcec3ee8855f7b024dc
                • Opcode Fuzzy Hash: e2b9df3a24823f427d4600f74b2df35816ad6f61b8b0a124705ab6b5cabc5909
                • Instruction Fuzzy Hash: A83185B5508300AFD720DF61DC46E9B7BE8EB45350F01053EF95993291DF38A805CE5A
                Function 0041F14C Relevance: 10.6, APIs: 7, Instructions: 84COMMON
                Download Yara Rule
                APIs
                • ___unDName.LIBCMT ref: 0041F17B
                • _strlen.LIBCMT ref: 0041F18E
                • __lock.LIBCMT ref: 0041F1AA
                • _malloc.LIBCMT ref: 0041F1BC
                • _malloc.LIBCMT ref: 0041F1CD
                • _free.LIBCMT ref: 0041F216
                  • Part of subcall function 0041FE4A: IsProcessorFeaturePresent.KERNEL32(00000017,0041FE1E,00000000,?,?,?,?,?,0041FE2B,00000000,00000000,00000000,00000000,00000000,004294DA), ref: 0041FE4C
                • _free.LIBCMT ref: 0041F20F
                  • Part of subcall function 00418E0E: HeapFree.KERNEL32(00000000,00000000,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E22
                  • Part of subcall function 00418E0E: GetLastError.KERNEL32(00456E48,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E34
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free_malloc$ErrorFeatureFreeHeapLastNamePresentProcessor___un__lock_strlen
                • String ID:
                • API String ID: 3704956918-0
                • Opcode ID: 1a4ff5b24771007575a282dc26fe9ecf0f24b1dc1c18ed271583928850cc7f38
                • Instruction ID: eec2000f41d393620f9afaf25c30a94200af2c50ffa822b316d4393953dddc8b
                • Opcode Fuzzy Hash: 1a4ff5b24771007575a282dc26fe9ecf0f24b1dc1c18ed271583928850cc7f38
                • Instruction Fuzzy Hash: 4921B775A40702BAD720AB619D427EBB7D4AB04314F54856FF8089B282DB7CD886C698
                Function 0040387D Relevance: 10.6, APIs: 7, Instructions: 76COMMON
                Download Yara Rule
                APIs
                • EnumProcesses.PSAPI(?,00001000,?), ref: 004038A7
                • _memset.LIBCMT ref: 004038EF
                • OpenProcess.KERNEL32(00000410,00000000,?), ref: 004038FF
                • EnumProcessModules.PSAPI(00000000,?,00000004,00000000), ref: 00403923
                • GetModuleBaseNameA.PSAPI(00000000,?,?,00000104), ref: 00403940
                • _wprintf.LIBCMT ref: 00403952
                • CloseHandle.KERNEL32(00000000), ref: 0040395A
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses_memset_wprintf
                • String ID:
                • API String ID: 1721807758-0
                • Opcode ID: 17248fd2f52803c06d7fa901e91e29ca4c0ae92a88837c1eb5b0658fcc5831e9
                • Instruction ID: bf231926418a0f5ddd7c63dbe353848fb2841ae80f1aad35484a363a77567a87
                • Opcode Fuzzy Hash: 17248fd2f52803c06d7fa901e91e29ca4c0ae92a88837c1eb5b0658fcc5831e9
                • Instruction Fuzzy Hash: CE2188B5A042186BEB10DF54DC85FDAB7ACAB19B01F0000B6B705E6181DBF49EC48E65
                Function 00414680 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 00418424: _malloc.LIBCMT ref: 0041843C
                • std::exception::exception.LIBCMT ref: 0041782B
                • __CxxThrowException@8.LIBCMT ref: 00417840
                • __CxxThrowException@8.LIBCMT ref: 00417864
                • std::exception::exception.LIBCMT ref: 0041787D
                • __CxxThrowException@8.LIBCMT ref: 00417892
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Exception@8Throw$std::exception::exception$_malloc
                • String ID: rD
                • API String ID: 3942750879-2290682465
                • Opcode ID: efcbd8ecca72b63c21b7bd6f56ddbe731b85994b918ff55dc7bddf85609876b3
                • Instruction ID: 9b256d530c59532dc1374826a0fae8d79873fa9ee75b6fd488bb17a583cfd95e
                • Opcode Fuzzy Hash: efcbd8ecca72b63c21b7bd6f56ddbe731b85994b918ff55dc7bddf85609876b3
                • Instruction Fuzzy Hash: FB1149B480430CABDB04EF65C8459DEB7B8AF00708F5085ABAC1497251EBBDD749CB99
                Function 004233FA Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON
                Download Yara Rule
                APIs
                • __init_pointers.LIBCMT ref: 004233FA
                  • Part of subcall function 0041EB5A: EncodePointer.KERNEL32(00000000,?,004233FF,0041A7CB,00453560,00000014), ref: 0041EB5D
                  • Part of subcall function 0041EB5A: __initp_misc_winsig.LIBCMT ref: 0041EB78
                  • Part of subcall function 0041EB5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0041F738
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041F74C
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0041F75F
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0041F772
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0041F785
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0041F798
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0041F7AB
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0041F7BE
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0041F7D1
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0041F7E4
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0041F7F7
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0041F80A
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0041F81D
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0041F830
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0041F843
                  • Part of subcall function 0041EB5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0041F856
                • __mtinitlocks.LIBCMT ref: 004233FF
                • __mtterm.LIBCMT ref: 00423408
                  • Part of subcall function 00423470: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00428516
                  • Part of subcall function 00423470: _free.LIBCMT ref: 0042851D
                  • Part of subcall function 00423470: DeleteCriticalSection.KERNEL32(00456E48,?,?,0042340D,0041A7CB,00453560,00000014), ref: 0042853F
                • __calloc_crt.LIBCMT ref: 0042342D
                • __initptd.LIBCMT ref: 0042344F
                • GetCurrentThreadId.KERNEL32 ref: 00423456
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                • String ID:
                • API String ID: 3567560977-0
                • Opcode ID: e63c669f654e2e2ee3de6d4a42795a9c6954f13e19d2e9369f77404a2e993d9b
                • Instruction ID: 96ed43ecf4ff47155b1ca5072a0f44afa1ee801caa04b2815060687d80a182cd
                • Opcode Fuzzy Hash: e63c669f654e2e2ee3de6d4a42795a9c6954f13e19d2e9369f77404a2e993d9b
                • Instruction Fuzzy Hash: 5EF0F63230973129E625BF7A7C0365B2AA49F0273ABA1467FF8A0D51D3EF1CDA41495C
                Function 00403AB0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44threadCOMMON
                Download Yara Rule
                APIs
                • GetWindowThreadProcessId.USER32(?,?), ref: 00403ACF
                • GetCurrentProcessId.KERNEL32 ref: 00403AD5
                • GetWindowTextA.USER32(?,?,00000400), ref: 00403AF2
                • GetClassNameA.USER32(?,?,00000400), ref: 00403B01
                • _wprintf.LIBCMT ref: 00403B1A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ProcessWindow$ClassCurrentNameTextThread_wprintf
                • String ID: %s%s
                • API String ID: 2672858618-3252725368
                • Opcode ID: 230f926435c902082b22d48abce25ec9be34ee6edb413c67d2511aede28b3bc8
                • Instruction ID: af32e8acc265f894c5bb931144fc96109ce361192d5efaa8392f3d651c04a583
                • Opcode Fuzzy Hash: 230f926435c902082b22d48abce25ec9be34ee6edb413c67d2511aede28b3bc8
                • Instruction Fuzzy Hash: 670171B6900018ABDB50EB54DD05DEEB7BCFB46204F0141B6FA49E2110DA345B898BA9
                Function 00413E10 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 404COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: __mbsinc
                • String ID: =:
                • API String ID: 2053641954-1810370302
                • Opcode ID: 07ffc5f85367fd23ab6b0289e18427e3f7d89f5745a761ce0abed25ba4dfe330
                • Instruction ID: 544c64930adb85b9deae53a1539e78f3abb0d6e80f07270ec1c0f509d3589aab
                • Opcode Fuzzy Hash: 07ffc5f85367fd23ab6b0289e18427e3f7d89f5745a761ce0abed25ba4dfe330
                • Instruction Fuzzy Hash: 3FE1C170A002059FDB14CF69C884BAEFBB5FF45314F0485AEE8159B392D778AE45CBA4
                Function 00403588 Relevance: 9.1, APIs: 6, Instructions: 93registryCOMMON
                Download Yara Rule
                APIs
                • _memset.LIBCMT ref: 004035B2
                • RegQueryInfoKeyA.ADVAPI32(80000001,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00403617
                • __snprintf_s.LIBCMT ref: 00403643
                  • Part of subcall function 004184C9: __vsnprintf_s_l.LIBCMT ref: 004184DE
                • _wprintf.LIBCMT ref: 00403654
                • RegEnumKeyExA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0040368A
                • _wprintf.LIBCMT ref: 004036A0
                  • Part of subcall function 00418B3D: __stbuf.LIBCMT ref: 00418B8D
                  • Part of subcall function 00418B3D: __output_l.LIBCMT ref: 00418BA6
                  • Part of subcall function 00418B3D: __ftbuf.LIBCMT ref: 00418BBA
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _wprintf$EnumInfoQuery__ftbuf__output_l__snprintf_s__stbuf__vsnprintf_s_l_memset
                • String ID:
                • API String ID: 1340146199-0
                • Opcode ID: ddd1b8e970edb3362a01b606bd8608deb7f50c5d8943c1ae09f52d0f324d6b84
                • Instruction ID: c614b009fb1ddd00310fecfa632e89eaf4d6a28a144c002cf3cda5fba4cb7543
                • Opcode Fuzzy Hash: ddd1b8e970edb3362a01b606bd8608deb7f50c5d8943c1ae09f52d0f324d6b84
                • Instruction Fuzzy Hash: 9631EFB684011CAADB21DF54DC81EEBB7BDAB45314F0402EBE509A2141DA766FD88F64
                Function 00408ED1 Relevance: 9.1, APIs: 6, Instructions: 66sleepCOMMON
                Download Yara Rule
                APIs
                • IsWindow.USER32(00000000), ref: 00408EFA
                • _memset.LIBCMT ref: 00408F19
                • GetDlgItem.USER32(00000415), ref: 00408F2C
                • GetWindowTextA.USER32(00000000,00000000,00000104), ref: 00408F3F
                • IsWindow.USER32(00000001), ref: 00408F7D
                • Sleep.KERNEL32(0000000A), ref: 00408F89
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Window$ItemSleepText_memset
                • String ID:
                • API String ID: 3518219805-0
                • Opcode ID: 8dee36d2ecbb81c0982a64b9aa60f16a5c98c76eed9b5f60fae0c37d1d214806
                • Instruction ID: 22e25886f113ab8265d49c3f2c633e3956586730756771396d4592644082d9bb
                • Opcode Fuzzy Hash: 8dee36d2ecbb81c0982a64b9aa60f16a5c98c76eed9b5f60fae0c37d1d214806
                • Instruction Fuzzy Hash: 48213634504309AADF10AF30DD09BEA7B25BB22705F0041BEE8C5B61E2DEB59986CB59
                Function 004092D0 Relevance: 9.0, APIs: 6, Instructions: 49COMMON
                Download Yara Rule
                APIs
                • _calloc.LIBCMT ref: 004092D5
                  • Part of subcall function 0041D9D8: __calloc_impl.LIBCMT ref: 0041D9EB
                • _calloc.LIBCMT ref: 004092E7
                • _free.LIBCMT ref: 004092F7
                  • Part of subcall function 00418E0E: HeapFree.KERNEL32(00000000,00000000,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E22
                  • Part of subcall function 00418E0E: GetLastError.KERNEL32(00456E48,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E34
                • _calloc.LIBCMT ref: 00409308
                • _malloc.LIBCMT ref: 00409326
                • _free.LIBCMT ref: 00409335
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _calloc$_free$ErrorFreeHeapLast__calloc_impl_malloc
                • String ID:
                • API String ID: 3606796740-0
                • Opcode ID: 7f3d34089bf41e169e298b4f6c72813cd218ae46a37c630c23b3a386e9c53f7b
                • Instruction ID: 0541555b02956802ecd40c5e711c816d31d36366b67d48665ba28ccc5c338f82
                • Opcode Fuzzy Hash: 7f3d34089bf41e169e298b4f6c72813cd218ae46a37c630c23b3a386e9c53f7b
                • Instruction Fuzzy Hash: 3001D6F1E4071222E3202766AC0679B75845F90B14F04413FF809AA3C3FABDD89482DA
                Function 0040EF30 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove
                • String ID: invalid string position$string too long
                • API String ID: 4104443479-4289949731
                • Opcode ID: 52c1127035bb29ca9a313d167274db0395cada297291682d75d22a8461101cf4
                • Instruction ID: 8eaf4170a6901bd0aa03119894c064f7ecbad4f072b37d59dcf578233efff192
                • Opcode Fuzzy Hash: 52c1127035bb29ca9a313d167274db0395cada297291682d75d22a8461101cf4
                • Instruction Fuzzy Hash: 4771C33170010AABCB24DE59D9808AE77AAFBC4304720493FF905EB781D735E959CB99
                Function 00409871 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 204COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _calloc
                • String ID: false$true
                • API String ID: 1679841372-2658103896
                • Opcode ID: 9dae2cfcd70ef318b2081afd2d97af008dadcf85f060477c0817233c656ebc89
                • Instruction ID: 7aa2a304ab21b7e4725bcd892847f8e51f6ae8ccab6106e7fb749ab666c969da
                • Opcode Fuzzy Hash: 9dae2cfcd70ef318b2081afd2d97af008dadcf85f060477c0817233c656ebc89
                • Instruction Fuzzy Hash: 639137B4600702CFC724DF09C494A22B7E0FF49318F15866EE88A9B792D779E995CF45
                Function 0040A3AC Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 187COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free
                • String ID: f$n$r$t
                • API String ID: 269201875-294713465
                • Opcode ID: 4b4775961e95e2e38a9a9a72fbc5def6a272f26f3811401155d88222ee9f23f0
                • Instruction ID: c9ebe0a3ebb331ad8088ea4b7f255221ba0a4a4f1c642a95b1adaef953d33235
                • Opcode Fuzzy Hash: 4b4775961e95e2e38a9a9a72fbc5def6a272f26f3811401155d88222ee9f23f0
                • Instruction Fuzzy Hash: 64714074604701CFD720CF18C584B22B7E1FB45318F28856ED98A9B792C77AEC66DB46
                Function 0040CAF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 148COMMON
                Download Yara Rule
                APIs
                • _swscanf.LIBCMT ref: 0040CB62
                  • Part of subcall function 0040CA50: _swscanf.LIBCMT ref: 0040CA66
                  • Part of subcall function 0040CA50: _swscanf.LIBCMT ref: 0040CA9B
                  • Part of subcall function 0041E222: __getptd_noexit.LIBCMT ref: 0041E222
                • __snprintf.LIBCMT ref: 0040CBE9
                • _strncmp.LIBCMT ref: 0040CC19
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _swscanf$__getptd_noexit__snprintf_strncmp
                • String ID: %I64d$-
                • API String ID: 3936233580-2189389342
                • Opcode ID: dcc07702bfa7aa1d5e7c3686b4ddcbd236e8e3e80a4129de40648af726247442
                • Instruction ID: 643e51499262d1d43d8b7133120760cd7f95ffa6f435c964c4e416413cbb288f
                • Opcode Fuzzy Hash: dcc07702bfa7aa1d5e7c3686b4ddcbd236e8e3e80a4129de40648af726247442
                • Instruction Fuzzy Hash: 595108B0904204DAEB34DF75D8C57AEBBB5EB41304F24027FD849A33D2EA399985CB59
                Function 004025E6 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove
                • String ID: invalid string position$string too long
                • API String ID: 4104443479-4289949731
                • Opcode ID: 40908766126fcc5832d2c593e2f27fd69855dff81e7bc9530f6de18f19e95223
                • Instruction ID: 2761ba33dc9dc43358c208da52baae1d48339f97e688c9eaab617627c07c98c8
                • Opcode Fuzzy Hash: 40908766126fcc5832d2c593e2f27fd69855dff81e7bc9530f6de18f19e95223
                • Instruction Fuzzy Hash: 1C41F331300204DBCF25CE68DB88A6A77A5EF41344B14093EF842A72C1C7BAE845CBA9
                Function 0041A252 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                • String ID: r\n
                • API String ID: 2782032738-338705195
                • Opcode ID: 6d89d4333e256d8d9e64d47cffa29f3cc5f407d4c93c963c883933670123dc36
                • Instruction ID: b36ab1ae02fd65e4de7275379bd041d7dba140b0c1192b77eb4e33eee16552bd
                • Opcode Fuzzy Hash: 6d89d4333e256d8d9e64d47cffa29f3cc5f407d4c93c963c883933670123dc36
                • Instruction Fuzzy Hash: 6041E53070270A9BDF18CEA9D8806EF77A6AF40360B24856FEC15C7750D6799DE1874A
                Function 004068A9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123COMMON
                Download Yara Rule
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 004068B0
                • WTSEnumerateProcessesA.WTSAPI32(00000000,00000000,00000001,?,?,0000004C,0040569A,000008C1), ref: 004068C6
                • _memcpy_s.LIBCMT ref: 004069AD
                • WTSFreeMemory.WTSAPI32(?), ref: 004069DD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: EnumerateFreeH_prolog3_MemoryProcesses_memcpy_s
                • String ID: ????
                • API String ID: 3564864459-1216582215
                • Opcode ID: a88a847d212989737400f9129f83ee8de46bd91dd2d77ce238a2a23c52049202
                • Instruction ID: 5f08f6111a3b140d2139d7f204a1c2fc9524a0d859311502720a120ee95c2ab3
                • Opcode Fuzzy Hash: a88a847d212989737400f9129f83ee8de46bd91dd2d77ce238a2a23c52049202
                • Instruction Fuzzy Hash: 1B411771900208ABDF05DFA4D851BEDB776EF45304F10412EF5427B681DB7A2A07CB58
                Function 00402322 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON
                Download Yara Rule
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 0040232C
                • _memset.LIBCMT ref: 0040236E
                • _memmove.LIBCMT ref: 00402383
                • swprintf.LIBCMT ref: 004023D2
                  • Part of subcall function 0040138C: _memmove.LIBCMT ref: 004013D0
                  • Part of subcall function 0040138C: _memmove.LIBCMT ref: 00401409
                  • Part of subcall function 00401F90: __EH_prolog3_GS.LIBCMT ref: 00401F97
                  • Part of subcall function 0040211D: __EH_prolog3_GS.LIBCMT ref: 00402124
                  • Part of subcall function 004031A7: _memmove.LIBCMT ref: 004031C7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove$H_prolog3_$_memsetswprintf
                • String ID:
                • API String ID: 3963047462-399585960
                • Opcode ID: 480906e902051a40515e45e4386047ed662b3be5e22f1451237ffdf8f46cd7f1
                • Instruction ID: 8ac36e4b5a6c86ac6b7c39cc6864a3f3a6d09dd56169992f9bb296dc972a02cc
                • Opcode Fuzzy Hash: 480906e902051a40515e45e4386047ed662b3be5e22f1451237ffdf8f46cd7f1
                • Instruction Fuzzy Hash: A1415571A00318AFDF10EFA5CC52BDE77B9AF05314F0040AEF508BB282DB795A998B55
                Function 0040CE70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _calloc$__calloc_impl
                • String ID: lh_table_new: calloc failed
                • API String ID: 770366589-2821893458
                • Opcode ID: 505a792d53ba133a7a86631be071b7353dfc519ea7d7213e49e4e9596f53e491
                • Instruction ID: 1a68e44c2d4e2f1b9aee822782d615ed4c46985d21a0a78d5c4c6ee690bd41f6
                • Opcode Fuzzy Hash: 505a792d53ba133a7a86631be071b7353dfc519ea7d7213e49e4e9596f53e491
                • Instruction Fuzzy Hash: 4421D5B0540B058BD3305F568881747BAD0EF04B65F104B3FE98A6BBD2D7B9E4458B99
                Function 0041E136 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMON
                Download Yara Rule
                APIs
                • __getptd_noexit.LIBCMT ref: 0041E13A
                  • Part of subcall function 004232D8: GetLastError.KERNEL32(00456E48,00456E48,0041E227,00418E32,00456E48,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 004232DA
                  • Part of subcall function 004232D8: __calloc_crt.LIBCMT ref: 004232FB
                  • Part of subcall function 004232D8: __initptd.LIBCMT ref: 0042331D
                  • Part of subcall function 004232D8: GetCurrentThreadId.KERNEL32 ref: 00423324
                  • Part of subcall function 004232D8: SetLastError.KERNEL32(00000000,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 0042333C
                • __calloc_crt.LIBCMT ref: 0041E15D
                • __get_sys_err_msg.LIBCMT ref: 0041E17B
                • __get_sys_err_msg.LIBCMT ref: 0041E1CA
                Strings
                • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 0041E145, 0041E16B
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ErrorLast__calloc_crt__get_sys_err_msg$CurrentThread__getptd_noexit__initptd
                • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                • API String ID: 3123740607-798102604
                • Opcode ID: 2498142d86c7f1ab6d19cac831c8ea64e420b7288e0d62b670b3625f845496a0
                • Instruction ID: 95303ffbfec43d88da5d5ce392ac2836db84c5089c4c83595eca0c2d54108696
                • Opcode Fuzzy Hash: 2498142d86c7f1ab6d19cac831c8ea64e420b7288e0d62b670b3625f845496a0
                • Instruction Fuzzy Hash: BA11C8766002147BEB223A279C01AFF729CDF00B64F40046BFD0496252DB7E9D9142ED
                Function 0040CA50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49COMMON
                Download Yara Rule
                APIs
                • _swscanf.LIBCMT ref: 0040CA66
                  • Part of subcall function 0041DBF9: _vscan_fn.LIBCMT ref: 0041DC0D
                  • Part of subcall function 0041E222: __getptd_noexit.LIBCMT ref: 0041E222
                • _swscanf.LIBCMT ref: 0040CA9B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _swscanf$__getptd_noexit_vscan_fn
                • String ID: -01234567890123456789012345$ 01234567890123456789012345$%I64d
                • API String ID: 4281729179-2266697255
                • Opcode ID: e950dcc3485bf2d4284f51d1579a9fef49e8162ef7e7b6cd081f625f844007a5
                • Instruction ID: 88413d07e13f524330bfc629238e041da62a2b44ce921166c6ed2f1a8a6843c5
                • Opcode Fuzzy Hash: e950dcc3485bf2d4284f51d1579a9fef49e8162ef7e7b6cd081f625f844007a5
                • Instruction Fuzzy Hash: F001B572F4120CE7CF20D7A598C17EE3768D791725F240377DC02722D1E5B95A858A9A
                Function 00418424 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                • _malloc.LIBCMT ref: 0041843C
                  • Part of subcall function 0041C496: __FF_MSGBANNER.LIBCMT ref: 0041C4AD
                  • Part of subcall function 0041C496: __NMSG_WRITE.LIBCMT ref: 0041C4B4
                  • Part of subcall function 0041C496: RtlAllocateHeap.NTDLL(00B40000,00000000,00000001,00000000,00000000,00000000,?,00422362,00000000,00000000,00000000,00000000,?,00428595,00000018,00453958), ref: 0041C4D9
                • std::exception::exception.LIBCMT ref: 0041845A
                • __CxxThrowException@8.LIBCMT ref: 0041846F
                  • Part of subcall function 0041A90E: RaiseException.KERNEL32(?,?,?,L2E,?,?,?,?,?,00418474,?,0045324C,?,00000001), ref: 0041A963
                • __vwprintf_p.LIBCMT ref: 0041847F
                  • Part of subcall function 00419AE3: __vscwprintf_helper.LIBCMT ref: 00419AF3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: AllocateExceptionException@8HeapRaiseThrow__vscwprintf_helper__vwprintf_p_mallocstd::exception::exception
                • String ID: L2E
                • API String ID: 3118168687-1829194968
                • Opcode ID: afed9d5a8c8c412ab16b9d6252162ea722cb104b255ff15ce1014ecb6ebd1c50
                • Instruction ID: 59af3ad250f96d534c2d17c0ddf81e82a8ab30f9426af2ed691ff15b00e6648b
                • Opcode Fuzzy Hash: afed9d5a8c8c412ab16b9d6252162ea722cb104b255ff15ce1014ecb6ebd1c50
                • Instruction Fuzzy Hash: DAF0627540820EAA9B00AE55EC029EE77ACAB00358F10455BFC0855181EF799A9595D9
                Function 00418751 Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                • String ID:
                • API String ID: 1559183368-0
                • Opcode ID: d33cb7387eff5d3027b4dbf09245fc5c3f1014c76b9b4a7132bc3f42691b7673
                • Instruction ID: 589fec1b646224054dc914a9cb009ae878946c88ee358ac2e8253caed6a77527
                • Opcode Fuzzy Hash: d33cb7387eff5d3027b4dbf09245fc5c3f1014c76b9b4a7132bc3f42691b7673
                • Instruction Fuzzy Hash: 8A51D130A003099BDB249F698C806EFB7A5AF51320F64872FF835962D1DF789DD18B49
                Function 00404484 Relevance: 7.6, APIs: 5, Instructions: 94libraryloaderCOMMON
                Download Yara Rule
                APIs
                • GetWindowRect.USER32(00000000,?), ref: 004044D3
                • GetSystemMetrics.USER32(00000000), ref: 004044E1
                • GetSystemMetrics.USER32(00000001), ref: 004044F0
                • LoadLibraryA.KERNEL32(00000000), ref: 0040452B
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00404558
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: MetricsSystem$AddressLibraryLoadProcRectWindow
                • String ID:
                • API String ID: 3960742296-0
                • Opcode ID: b4287f7ef8682682a4eefd7ddf227a8d34143032c5eb2d249c9afcf4a93b3c03
                • Instruction ID: c56ac54a9131504712e7ee8d38b59cafb4acef79f290fdc0281b772f4fcdad43
                • Opcode Fuzzy Hash: b4287f7ef8682682a4eefd7ddf227a8d34143032c5eb2d249c9afcf4a93b3c03
                • Instruction Fuzzy Hash: 0A319E715087409FD324DB75DC46B6BB7E8EB84715F000A2EB549A22E1DB34A808CA5A
                Function 00410A90 Relevance: 7.6, APIs: 5, Instructions: 92threadCOMMONLIBRARYCODE
                Download Yara Rule
                APIs
                • SetLastError.KERNEL32(00000714), ref: 00410AAE
                • GetThreadLocale.KERNEL32 ref: 00410AC1
                • SetLastError.KERNEL32(00000715), ref: 00410AEC
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ErrorLast$LocaleThread
                • String ID:
                • API String ID: 2451566642-0
                • Opcode ID: 878a83b8988a99fe53d701f51bf596709242ab89a67ab148b9d2f04c7dd2f86a
                • Instruction ID: 7c365a421d895ee660a70ea3bbb24c21021ca2ae96f83cf9d8c135ec8737228c
                • Opcode Fuzzy Hash: 878a83b8988a99fe53d701f51bf596709242ab89a67ab148b9d2f04c7dd2f86a
                • Instruction Fuzzy Hash: D821A2776002089FDB00DFA5EC45BE677E8FB54369F098022F92DC6291D674E4908B94
                Function 0040C640 Relevance: 7.6, APIs: 5, Instructions: 91COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free$__vsnprintf_l__vwprintf_p_malloc_memmovevswprintf
                • String ID:
                • API String ID: 2493236908-0
                • Opcode ID: 8cd9a09d97d701a6a70c9e6f70723bd5f6395d59e0cf3c944ce16a2b6f886514
                • Instruction ID: 34567ef76c717d155a0cfa301d268560996726dfca008ef628992c22dc2b5c4b
                • Opcode Fuzzy Hash: 8cd9a09d97d701a6a70c9e6f70723bd5f6395d59e0cf3c944ce16a2b6f886514
                • Instruction Fuzzy Hash: 62210772A0011997CB10EB659C91AFE7368EF80224F04467FFC1DE7282ED399E5947D5
                Function 0041C528 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                • _malloc.LIBCMT ref: 0041C534
                  • Part of subcall function 0041C496: __FF_MSGBANNER.LIBCMT ref: 0041C4AD
                  • Part of subcall function 0041C496: __NMSG_WRITE.LIBCMT ref: 0041C4B4
                  • Part of subcall function 0041C496: RtlAllocateHeap.NTDLL(00B40000,00000000,00000001,00000000,00000000,00000000,?,00422362,00000000,00000000,00000000,00000000,?,00428595,00000018,00453958), ref: 0041C4D9
                • _free.LIBCMT ref: 0041C547
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: AllocateHeap_free_malloc
                • String ID:
                • API String ID: 1020059152-0
                • Opcode ID: 86709a4531617062c58572dad7e1206c33964caea40f7013e8a866a4849a4d08
                • Instruction ID: 92937d088e8cab4275729747b622ead928e79975c9a25ebf085360494a9d10b0
                • Opcode Fuzzy Hash: 86709a4531617062c58572dad7e1206c33964caea40f7013e8a866a4849a4d08
                • Instruction Fuzzy Hash: 4E112E32444225BACB302B767C847DA379A6F05364B10487BFD4586251DA3CD8C1869D
                Function 0040F360 Relevance: 7.6, APIs: 5, Instructions: 53COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memset$__fread_nolock_fseek_memcpy_s
                • String ID:
                • API String ID: 274836412-0
                • Opcode ID: b1e7ef7aeb051feba50f91c8ee82ff32346841e55047437483f34d9e60bde48d
                • Instruction ID: fd9ac1f64760b438368bf17aa1df7d0ee6996ed3547783dc9790794cad4238ae
                • Opcode Fuzzy Hash: b1e7ef7aeb051feba50f91c8ee82ff32346841e55047437483f34d9e60bde48d
                • Instruction Fuzzy Hash: BA01B57274030576E610AA659C02FEBF359EB84B14F00402EFB14EA1C1DBB5B57447E9
                Function 0040C300 Relevance: 7.5, APIs: 5, Instructions: 42COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 0b07fc205a96c97f5db7b7567f8eda4f4b4c11affacf702d8f4c72739c91ae32
                • Instruction ID: 17095f803696a341f13dabca3cd9be3e64619d0a900041c179523d21e6ed9ce5
                • Opcode Fuzzy Hash: 0b07fc205a96c97f5db7b7567f8eda4f4b4c11affacf702d8f4c72739c91ae32
                • Instruction Fuzzy Hash: 34F0C2B2A01212ABDB10AF16DC8288BB358BF44754345453EFC09E3602DB39FD6186E5
                Function 00403363 Relevance: 7.5, APIs: 5, Instructions: 40threadsleepCOMMON
                Download Yara Rule
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 00403365
                • CreateThread.KERNEL32(00000000,00000000,00403308,00000000,00000000,00458668), ref: 00403393
                • Sleep.KERNEL32(0000000A,?,?,?,?,00000000,00000000), ref: 004033B9
                • CreateThread.KERNEL32(00000000,00000000,004032DB,00000000,00458668), ref: 004033D6
                • CloseHandle.KERNEL32(?,?,?,?,00000000,00000000), ref: 004033E2
                  • Part of subcall function 00403214: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00403229
                  • Part of subcall function 00403214: ShowWindow.USER32(00000000,00000005), ref: 0040324A
                  • Part of subcall function 00403214: DispatchMessageA.USER32(?), ref: 00403254
                  • Part of subcall function 00403214: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00403263
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: MessageThread$CreatePeek$CloseCurrentDispatchHandleShowSleepWindow
                • String ID:
                • API String ID: 3854727848-0
                • Opcode ID: 370220c6152055b1a0b341fbd33db0bfe72c23a9ba51a7faf50de33a4be09e3c
                • Instruction ID: a4150c3d8f750212cbdb6c3f41f177110295945162cb2ad9333a0c6511979680
                • Opcode Fuzzy Hash: 370220c6152055b1a0b341fbd33db0bfe72c23a9ba51a7faf50de33a4be09e3c
                • Instruction Fuzzy Hash: 1201E4B0541780AED7215F26AC89C277FBCE7E6B03751043FE801B11A2CF388850CB2A
                Function 0040B900 Relevance: 7.5, APIs: 5, Instructions: 40COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: b36d7f0238af2b286261093e0d4915628ef3d54166aa12b6294bd821db7f7cfd
                • Instruction ID: fcaed8252ebea7df472eb44235837367f153800d2b8bbe796ecfb81beaa545a1
                • Opcode Fuzzy Hash: b36d7f0238af2b286261093e0d4915628ef3d54166aa12b6294bd821db7f7cfd
                • Instruction Fuzzy Hash: B5F096B2E0162567CA216F12DC4199BB358FE44724709043EED08B7B05DB29FD6086ED
                Function 0040A4FA Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 472COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ___from_strstr_to_strchr_free
                • String ID: 0123456789abcdefABCDEF$9
                • API String ID: 1473423270-1292485051
                • Opcode ID: e363794aaf8a85f22413c0c3e339520de562aa617072812c210265aea8a72490
                • Instruction ID: fa1bef5db4d0ac9ff8b6ea4d7dbf9be2460144579dcbb5546b8cdc1b0d76681c
                • Opcode Fuzzy Hash: e363794aaf8a85f22413c0c3e339520de562aa617072812c210265aea8a72490
                • Instruction Fuzzy Hash: 60125D742047418FC324CF18C590A62BBF1FF59318F188A6ED89A9B792D335E896DB46
                Function 0040B680 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201COMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 0040C640: vswprintf.LIBCMT ref: 0040C66B
                • _memset.LIBCMT ref: 0040B785
                  • Part of subcall function 0040C640: __vwprintf_p.LIBCMT ref: 0040C6AB
                  • Part of subcall function 0040C640: _malloc.LIBCMT ref: 0040C6B2
                  • Part of subcall function 0040C640: _free.LIBCMT ref: 0040C6D5
                  • Part of subcall function 0040C640: _free.LIBCMT ref: 0040C6F2
                • _memset.LIBCMT ref: 0040B874
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free_memset$__vwprintf_p_mallocvswprintf
                • String ID: ": $null
                • API String ID: 175645185-3842043903
                • Opcode ID: 666a5b72b358287ddfa9a888f8b74054499ec825693f10f0511f1483739c46e7
                • Instruction ID: 7665bd380e4eff2c24d35c5e071cda2e5738b7c7b71052aff9fba87553d70e34
                • Opcode Fuzzy Hash: 666a5b72b358287ddfa9a888f8b74054499ec825693f10f0511f1483739c46e7
                • Instruction Fuzzy Hash: 62619175900205ABCB10DF18DC81BAE77A4EF44309F14843BE805A7392E779AA55CBEE
                Function 0040A282 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 195COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove$_free
                • String ID: \
                • API String ID: 2620147621-2967466578
                • Opcode ID: db0dc40294e92fa84571a2e15b9e0d4452e121ee38c74865c3ac8ef89c58d8b7
                • Instruction ID: de1bfbf05ffebe291469904c73c9bd0c4631e0c27e8080213e5c730c98ef8e1c
                • Opcode Fuzzy Hash: db0dc40294e92fa84571a2e15b9e0d4452e121ee38c74865c3ac8ef89c58d8b7
                • Instruction Fuzzy Hash: 4B8107742007018FC724CF18C594E26B7E1BF49318F148A6DE88A9BB92D739F956CF46
                Function 0040A9B2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 183COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove$_free
                • String ID: \
                • API String ID: 2620147621-2967466578
                • Opcode ID: 44c98235f40499fef0dc97d69f9333c76c14a4fac2c81d7f8938526300b73e12
                • Instruction ID: 45f4e9cb77cdb91684d32c9faa646c32c1f93271f630c40852f14669f26b071b
                • Opcode Fuzzy Hash: 44c98235f40499fef0dc97d69f9333c76c14a4fac2c81d7f8938526300b73e12
                • Instruction Fuzzy Hash: 678118742007018FC724CF18C594A26B7E1BF49314F198A6EE48A9B792D735F966CF46
                Function 0040A966 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 96COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free
                • String ID: "$'$}
                • API String ID: 269201875-2955743058
                • Opcode ID: 9de067a052d1e44e15972b4b256050fadb1b91be9b60eab72c2688735d37ba48
                • Instruction ID: dc26c661b29fdd7716a5b86df335155fe19625fc54c6be9375aaf5dfb808f9f7
                • Opcode Fuzzy Hash: 9de067a052d1e44e15972b4b256050fadb1b91be9b60eab72c2688735d37ba48
                • Instruction Fuzzy Hash: 2A41F8742007028FD734CF09C494A66B7E0FF49368F04896ED88A5BB92D739E966CB46
                Function 00423636 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _wcsnlen
                • String ID: U
                • API String ID: 3628947076-3372436214
                • Opcode ID: a5dffafca63cfddbf0f4c652de0311d695fb32899b04eb3e774a1feef373f04c
                • Instruction ID: 42abd49870d4817f2ff006ddbcc3959db84dddb85093249c0afc758edb2338c5
                • Opcode Fuzzy Hash: a5dffafca63cfddbf0f4c652de0311d695fb32899b04eb3e774a1feef373f04c
                • Instruction Fuzzy Hash: 792126727042187AEB10AF65BC01BBB73BCDB45752F90016BF908C7290EAADDF408699
                Function 00413CF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84COMMON
                Download Yara Rule
                APIs
                • FindResourceW.KERNEL32(00000000,8DCA8B1B,00000006,00000010,?,00000000,?,00413501,00000000,00000010,004143FC), ref: 00413D0B
                  • Part of subcall function 00414610: LoadResource.KERNEL32(004143FC,?,?,00413A64,00000000,00000000,004143FC,?,004134F1,00000010,00000000,?,004143FC), ref: 00414619
                • WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,00000000,00000000,00000000,00000000,00413501,00000000,00000010,004143FC), ref: 00413D3E
                • WideCharToMultiByte.KERNEL32(00000003,00000000,00000002,?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00413501,00000000,00000010), ref: 00413D78
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ByteCharMultiResourceWide$FindLoad
                • String ID: =:
                • API String ID: 861045882-1810370302
                • Opcode ID: 7c763fe3d7627e0dd2609f55e29e39846c033d3dc0fe8a75bb454b1767f64260
                • Instruction ID: 1863098e007211134f06478ca76768fcc02f20be5a42d0e9fd4338734dd44e4e
                • Opcode Fuzzy Hash: 7c763fe3d7627e0dd2609f55e29e39846c033d3dc0fe8a75bb454b1767f64260
                • Instruction Fuzzy Hash: 5021C076340224ABE7209B559C89FBAB79CEB45B15F10002AFA05DF2C1DAA5B94087A9
                Function 00404C6A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON
                Download Yara Rule
                APIs
                • __EH_prolog3_GS.LIBCMT ref: 00404C71
                • __time64.LIBCMT ref: 00404C86
                  • Part of subcall function 0041922A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00406F95,00000000,?,000000FF,00000000,?,?,00407011,?,000002DC,0040767B,00B64FC8), ref: 00419233
                • _rand.LIBCMT ref: 00404CBF
                  • Part of subcall function 0040654F: _memmove.LIBCMT ref: 004065B7
                  • Part of subcall function 004031A7: _memmove.LIBCMT ref: 004031C7
                Strings
                • 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00404C93
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Time_memmove$FileH_prolog3_System__time64_rand
                • String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                • API String ID: 4233836734-3592501980
                • Opcode ID: 8d7d29446d23b0bc9b98c1cd9c40dd73bc68d2f14478f4ba5066f1a3da78460d
                • Instruction ID: e304622d965a762dd107dfbd097c2054f450cc6850e0f4e0e0ec01797ca730f6
                • Opcode Fuzzy Hash: 8d7d29446d23b0bc9b98c1cd9c40dd73bc68d2f14478f4ba5066f1a3da78460d
                • Instruction Fuzzy Hash: 4E119071A00205AAEB14EFA5C802BEDBAB8AF44315F14057FE100B72C1DBB85A818798
                Function 0043AF83 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _wcscmp
                • String ID: ACP$OCP
                • API String ID: 856254489-711371036
                • Opcode ID: 16dc2f978c639924efae6548fab109ed7c7be2592b7c52f9d02039ce45512424
                • Instruction ID: bfb04eb22cc6d2306069e188103c301a66b31c1984a86c9e9b36ac6e50782eea
                • Opcode Fuzzy Hash: 16dc2f978c639924efae6548fab109ed7c7be2592b7c52f9d02039ce45512424
                • Instruction Fuzzy Hash: C4016D712442057AE715AA59DC82FEB339CDF0C368F045417FA44D6282F73CD95086CE
                Function 0040B570 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _calloc_free_malloc
                • String ID: null
                • API String ID: 2273345086-634125391
                • Opcode ID: a2a62a3aafb61c9e851c06488092cdca0d35c950987c8c0bc596bc6226dbcce1
                • Instruction ID: 65617b6eeaf46e973cf41f621f0d9ea68388a407999cc8635d1c63f985ef6598
                • Opcode Fuzzy Hash: a2a62a3aafb61c9e851c06488092cdca0d35c950987c8c0bc596bc6226dbcce1
                • Instruction Fuzzy Hash: 3511E1B2700B126BE7218B69DC40B57B7E4FF40718F0405AAE804AB381D7BAE99086D9
                Function 004235D8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON
                Download Yara Rule
                APIs
                • __lock.LIBCMT ref: 004235F3
                  • Part of subcall function 004284AB: __mtinitlocknum.LIBCMT ref: 004284BD
                  • Part of subcall function 004284AB: __amsg_exit.LIBCMT ref: 004284C9
                  • Part of subcall function 004284AB: EnterCriticalSection.KERNEL32(00000000,?,00423390,0000000D), ref: 004284D6
                • __updatetlocinfoEx_nolock.LIBCMT ref: 00423603
                  • Part of subcall function 00422771: ___addlocaleref.LIBCMT ref: 0042278D
                  • Part of subcall function 00422771: ___removelocaleref.LIBCMT ref: 00422798
                  • Part of subcall function 00422771: ___freetlocinfo.LIBCMT ref: 004227AC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__amsg_exit__lock__mtinitlocknum__updatetlocinfo
                • String ID: 8lE$8lE
                • API String ID: 236788210-588460454
                • Opcode ID: d8f43b075afee0603a23c602de12c1bac88f41a542a19b90f9a72290550f9fb6
                • Instruction ID: 5d6b859d72f18a1a549f2be06c7fdbfabce53d4680e2532bfe2cd32ce3b07305
                • Opcode Fuzzy Hash: d8f43b075afee0603a23c602de12c1bac88f41a542a19b90f9a72290550f9fb6
                • Instruction Fuzzy Hash: CEE04F21787325B6D231BBA97A4374C22A0DB40B2BFE2829FB484571D38EAC0504465D
                Function 004101A0 Relevance: 6.4, APIs: 5, Instructions: 143COMMON
                Download Yara Rule
                APIs
                • IsBadReadPtr.KERNEL32(?,00000014), ref: 004101CF
                • SetLastError.KERNEL32(0000007E,?,?,?,?,00000000), ref: 004102F4
                  • Part of subcall function 0041C528: _malloc.LIBCMT ref: 0041C534
                • IsBadReadPtr.KERNEL32(?,00000014), ref: 004102A3
                • SetLastError.KERNEL32(0000007F), ref: 004102C6
                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,00000000), ref: 004102E3
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ErrorLast$Read$_malloc
                • String ID:
                • API String ID: 3154491256-0
                • Opcode ID: d5733ee362dbc65c0a9fa8ec5a80e2a3690fa5aeb9050abe851faafc9c5ef9e7
                • Instruction ID: 6fffe07412698074146b26a282a60b32517d17826e2f88360aa6f88f91c869ef
                • Opcode Fuzzy Hash: d5733ee362dbc65c0a9fa8ec5a80e2a3690fa5aeb9050abe851faafc9c5ef9e7
                • Instruction Fuzzy Hash: 1F418E31601219ABCB10CF99DC84BAAB7A8FF49359F0440AAED09DB701D775EDA1CBD4
                Function 0042A21E Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: AdjustPointer_memmove
                • String ID:
                • API String ID: 1721217611-0
                • Opcode ID: 8653c46805a60af91ebbeb6a6443025651475c67d1e2f8f748b0ef14832aa20e
                • Instruction ID: 3ef36c601aa84dfe3d6bb61873be60af9d5eec8d46284333d5989699b4964f4b
                • Opcode Fuzzy Hash: 8653c46805a60af91ebbeb6a6443025651475c67d1e2f8f748b0ef14832aa20e
                • Instruction Fuzzy Hash: 2E4126363043169FEB24EE11F881B6B37A59F14720FA4041FFC00962D2EB39D8A5D31A
                Function 0040FAA0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memcpy_s
                • String ID:
                • API String ID: 2001391462-0
                • Opcode ID: e9cf0f69fa3f2c3ac26271b3fd482314db68950712f5c012293af6c04f7f17c3
                • Instruction ID: 9a0ecc59c4318c6f406cba206602b3c0d333677a171ba5b37a4623c8584b0be6
                • Opcode Fuzzy Hash: e9cf0f69fa3f2c3ac26271b3fd482314db68950712f5c012293af6c04f7f17c3
                • Instruction Fuzzy Hash: 2E315C72A04200ABCF31AE58CC91EAA77799F85354F1840BEFD04AB343D63AED55CB95
                Function 00410C30 Relevance: 6.1, APIs: 4, Instructions: 118COMMON
                Download Yara Rule
                APIs
                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,00404EBD,00000001,00404F12,00000004,0040585E), ref: 00410C48
                • SetLastError.KERNEL32(0000007F), ref: 00410D34
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ErrorLast
                • String ID:
                • API String ID: 1452528299-0
                • Opcode ID: f32e0f81230f1adab6d6e60bedea106f11ef2161f5e1c9d73177231b3fadd526
                • Instruction ID: 1a46fa1e4818535833f2f995405d991a93d7652ce7fcafb120a7abc3c57c4387
                • Opcode Fuzzy Hash: f32e0f81230f1adab6d6e60bedea106f11ef2161f5e1c9d73177231b3fadd526
                • Instruction Fuzzy Hash: CA411431600604DFDB24CF69D880AA6B3E4FF48314F15866EE84A8B711E775F981CB94
                Function 0040FBE0 Relevance: 6.1, APIs: 4, Instructions: 106COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memcpy_s$__fread_nolock_fseek
                • String ID:
                • API String ID: 113024383-0
                • Opcode ID: cd4ef6beafe8544a82673e08a024acf43586cc81e16628300073f449194227eb
                • Instruction ID: 98b577f6e1516bec9390f8d93875cc481c54ae5118c5cdddcdb5d90cd0dd7d34
                • Opcode Fuzzy Hash: cd4ef6beafe8544a82673e08a024acf43586cc81e16628300073f449194227eb
                • Instruction Fuzzy Hash: 23316E71608214ABDB219F59CC82ABB7769EF91314F1840BEFC05AB743D639AD10C7A4
                Function 00415360 Relevance: 6.1, APIs: 4, Instructions: 97fileCOMMON
                Download Yara Rule
                APIs
                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004153EB
                • ReadFile.KERNEL32(00000000,?,00000400,?,00000000), ref: 00415412
                • ReadFile.KERNEL32(00000000,?,00000400,?,00000000,?,?), ref: 00415455
                • CloseHandle.KERNEL32(00000000), ref: 0041546B
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: File$Read$CloseCreateHandle
                • String ID:
                • API String ID: 1724936099-0
                • Opcode ID: 38596d0eb1564fbb1a5c75db2cdfa89cb12aaf079ad92dc8068917da30ec2e76
                • Instruction ID: e2559d4c588920e7d8fd30940d997ee884708e1209451eaf085ca28995b24e3a
                • Opcode Fuzzy Hash: 38596d0eb1564fbb1a5c75db2cdfa89cb12aaf079ad92dc8068917da30ec2e76
                • Instruction Fuzzy Hash: D231A5F1600218ABEB20CF64DC45BEAB7BCEB45704F400199E749A7281DB749B85CF69
                Function 0043C38C Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0043C3C2
                • __isleadbyte_l.LIBCMT ref: 0043C3F0
                • MultiByteToWideChar.KERNEL32(00000080,00000009,004198C4,00000001,00000000,00000000), ref: 0043C41E
                • MultiByteToWideChar.KERNEL32(00000080,00000009,004198C4,00000001,00000000,00000000), ref: 0043C454
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                • String ID:
                • API String ID: 3058430110-0
                • Opcode ID: a34a4565a4c6af88e23756133d91f30544958016c6445cd1a51ca0e49a05e46d
                • Instruction ID: 19437838814bf5e2af79c2eb7719dd5e3a5854865d45f5265d07da1fd80746cd
                • Opcode Fuzzy Hash: a34a4565a4c6af88e23756133d91f30544958016c6445cd1a51ca0e49a05e46d
                • Instruction Fuzzy Hash: 8C31CF31600216AFDB218F35C885BBB7BA5FF49310F15902AF864A72A0D739D851DB99
                Function 0040BD90 Relevance: 6.1, APIs: 4, Instructions: 93COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ___from_strstr_to_strchr$__snprintf_memmove
                • String ID:
                • API String ID: 541609289-0
                • Opcode ID: efd7077a4499a1512418dd56dcf5fb8f5df6725a7d8ea51d6930041c8bfe4183
                • Instruction ID: 99497e586997436f3cb33bd4da666fdd6ec932fc63e4d3bd0e265dd6e166264d
                • Opcode Fuzzy Hash: efd7077a4499a1512418dd56dcf5fb8f5df6725a7d8ea51d6930041c8bfe4183
                • Instruction Fuzzy Hash: 9131D571A002099FCB10DF24DD81BA6B7EAEF45304F04846EE989D7282EB35ED49C794
                Function 004094E0 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 004092D0: _calloc.LIBCMT ref: 004092D5
                  • Part of subcall function 004092D0: _calloc.LIBCMT ref: 004092E7
                  • Part of subcall function 004092D0: _free.LIBCMT ref: 004092F7
                • _free.LIBCMT ref: 00409542
                • _free.LIBCMT ref: 00409548
                • _free.LIBCMT ref: 00409558
                • _free.LIBCMT ref: 00409561
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free$_calloc
                • String ID:
                • API String ID: 3857016397-0
                • Opcode ID: 823dc196d606b326f2038ee56c26ad93ab6e083b462583f70e8f0137c92ed7a6
                • Instruction ID: 9fbdd0483e71e21ca38c7303aa7963917316b4b315c029942a4fc3654e243d5b
                • Opcode Fuzzy Hash: 823dc196d606b326f2038ee56c26ad93ab6e083b462583f70e8f0137c92ed7a6
                • Instruction Fuzzy Hash: 430108B3B0161123CA22676B9C8196B7399AF84310708443EE809E3782EF3CED1183D9
                Function 00410B90 Relevance: 6.1, APIs: 4, Instructions: 60memoryCOMMON
                Download Yara Rule
                APIs
                • _free.LIBCMT ref: 00410BB9
                • _free.LIBCMT ref: 00410BEF
                • GetProcessHeap.KERNEL32(00000000,00410FD9,00000000), ref: 00410C15
                • HeapFree.KERNEL32(00000000), ref: 00410C1C
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Heap_free$FreeProcess
                • String ID:
                • API String ID: 1072109031-0
                • Opcode ID: 897eff395079f8a8d945761978e1e5a2dbd13f0fa63f5763e90c1b75e76f5627
                • Instruction ID: b19d3907a48af6893b912bdff49fc077f7d2719f8e37fca29ec9ac04392dbe3e
                • Opcode Fuzzy Hash: 897eff395079f8a8d945761978e1e5a2dbd13f0fa63f5763e90c1b75e76f5627
                • Instruction Fuzzy Hash: CE116A31640700ABD7309B99CD01F97B3E8BF04B14F044829E59AD7AA1DAA9F8C0CB99
                Function 004045C2 Relevance: 6.1, APIs: 4, Instructions: 51COMMON
                Download Yara Rule
                APIs
                • GetWindowRect.USER32(00000000,?), ref: 004045DB
                • ScreenToClient.USER32(00000000,?), ref: 004045EC
                • ScreenToClient.USER32(00000000,?), ref: 004045F3
                • MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 00404639
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: ClientScreenWindow$MoveRect
                • String ID:
                • API String ID: 2422405346-0
                • Opcode ID: c9d2b3622f95edcf1eaa0d55512add986b54895438880d21e36e0804435cb106
                • Instruction ID: 94d5c2e5b018403258d1295a1c9ea3309a284524b3f9464bfee73e4c8a8e36ca
                • Opcode Fuzzy Hash: c9d2b3622f95edcf1eaa0d55512add986b54895438880d21e36e0804435cb106
                • Instruction Fuzzy Hash: FA015EB5910219AEDB02DB74DC548BFB7BCEF86654B01426AE801F3250FB70AA41CA61
                Function 0042B2DA Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                • String ID:
                • API String ID: 3016257755-0
                • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                • Instruction ID: cde3abd2d2a17bd9145adce598f1c472ed3bfce9f75808062226511fac1d90da
                • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                • Instruction Fuzzy Hash: E101407210415AFBCF129E85EC118EE3F66FB18354B988416FE1859131D73AC9B1ABC5
                Function 004236A8 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 004232C0: __getptd_noexit.LIBCMT ref: 004232C1
                  • Part of subcall function 004232C0: __amsg_exit.LIBCMT ref: 004232CE
                • __calloc_crt.LIBCMT ref: 00423CF6
                  • Part of subcall function 00422304: __calloc_impl.LIBCMT ref: 00422313
                • __lock.LIBCMT ref: 00423D2C
                • ___addlocaleref.LIBCMT ref: 00423D38
                • __lock.LIBCMT ref: 00423D4C
                  • Part of subcall function 0041E222: __getptd_noexit.LIBCMT ref: 0041E222
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: __getptd_noexit__lock$___addlocaleref__amsg_exit__calloc_crt__calloc_impl
                • String ID:
                • API String ID: 2580527540-0
                • Opcode ID: f11b191ca825f653cea09ffb154ef2c6fba3694cc26a9d45c03e577031cbc232
                • Instruction ID: 96c8b9583af55c9f31428e1dec466a3edcda84782f994ea63eb4a55619a91232
                • Opcode Fuzzy Hash: f11b191ca825f653cea09ffb154ef2c6fba3694cc26a9d45c03e577031cbc232
                • Instruction Fuzzy Hash: D2018431741320ABD720FFB6A502B1D77F09F41B25FA1414FB4559B182CABC4A418A69
                Function 00429A84 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE
                Download Yara Rule
                APIs
                • ___BuildCatchObject.LIBCMT ref: 00429A9B
                  • Part of subcall function 0042A190: ___AdjustPointer.LIBCMT ref: 0042A1D9
                • _UnwindNestedFrames.LIBCMT ref: 00429AB2
                • ___FrameUnwindToState.LIBCMT ref: 00429AC4
                • CallCatchBlock.LIBCMT ref: 00429AE8
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                • String ID:
                • API String ID: 2633735394-0
                • Opcode ID: 0e229a682c5f74fded0fd7464990930e460ad1b8336248f1d6181498bc5e8290
                • Instruction ID: d9d68cc2772eaa45cbe80c6265f6649886052fa23208bda14d14efa55ad2fa72
                • Opcode Fuzzy Hash: 0e229a682c5f74fded0fd7464990930e460ad1b8336248f1d6181498bc5e8290
                • Instruction Fuzzy Hash: 78016932100249BBCF12AF56DC01EDA3BBAEF48718F44401AFD1865121D73AE8B1DBA9
                Function 00403214 Relevance: 6.0, APIs: 4, Instructions: 43windowCOMMON
                Download Yara Rule
                APIs
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00403229
                • ShowWindow.USER32(00000000,00000005), ref: 0040324A
                • DispatchMessageA.USER32(?), ref: 00403254
                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00403263
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Message$Peek$DispatchShowWindow
                • String ID:
                • API String ID: 3828714055-0
                • Opcode ID: b7e13b6b9eb49bbfb85c465fd2011bbed301fa72534a35f27cd8a96e929426dc
                • Instruction ID: f56d0f037ce40d9c4b37cacd8da4c8bc7fcf8363c6f0aca055dd7f8dc3415dc6
                • Opcode Fuzzy Hash: b7e13b6b9eb49bbfb85c465fd2011bbed301fa72534a35f27cd8a96e929426dc
                • Instruction Fuzzy Hash: A4F068B1A0021D7FDF10AFE49C88EBB776CEB01346F0040B9B604E1140E6B5DD018BA5
                Function 0040C360 Relevance: 6.0, APIs: 4, Instructions: 43COMMON
                Download Yara Rule
                APIs
                • _calloc.LIBCMT ref: 0040C365
                  • Part of subcall function 0041D9D8: __calloc_impl.LIBCMT ref: 0041D9EB
                • _calloc.LIBCMT ref: 0040C39A
                • _calloc.LIBCMT ref: 0040C3C1
                • _free.LIBCMT ref: 0040C3D0
                  • Part of subcall function 00418E0E: HeapFree.KERNEL32(00000000,00000000,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E22
                  • Part of subcall function 00418E0E: GetLastError.KERNEL32(00456E48,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E34
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _calloc$ErrorFreeHeapLast__calloc_impl_free
                • String ID:
                • API String ID: 4266404413-0
                • Opcode ID: dc7554b61e4d303bc16805c8623a6de89d34e9733a7d8f6f6827a35c152a44fe
                • Instruction ID: 0f2db29c0f7dbe61b8afc0fae55739227f51936efd00df4d3685394c9d5fb601
                • Opcode Fuzzy Hash: dc7554b61e4d303bc16805c8623a6de89d34e9733a7d8f6f6827a35c152a44fe
                • Instruction Fuzzy Hash: 8101FDF1A50B0296E3100F15A84678BB6D0AB40709F00C23EE808AB7C1E7FEA484CBC8
                Function 00403308 Relevance: 6.0, APIs: 4, Instructions: 29COMMON
                Download Yara Rule
                APIs
                • GetModuleHandleA.KERNEL32(00000000,00000088,?,004031FC,00000000), ref: 0040331D
                • CreateDialogParamA.USER32(00000000), ref: 00403324
                • IsWindow.USER32(00000000), ref: 00403352
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: CreateDialogHandleModuleParamWindow
                • String ID:
                • API String ID: 3337458971-0
                • Opcode ID: 5fc44c4d915e71dbc1a65ebc9e50a9e971e03a6cd61081386e8e1b27c06d9027
                • Instruction ID: 0b48b425f555221a4d5bb0230598ecdaa9eb0587f56b397d4d6269d75af749d4
                • Opcode Fuzzy Hash: 5fc44c4d915e71dbc1a65ebc9e50a9e971e03a6cd61081386e8e1b27c06d9027
                • Instruction Fuzzy Hash: 2AF03075640715ABDB213FA29C09B5A3E6CAB12757F014136FD04B5291DFB8C500979E
                Function 0040464F Relevance: 6.0, APIs: 4, Instructions: 28COMMON
                Download Yara Rule
                APIs
                • GetDlgItem.USER32(?,000003E9), ref: 00404668
                • EnableWindow.USER32(00000000,?,?,?,?,00404A08,0000005C), ref: 00404673
                • GetDlgItem.USER32(?,000003E8), ref: 00404681
                • EnableWindow.USER32(00000000,?,?,?,?,00404A08,0000005C), ref: 00404689
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: EnableItemWindow
                • String ID:
                • API String ID: 3833022359-0
                • Opcode ID: c14670897d802c525f123c2a6a43f6505c2156a52f2e14f3a2164e6d035be825
                • Instruction ID: 9ae0c8874abe647800e0a994e48cb391c9a5cd9bcc9ca69c86603df948f346f9
                • Opcode Fuzzy Hash: c14670897d802c525f123c2a6a43f6505c2156a52f2e14f3a2164e6d035be825
                • Instruction Fuzzy Hash: CFE09A75584244BFC7006BAABC4DC1ABBACFB97702F0000AAB408C32A0C6B14A109725
                Function 00403275 Relevance: 6.0, APIs: 4, Instructions: 24threadwindowCOMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 00408E42: _memset.LIBCMT ref: 00408E6A
                  • Part of subcall function 00408E42: GetDlgItem.USER32(00000415), ref: 00408E7D
                  • Part of subcall function 00408E42: GetWindowTextA.USER32(00000000,00000000,00000104), ref: 00408E90
                • AttachThreadInput.USER32(00000001,004032EA), ref: 00403295
                • PostMessageA.USER32(00000401,00000000,00000000), ref: 004032AE
                • AttachThreadInput.USER32(00000000), ref: 004032C2
                • PostMessageA.USER32(00000401,00000000,00000000), ref: 004032CA
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: AttachInputMessagePostThread$ItemTextWindow_memset
                • String ID:
                • API String ID: 4027892604-0
                • Opcode ID: a37b93b8690c29d1493356e1b36f27b47dbb918c7e43ba540a9214645cbde3bf
                • Instruction ID: c9cf3b587419c898d831ef5a1599cb3ca9c84f0e2901de51a9a86b78864e0b86
                • Opcode Fuzzy Hash: a37b93b8690c29d1493356e1b36f27b47dbb918c7e43ba540a9214645cbde3bf
                • Instruction Fuzzy Hash: DEF09B74245340ABEB112F61ED0AF553A26B71AB03F4041B9F602745F2CFBA9450DB1E
                Function 00409370 Relevance: 6.0, APIs: 4, Instructions: 24COMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 00409420: _free.LIBCMT ref: 00409491
                • _free.LIBCMT ref: 00409388
                • _free.LIBCMT ref: 00409382
                  • Part of subcall function 00418E0E: HeapFree.KERNEL32(00000000,00000000,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E22
                  • Part of subcall function 00418E0E: GetLastError.KERNEL32(00456E48,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E34
                • _free.LIBCMT ref: 00409398
                • _free.LIBCMT ref: 004093A1
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 7f6082307f4c6e84e677b01f83bfb3c909e69f8a1a6103b8fc4e2cf8b3cba3f2
                • Instruction ID: e3fca0488d0dbcb1c65db404b81ac7fbf0d0434feb3dee6de7b743f1167a41ad
                • Opcode Fuzzy Hash: 7f6082307f4c6e84e677b01f83bfb3c909e69f8a1a6103b8fc4e2cf8b3cba3f2
                • Instruction Fuzzy Hash: E2E0CDB2F0130112D22037276C0298B73586F8172430A083FF809F2646EE3EED5185ED
                Function 0040442C Relevance: 6.0, APIs: 4, Instructions: 23COMMON
                Download Yara Rule
                APIs
                • GetDC.USER32(00000000), ref: 0040442F
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0040443A
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040445B
                • ReleaseDC.USER32(00000000,00000000), ref: 0040447C
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: 5c76fc17b753963f7480221e7dada1f4d246d264b3d1d47c5b55a7bb5ab1342a
                • Instruction ID: 639f43018dea91ffdd9f2136b60239b8be9380c2da072b7c1a56847d2e35a43a
                • Opcode Fuzzy Hash: 5c76fc17b753963f7480221e7dada1f4d246d264b3d1d47c5b55a7bb5ab1342a
                • Instruction Fuzzy Hash: 85E03025540B44EAD3529F34AC08B1AAB78AF9F753F008335F102750A5FB6054C18A15
                Function 0040BFA0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
                Download Yara Rule
                APIs
                • _free.LIBCMT ref: 0040BFAB
                  • Part of subcall function 00418E0E: HeapFree.KERNEL32(00000000,00000000,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E22
                  • Part of subcall function 00418E0E: GetLastError.KERNEL32(00456E48,?,00428522,00000000,?,?,0042340D,0041A7CB,00453560,00000014), ref: 00418E34
                • _free.LIBCMT ref: 0040BFBC
                • _free.LIBCMT ref: 0040BFC2
                • _free.LIBCMT ref: 0040BFCB
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: c584a25a71b3c1a8bb14584d13e5f644028b25c8f0065d81ec0a110ba24b3836
                • Instruction ID: 72680374181498ebfc41d993dee9b248ba0b000182dcaf6e6c672578ce182803
                • Opcode Fuzzy Hash: c584a25a71b3c1a8bb14584d13e5f644028b25c8f0065d81ec0a110ba24b3836
                • Instruction Fuzzy Hash: F1E0CD7290030523C61137169C028CB7729BFD1315705043EF80993616DF26F5A546DA
                Function 004095C0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 331COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free
                • String ID: null
                • API String ID: 269201875-634125391
                • Opcode ID: f5f4b76544cdab926d995c8bde995ed84e0663054e20715422fc68443093112c
                • Instruction ID: 80a464ed9cf317717112f63e4e014dfdb00248ec76191e4175357499347f359e
                • Opcode Fuzzy Hash: f5f4b76544cdab926d995c8bde995ed84e0663054e20715422fc68443093112c
                • Instruction Fuzzy Hash: 3CE129742007018FC724DF19C490A22B7F0FF49318F058A6EE99A9B7A2D739E955CF86
                Function 0040C0E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 179COMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 0040C640: vswprintf.LIBCMT ref: 0040C66B
                • _memset.LIBCMT ref: 0040C1CE
                  • Part of subcall function 0040C640: __vwprintf_p.LIBCMT ref: 0040C6AB
                  • Part of subcall function 0040C640: _malloc.LIBCMT ref: 0040C6B2
                  • Part of subcall function 0040C640: _free.LIBCMT ref: 0040C6D5
                  • Part of subcall function 0040C640: _free.LIBCMT ref: 0040C6F2
                • _memset.LIBCMT ref: 0040C287
                  • Part of subcall function 0041C528: _malloc.LIBCMT ref: 0041C534
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free_malloc_memset$__vwprintf_pvswprintf
                • String ID: null
                • API String ID: 490974072-634125391
                • Opcode ID: c35c74069a1e3c07ec3d3649af93621512b8e7756df21941c88fa422b9ba7a99
                • Instruction ID: 787d2de8a7ba6c2e63e760992a222ae8c88fbcf7dd3c22e1ac8a0b6113c56c2a
                • Opcode Fuzzy Hash: c35c74069a1e3c07ec3d3649af93621512b8e7756df21941c88fa422b9ba7a99
                • Instruction Fuzzy Hash: B7519071A00209EBCB14DF59DCC2A9E77E4EF44309F14457EE909A7382E739AA44CB99
                Function 00409BDC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free
                • String ID: ]
                • API String ID: 269201875-3352871620
                • Opcode ID: 2d685f6b7eee5baf608b8cec979ea1e5d0229b5c26255c2f38604ab4b5e89f5a
                • Instruction ID: 68c8b9b51e2edf0636aebd1236bf690227415b3e716dc4f87692f040b1430e61
                • Opcode Fuzzy Hash: 2d685f6b7eee5baf608b8cec979ea1e5d0229b5c26255c2f38604ab4b5e89f5a
                • Instruction Fuzzy Hash: DB51E8742007018FD724DF09C494E26B7E0FF49368F05896EE88A9BBA2D739E956CF45
                Function 0040A93E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free
                • String ID: ,$]
                • API String ID: 269201875-707046009
                • Opcode ID: 041c9f2f45d630c87be1c30315b4b0443709323d6cbdeb20a0ea9675a903d0fe
                • Instruction ID: 6d48fa1b49d42d3b958bb19e6194fd79601a3c76d7bcd2e20d84b21d8a0390da
                • Opcode Fuzzy Hash: 041c9f2f45d630c87be1c30315b4b0443709323d6cbdeb20a0ea9675a903d0fe
                • Instruction Fuzzy Hash: EE41E8742007028FDB34CF09C494E66B7E0FB49368F05866ED88A5BB92D739E965CF46
                Function 0040AAE2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _free
                • String ID: ,$}
                • API String ID: 269201875-290097841
                • Opcode ID: e2b1f73ac48ac38ac4d99edf89bb245f3d9411669a24a4db0385ec9c2a6a337f
                • Instruction ID: 372e3585d9915f712a6229daf79336e4604b66aa5c95116ab5de913f4d923b3e
                • Opcode Fuzzy Hash: e2b1f73ac48ac38ac4d99edf89bb245f3d9411669a24a4db0385ec9c2a6a337f
                • Instruction Fuzzy Hash: D341E6742007028FDB24CF09C494E66B7E0FB49368F05856ED88A9BB92D739E965CF46
                Function 00402D1D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove
                • String ID: invalid string position$string too long
                • API String ID: 4104443479-4289949731
                • Opcode ID: ea533c1f166f1e93f8ea5e351e8576c23ae91fd4a09d1489bc60a3cd9205b530
                • Instruction ID: f52bad4dfdaf4dd976133b4ab24ab9d7ba338bf1c2f06aad23fa8704fd16c477
                • Opcode Fuzzy Hash: ea533c1f166f1e93f8ea5e351e8576c23ae91fd4a09d1489bc60a3cd9205b530
                • Instruction Fuzzy Hash: 1B11E632304210ABDB24AE18DA49F5AB7AAEF81754B10053FF915A72C2D7F8DD41C7A9
                Function 0040F7E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 004154C0: lstrlenA.KERNEL32(83575E26,?,00000001), ref: 004154E0
                • __time64.LIBCMT ref: 0040F807
                  • Part of subcall function 0041922A: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00406F95,00000000,?,000000FF,00000000,?,?,00407011,?,000002DC,0040767B,00B64FC8), ref: 00419233
                • _rand.LIBCMT ref: 0040F817
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Time$FileSystem__time64_randlstrlen
                • String ID: expand 32-byte k
                • API String ID: 2132470021-455776987
                • Opcode ID: 83e705751715fcdf3f981db60d3118bcc64c75a7d0dbbd5186de535d10e30fc8
                • Instruction ID: 5fd52744e639f354eb9f57a86f2880b981a242af5d2823db37bce1cfa3ca3c1b
                • Opcode Fuzzy Hash: 83e705751715fcdf3f981db60d3118bcc64c75a7d0dbbd5186de535d10e30fc8
                • Instruction Fuzzy Hash: 4631D5B5D00208AFCB50DFA9D981ADDBBF4FF08314F20856AE819E7341D735A956CBA4
                Function 00415F00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON
                Download Yara Rule
                APIs
                • __libm_sse2_log_precise.LIBCMT ref: 00415FE2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: __libm_sse2_log_precise
                • String ID: hzduhztcadtfjzey$wsu
                • API String ID: 427701067-3542735647
                • Opcode ID: ba577e2c8b3a93fb0990611d0ae70727d753c7e0f1306924463b62a35af5c29d
                • Instruction ID: 6626ffb9408ca10b8a708ccdcc93144e068b9bf68525a831209c6749c2d0d040
                • Opcode Fuzzy Hash: ba577e2c8b3a93fb0990611d0ae70727d753c7e0f1306924463b62a35af5c29d
                • Instruction Fuzzy Hash: 48314871A14B404BC302DF389C51556B7A6EFCB398F41833AE846B7152FB748891C68A
                Function 0040654F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _memmove
                • String ID: invalid string position$string too long
                • API String ID: 4104443479-4289949731
                • Opcode ID: fa030341173f4cf610924cbe1a9fde3d739bb11abe1d3b81028d7b60f94928af
                • Instruction ID: 87889ab70f92ad839cc9d0de01e1effc2dedf5cde4eaa1ea5cd201654545cded
                • Opcode Fuzzy Hash: fa030341173f4cf610924cbe1a9fde3d739bb11abe1d3b81028d7b60f94928af
                • Instruction Fuzzy Hash: C121C331300314ABDB389F69ED81A5677A9EF40754B10093FF912D73C2CB78E894C699
                Function 00415600 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75stringCOMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: lstrcatwsprintf
                • String ID: %02x
                • API String ID: 3065427908-560843007
                • Opcode ID: 21a4a936603c96a2e0a4ddc61b219ccf26112e16f51b7ca8ff74ee8d8d799243
                • Instruction ID: 2b54177cc4d8e13ba2dd83e2a2b668d6b3ba1c21db7c316dfdd97da97613aa90
                • Opcode Fuzzy Hash: 21a4a936603c96a2e0a4ddc61b219ccf26112e16f51b7ca8ff74ee8d8d799243
                • Instruction Fuzzy Hash: 3321E270A0421C9FCF19DF64C8857EEB7B8FB4A308F4009EAD909D7241C7B89A858BD4
                Function 004082FF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: H_prolog3
                • String ID: http$https
                • API String ID: 431132790-745415921
                • Opcode ID: 6d79913ffa9b2aa46ab518ba654ba20256d9cc411597cd6a1f065297a0dd77ff
                • Instruction ID: 331bca510fcf65cefe48f9682ecb2dd9146b35f2627eb72fd5bf6f0b1acd4c1b
                • Opcode Fuzzy Hash: 6d79913ffa9b2aa46ab518ba654ba20256d9cc411597cd6a1f065297a0dd77ff
                • Instruction Fuzzy Hash: 3C116D71100109AFDB04EE56CC92EEE3B79AB60788F40802EFD455B181DB799685CB94
                Function 0040CDF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON
                Download Yara Rule
                APIs
                • _calloc.LIBCMT ref: 0040CDFE
                  • Part of subcall function 0041D9D8: __calloc_impl.LIBCMT ref: 0041D9EB
                • _calloc.LIBCMT ref: 0040CE1B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: _calloc$__calloc_impl
                • String ID: lh_table_new: calloc failed
                • API String ID: 770366589-2821893458
                • Opcode ID: 7ee6f927a5693a73ecbe5c13f532519ec0a0d6b8685756c49dacf014442d203d
                • Instruction ID: a471759443f559bfae0e58604c20b6a9742de5d1992ab7822d3e09b354183580
                • Opcode Fuzzy Hash: 7ee6f927a5693a73ecbe5c13f532519ec0a0d6b8685756c49dacf014442d203d
                • Instruction Fuzzy Hash: 5401F57464070AABC3249F69C881B867794FB44721F00063BE908ABBC2D778E8108BD8
                Function 00408AAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35memoryCOMMON
                Download Yara Rule
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: Allocate_memmove
                • String ID: n\Int
                • API String ID: 1384894049-2997275496
                • Opcode ID: bca32887397cd7fcff1d2185621a0fde44d7f24e0fa0bb04bcffb74159e5bbd4
                • Instruction ID: 8bd69b4bca4b1686a670cc2609e743339ea7a125564589fb26c8930c1c5b4c08
                • Opcode Fuzzy Hash: bca32887397cd7fcff1d2185621a0fde44d7f24e0fa0bb04bcffb74159e5bbd4
                • Instruction Fuzzy Hash: 64F09A72104204AFD720AF6AD885E97FBE9EF40368B20482FF4C583651DA71A890CAA4
                Function 00443C41 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON
                Download Yara Rule
                APIs
                  • Part of subcall function 00443CA4: _memset.LIBCMT ref: 00443CB1
                  • Part of subcall function 00403DC2: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,00403FA8), ref: 00403DC8
                  • Part of subcall function 00403DC2: GetLastError.KERNEL32(?,00403FA8), ref: 00403DD2
                • IsDebuggerPresent.KERNEL32(?,?,?,0040127E), ref: 00443C74
                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040127E), ref: 00443C83
                Strings
                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00443C7E
                Memory Dump Source
                • Source File: 00000000.00000002.11766977466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.11766515896.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11767436437.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768199439.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009B3000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.11768241830.00000000009C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_CheerSkullness.jbxd
                Similarity
                • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString_memset
                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                • API String ID: 2823744152-631824599
                • Opcode ID: 8e097444bdedb7b0a0833a11f03ce3a6806f0dea0503538792c8205760145518
                • Instruction ID: 97ed009f32cb68f79f5f87d788b7f27912922b5af3ef1e9f804c87d245e049fa
                • Opcode Fuzzy Hash: 8e097444bdedb7b0a0833a11f03ce3a6806f0dea0503538792c8205760145518
                • Instruction Fuzzy Hash: 0AE06D742007108BE7209F25E944706BBE4AF05B0AF11893EE446D2641DBB9E648CBA9