Edit tour

Windows Analysis Report
electrumx64.exe

Overview

General Information

Sample name:	electrumx64.exe
Analysis ID:	1545080
MD5:	cf837466c42aa63d4e4df0352a8063ef
SHA1:	461a44b862408c89f16f845b7367b51800344a41
SHA256:	451070b87e0b3acf9de1f6fd858bfadbdaf23fe75cd6f56a29ec817946e70a42
Tags:	exeinfostealerShellcodeRunneruser-ninjacatcher
Infos:

Detection

Score:	29
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Tries to delay execution (extensive OutputDebugStringW loop)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

electrumx64.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\electrumx64.exe" MD5: CF837466C42AA63D4E4DF0352A8063EF)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: electrumx64.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: electrumx64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\test\nsNiuniuDUI.pdbp source: electrumx64.exe, 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: E:\test\nsNiuniuDUI.pdb source: electrumx64.exe, electrumx64.exe, 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,		0_2_00406301
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		0_2_00406CC7

Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: electrumx64.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: http://www.leeqia.com
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050F9

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044D1

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_6CF98060 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_6CF98060

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,

0_2_004038AF

Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_0040737E	0_2_0040737E
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_00406EFE	0_2_00406EFE
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_004079A2	0_2_004079A2
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_004049A8	0_2_004049A8
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF62410	0_2_6CF62410
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CFAF620	0_2_6CFAF620
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF6ECC0	0_2_6CF6ECC0
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CFDACC0	0_2_6CFDACC0
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF86DA5	0_2_6CF86DA5
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6D01AFB9	0_2_6D01AFB9
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF6E8B0	0_2_6CF6E8B0
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6D01EB53	0_2_6D01EB53
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF6CAA0	0_2_6CF6CAA0
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CFBEA70	0_2_6CFBEA70
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF86A07	0_2_6CF86A07
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF7CBD0	0_2_6CF7CBD0
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF86572	0_2_6CF86572
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6D01C4BA	0_2_6D01C4BA
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6D01E29F	0_2_6D01E29F
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6D01DD4E	0_2_6D01DD4E
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6D01FF67	0_2_6D01FF67
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CFDB410	0_2_6CFDB410
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF8755F	0_2_6CF8755F
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6D01D7FD	0_2_6D01D7FD
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF87177	0_2_6CF87177
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6D01F22F	0_2_6D01F22F

Source: C:\Users\user\Desktop\electrumx64.exe	Code function: String function: 6D01804E appears 45 times
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: String function: 6CFA41C0 appears 144 times
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: String function: 004062CF appears 58 times
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: String function: 6CF7ADD4 appears 66 times
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: String function: 6CF80420 appears 50 times
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: String function: 6CF7B07D appears 370 times
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: String function: 6CF7A7A4 appears 49 times
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: String function: 6CF8C900 appears 63 times

Source: electrumx64.exe, 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamensNiuniuSkin.dllX vs electrumx64.exe
Source: electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamensNiuniuSkin.dllX vs electrumx64.exe

Source: electrumx64.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nsNiuniuSkin.dll.0.dr

Static PE information: Section: UPX1 ZLIB complexity 0.9921396439509954

Source: classification engine

Classification label: sus29.evad.winEXE@1/5@0/0

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_6CFD31C0 GetLastError,FormatMessageW,LocalFree,

0_2_6CFD31C0

Source: C:\Users\user\Desktop\electrumx64.exe

0_2_004044D1

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_6CFD0770 FindResourceW,LoadResource,FreeResource,SizeofResource,LockResource,FreeResource,

0_2_6CFD0770

Source: C:\Users\user\Desktop\electrumx64.exe

File created: C:\Users\user\AppData\Local\Temp\nshCE55.tmp

Jump to behavior

Source: electrumx64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\electrumx64.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\electrumx64.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: electrumx64.exe	String found in binary or memory: images/add_file.png
Source: electrumx64.exe	String found in binary or memory: images/add_file@125.png
Source: electrumx64.exe	String found in binary or memory: images/add_file@150.png
Source: electrumx64.exe	String found in binary or memory: images/add_file@200.png
Source: electrumx64.exe	String found in binary or memory: images/stop.png}TT
Source: electrumx64.exe	String found in binary or memory: images/stop.png}TT
Source: electrumx64.exe	String found in binary or memory: images/stop@125.png
Source: electrumx64.exe	String found in binary or memory: images/stop@125.png
Source: electrumx64.exe	String found in binary or memory: images/stop@150.png}Vw@
Source: electrumx64.exe	String found in binary or memory: images/stop@150.png}Vw@
Source: electrumx64.exe	String found in binary or memory: images/stop@200.png
Source: electrumx64.exe	String found in binary or memory: images/stop@200.png
Source: electrumx64.exe	String found in binary or memory: images/ticket-help.png\|ZuX
Source: electrumx64.exe	String found in binary or memory: images/ticket-help2.png
Source: electrumx64.exe	String found in binary or memory: images/ticket-help2@125.png
Source: electrumx64.exe	String found in binary or memory: images/ticket-help2@150.png
Source: electrumx64.exe	String found in binary or memory: images/ticket-help2@200.png
Source: electrumx64.exe	String found in binary or memory: images/ticket-help@125.png\|
Source: electrumx64.exe	String found in binary or memory: images/ticket-help@150.png
Source: electrumx64.exe	String found in binary or memory: images/ticket-help@200.png

Source: C:\Users\user\Desktop\electrumx64.exe

File read: C:\Users\user\Desktop\electrumx64.exe

Jump to behavior

Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	Section loaded: globinputhost.dll	Jump to behavior

Source: C:\Users\user\Desktop\electrumx64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\electrumx64.exe

File opened: C:\Windows\SysWOW64\Msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: electrumx64.exe

Static file information: File size 47521498 > 1048576

Source: electrumx64.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\test\nsNiuniuDUI.pdbp source: electrumx64.exe, 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: E:\test\nsNiuniuDUI.pdb source: electrumx64.exe, electrumx64.exe, 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF80465 push ecx; ret		0_2_6CF80478
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF7D86A push ecx; ret		0_2_6CF7D87D

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\electrumx64.exe	File created: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\electrumx64.exe	File created: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll			Jump to dropped file

Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF98747 _memset,BeginPaint,EndPaint,GetClientRect,GetUpdateRect,IsRectEmpty,IsIconic,DeleteDC,DeleteDC,DeleteObject,DeleteObject,KiUserCallbackDispatcher,_memset,UnionRect,_memset,_memset,BeginPaint,SelectObject,SaveDC,IsWindow,IsWindowVisible,IntersectRect,_memset,SelectObject,SendMessageW,73A24D40,SelectObject,DeleteObject,DeleteDC,RestoreDC,GetWindowRect,_memset,SelectObject,_memset,73A24D40,SelectObject,SelectObject,GetStockObject,SelectObject,Rectangle,SelectObject,SaveDC,RestoreDC,EndPaint,	0_2_6CF98747
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CFFCE60 IsIconic,GetWindowRect,CreateRoundRectRgn,SetWindowRgn,DeleteObject,	0_2_6CFFCE60
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF980F0 ScreenToClient,IsIconic,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,GetTickCount,_memset,CreateWindowExW,SendMessageW,SendMessageW,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,	0_2_6CF980F0
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF980F0 ScreenToClient,IsIconic,GetClientRect,SaveDC,GetWindow,GetWindowRect,MapWindowPoints,SetWindowOrgEx,SendMessageW,GetWindow,RestoreDC,GetTickCount,_memset,CreateWindowExW,SendMessageW,SendMessageW,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,GetWindowRect,IsIconic,GetActiveWindow,PtInRect,SendMessageW,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,	0_2_6CF980F0
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF93CE0 IsIconic,	0_2_6CF93CE0

Source: C:\Users\user\Desktop\electrumx64.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\Desktop\electrumx64.exe

Section loaded: OutputDebugStringW count: 408

Source: C:\Users\user\Desktop\electrumx64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll			Jump to dropped file
Source: C:\Users\user\Desktop\electrumx64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\electrumx64.exe

API coverage: 8.5 %

Source: C:\Users\user\Desktop\electrumx64.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\electrumx64.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\nsxCF02.tmp FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_00406301 FindFirstFileW,FindClose,		0_2_00406301
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,		0_2_00406CC7

Source: C:\Users\user\Desktop\electrumx64.exe	API call chain: ExitProcess graph end node			graph_0-83470
Source: C:\Users\user\Desktop\electrumx64.exe	API call chain: ExitProcess graph end node			graph_0-83799

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_6CF7ADDF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6CF7ADDF

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406328

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_6CF8AB4D __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_6CF8AB4D

Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF7ADDF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6CF7ADDF
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF80288 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6CF80288

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_6CFA4950 cpuid

0_2_6CFA4950

Source: C:\Users\user\Desktop\electrumx64.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	0_2_6CF8AA18
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_6CF8604D
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_6CF862DE
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_6CF8621E
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_6CF86381
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_6CF86345
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: GetLocaleInfoA,	0_2_6CF7FCA3
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6CF85E56
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_6CF85FF2
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_6CF85F4B
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_6CF898F2
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_6CF899CC

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_6CF8475D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_6CF8475D

Source: C:\Users\user\Desktop\electrumx64.exe

Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406831

Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF6F510 BindCallBack,GlobalFree,lstrcpynW,GlobalFree,_memset,lstrcpyW,GlobalFree,lstrcpynW,GlobalFree,IsWindow,		0_2_6CF6F510
Source: C:\Users\user\Desktop\electrumx64.exe	Code function: 0_2_6CF6F2D0 BindCallBackEx,lstrcpynW,GlobalFree,_memset,lstrcpyW,lstrcpyW,GlobalFree,_memset,lstrcpyW,GlobalFree,lstrcpynW,GlobalFree,IsWindow,		0_2_6CF6F2D0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Obfuscated Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
electrumx64.exe	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.leeqia.com	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	electrumx64.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	false	URL Reputation: safe	unknown
http://www.leeqia.com	electrumx64.exe, 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmp, nsNiuniuSkin.dll.0.dr	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545080
Start date and time:	2024-10-30 04:15:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	electrumx64.exe
Detection:	SUS
Classification:	sus29.evad.winEXE@1/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 130 Number of non-executed functions: 182
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll	file.exe	Get hash	malicious	Unknown	Browse
	Setup_10024.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Riskware.Application.5189.31489.exe	Get hash	malicious	Unknown	Browse
	LWZyUFvVh1.exe	Get hash	malicious	DCRat	Browse
	sVfXReO3QI.exe	Get hash	malicious	Unknown	Browse
	HolyTom980.exe	Get hash	malicious	Unknown	Browse
	https://xiuxiu.dl.meitu.com/pc_channel64/xiuxiu64_pc.exe	Get hash	malicious	Unknown	Browse
	ReimagePackage.exe	Get hash	malicious	Xmrig	Browse
	ReimagePackage.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.W32.PossibleThreat.20191.6097.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\electrumx64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.729426875863261
Encrypted:	false
SSDEEP:	192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
MD5:	BF712F32249029466FA86756F5546950
SHA1:	75AC4DC4808AC148DDD78F6B89A51AFBD4091C2E
SHA-256:	7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF
SHA-512:	13F69959B28416E0B8811C962A49309DCA3F048A165457051A28A3EB51377DCAF99A15E86D7EEE8F867A9E25ECF8C44DA370AC8F530EEAE7B5252EABA64B96F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: Setup_10024.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Riskware.Application.5189.31489.exe, Detection: malicious, Browse Filename: LWZyUFvVh1.exe, Detection: malicious, Browse Filename: sVfXReO3QI.exe, Detection: malicious, Browse Filename: HolyTom980.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: ReimagePackage.exe, Detection: malicious, Browse Filename: ReimagePackage.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.PossibleThreat.20191.6097.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..............]..............XP......Xd......XU......XS.....Rich............PE..L.....GO...........!................('.......0...............................`............@..........................3.......1..P............................P.......................................................0..\............................text...1........................... ..`.rdata.......0......."..............@..@.data...@....@.......&..............@....reloc..L....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\licence.rtf

Download File

Process:	C:\Users\user\Desktop\electrumx64.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 936, default language ID 1033
Category:	dropped
Size (bytes):	939
Entropy (8bit):	4.311680372462902
Encrypted:	false
SSDEEP:	12:pXFIiYm+6sG+MxWTcL/83+SJkHLHIcEehIuTzL24epekxcwdSMK2jVw169Qf2:kh6+Mu0/rHIcZtTO4UeQvS5I21rf2
MD5:	B43BD89270FB32D069044F093A47250D
SHA1:	9A6733C6AC3DD0E7E26B170129CF8FCCE9AC8D07
SHA-256:	D57DDA71C73D4C9D20A67337DA3614C41630CAF0126BDCCB7F1D8145DF7E5E97
SHA-512:	1EE04AF87D9B3234DC512C1984D6069208656F838961613DE6902D8BD1E603A67272C6E7F6868AAB6614EE0EE9B68D5F255A767939D632778F85709406E81806
Malicious:	false
Reputation:	low
Preview:	{\rtf1\ansi\ansicpg936\deff0\nouicompat\deflang1033\deflangfe2052\deftab420{\fonttbl{\f0\fnil\fcharset134 \'cb\'ce\'cc\'e5;}}..{\\generator Riched20 10.0.20348}{\info{\horzdoc}{\\lchars $([\'7b\'a1\'ea\'a3\'a4\'a1\'a4\'a1\'ae\'a1\'b0\'a1\'b4\'a1\'b6\'a1\'b8\'a1\'ba\'a1\'be\'a1\'b2\'a1\'bc\'a8\'94\'a9\'76\'a9\'78\'a9\'7a\'a1\'e7\'a3\'a8\'a3\'ae\'a3\'db\'a3\'fb\'a1\'ea\'a3\'a4}{\\fchars !%),.:\'3b>?]\'7d\'a1\'e9\'a1\'a7\'a1\'e3\'a1\'a4\'a1\'a6\'a1\'a5\'a8\'44\'a1\'ac\'a1\'af\'a1\'b1\'a1\'ad\'a1\'eb\'a1\'e4\'a1\'e5?\'a1\'e6\'a1\'c3\'a1\'a2\'a1\'a3\'a1\'a8\'a1\'b5\'a1\'b7\'a1\'b9\'a1\'bb\'a1\'bf\'a1\'b3\'a1\'bd\'a8\'95\'a6\'e1\'a6\'e3\'a6\'e7\'a6\'e5\'a6\'eb\'a9\'77\'a9\'79\'a9\'7b\'a3\'a1\'a3\'a2\'a3\'a5\'a3\'a7\'a3\'a9\'a3\'ac\'a3\'ae\'a3\'ba\'a3\'bb\'a3\'bf\'a3\'dd\'a3\'e0\'a3\'fc\'a3\'fd\'a1\'ab\'a1\'e9}}..{\\mmathPr\mnaryLim0\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\sa200\sl276\slmult1\f0\fs22\lang2052\par..}...

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\logo.ico

Download File

Process:	C:\Users\user\Desktop\electrumx64.exe
File Type:	MS Windows icon resource - 10 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	458870
Entropy (8bit):	5.129021303459069
Encrypted:	false
SSDEEP:	3072:RQd9Jsc2/1NfYiRPcv9H/CzlftbCJ3e0hoCkaKK0N6owWIP2sDGL4dTIoNxK4LdB:ctUYWai7o9Z9p5ENM
MD5:	E4A8817AA15F1CCB0E49DAD689C87D16
SHA1:	3FEC80D3C40A03C7398892C3A1D1B94543C75B7C
SHA-256:	1B7E574335CA9D80B5523ABEA0BBD7DB0CD69C17A6BFD185FCCD3940B61BF973
SHA-512:	80DE3FC2940E0C7C8082678955BD177192D00739F7A68347A30D69B28FAEA6EE27C1909B01B843FBFE88B67D8309B51C4A05EF203C8209395A51B1D7A92BD24C
Malicious:	false
Reputation:	low
Preview:	............ .( ............ .(.... ..``.... ......(..PP.... ..g......HH.... ..T...%..@@.... .(B...z..00.... ..%..6......... ............... .h...f... .... .........(............. ...... ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll

Download File

Process:	C:\Users\user\Desktop\electrumx64.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	349696
Entropy (8bit):	7.923369185635811
Encrypted:	false
SSDEEP:	6144:zogxY8ClCBjHY8Sb/ziRCbHa/qh5APgK3nqOSEaGijVEAbzvL39wnk9sqcnBzOsp:8qClWjy/z6CZY3fxVqV5vz9w6sHB/p
MD5:	01A743D2E92F42035F694EB7BA16C6C4
SHA1:	DCD0B1B9991993E406768E715D787999D80BA13E
SHA-256:	ACF0A9F02F82E3F684CF90CD1FA3F587124CC2D1CF1D01F10017CEEFE4892C76
SHA-512:	12BDAADBBBCBCEDA9D242AE09C5D6A2D03E6E7110BF3BB87A5B3CC2CDCFF1FE6C915147306BDEE4DFBFE6D40FA74DDE15848449F57B0CD1A80534FED8D291A62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........1..b..b..b.K.b..b...b..b.K<b..b.K=b4.b.<b..b...b..b...b..b..b..b.K8b..b.K.b..b.K.b..b.K.b..bRich..b........PE..L....zue...........!..... ................... ...............................0............@..........................'.......%....... ..................,..8+.........................................H...........................................UPX0....................................UPX1..... ..........................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................................................2.02.UPX!....

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\skin.zip

Download File

Process:	C:\Users\user\Desktop\electrumx64.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	509403
Entropy (8bit):	7.9862763703586825
Encrypted:	false
SSDEEP:	12288:7pP9X8jpWqtEQQiBGqoJtvz8xVjTXfuST4TUJwMiWC6Y:7ptApWq6nYCtvz8TVUTUJfrY
MD5:	B9FED73562A2CC77C86E8E61C05DCEFA
SHA1:	416E6BAB8D686D15E5D5A825C71D784E08FE03B0
SHA-256:	F60AD8F4AB4AD0B6156813DC1898A39D4D3E3401754CDB81EE2D6A8CEEA68F72
SHA-512:	D8E9B525AA8B0D3124A68F5F9ADA18ACEC67A9758FEFA43E085B80A9AB63B1FE2A97DDB625F18D24F32A29D056F41169762A1854AB14F869644EF4CF009B78EC
Malicious:	false
Reputation:	low
Preview:	PK........i..K..H.....&.......arrow_down.png}R{l.q...#.kB0%..Q......U[..aJ+.qz?.zw.>.Q.^.x.l!&D.`...F.d.yD6&.1,...2..u..I...}..o>...s..w...}..&A...m.c?.S....KO.>9.HV.4.[,.(.@&.[.`........K......a...e.N.9...b.~/.E.!..Sn...E .a.H....F.n....3.A....8.A.[O#..`.....@.`.w.+.~#.K..h.E.v..1".M..3a3'.8]=A..&.`.^...tZ].L`x:.iP.."4..#...[.\|.@/&s-Sbw...$.DQ...i....z..... T2B%.X..X1.C..D.....p4..q.$#......e.X..~.Gq5........z;......-:.<@s..-..@..F.<i..%q...ttqf>'qb>..fs{..N..9...9Qc...%.u.....5...).1.. 2.V...r0gX&..3.!.V]....y.+up.?\M<n..16..."p^...I&..,.^.K..........b..=v...t.?`....66.!(a..br..5..s%+............g.Ca.V4.wT.3{#lb.eFHiJjH..kZ..._..^j.e..'M'..]O5f...C.#...z...'.OP...-.:...s....L.k.&}D.q%uA.......nhK.w.....-3.e..Bs.3_..q..-..q.-4u..y.....W.\].R..&...`c.....Y..[e%Y.qk...`8....<.58.....\....!..m.]..cr...............~.....Fn.f...d...kCR.J.$R.2c.m..kD]. ~g......;..5M...s....z..<..(........&.......W...........u....tA......?^fo.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.997717964812734
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	electrumx64.exe
File size:	47'521'498 bytes
MD5:	cf837466c42aa63d4e4df0352a8063ef
SHA1:	461a44b862408c89f16f845b7367b51800344a41
SHA256:	451070b87e0b3acf9de1f6fd858bfadbdaf23fe75cd6f56a29ec817946e70a42
SHA512:	ea7b575b6ccb2df7d6b4d38eab485f20a32a0e361d06cc2956260961829de8414ddf8de25c44b8b23dccf431124071a4a6681fc58c14f6b29fde0f68a5b5a29e
SSDEEP:	786432:0xW5G8CJA5+Uy2zuJHwMseHv0mA/s7emwLTYyJdU6M3z6t99:0c5G8CJoy2aJHw+HvwMeXLVsQ9
TLSH:	FEA733617B18D161C9C7EDF4F636A4A1082E1F3A25D40F055AF33AF600716DA392FAAD
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8.....

File Icon


Icon Hash:	332b3b574d6d170c

Static PE Info

General

Entrypoint:	0x4038af
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 0040A268h
mov dword ptr [esp+14h], ebp
call dword ptr [00409030h]
push 00008001h
call dword ptr [004090B4h]
push ebp
call dword ptr [004092C0h]
push 00000008h
mov dword ptr [0047EB98h], eax
call 00007F05F4B7C26Bh
push ebp
push 000002B4h
mov dword ptr [0047EAB0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040A264h
call dword ptr [00409184h]
push 0040A24Ch
push 00476AA0h
call 00007F05F4B7BF4Dh
call dword ptr [004090B0h]
push eax
mov edi, 004CF0A0h
push edi
call 00007F05F4B7BF3Bh
push ebp
call dword ptr [00409134h]
cmp word ptr [004CF0A0h], 0022h
mov dword ptr [0047EAB8h], eax
mov eax, edi
jne 00007F05F4B7983Ah
push 00000022h
pop esi
mov eax, 004CF0A2h
push esi
push eax
call 00007F05F4B7BC11h
push eax
call dword ptr [00409260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F05F4B798C3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F05F4B7983Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac40	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x134000	0x70ce0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x994	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x728c	0x7400	419d4e1be1ac35a5db9c47f553b27cea	False	0.6566540948275862	data	6.499708590628113	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x2b6e	0x2c00	cca1ca3fbf99570f6de9b43ce767f368	False	0.3678977272727273	data	4.497932535153822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0x72b9c	0x200	77f0839f8ebea31040e462523e1c770e	False	0.279296875	data	1.8049406284608531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7f000	0xb5000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x134000	0x70ce0	0x70e00	14f253f4202df3359620f18c937f7613	False	0.2939485568936877	data	5.130580807063862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1a5000	0xfd6	0x1000	ac1f916992f27d0cc1518b8fa425559f	False	0.028564453125	data	0.2267346467413615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x134358	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.19165902299020623
RT_ICON	0x176380	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.3213208328404117
RT_ICON	0x186ba8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.40718940508723983
RT_ICON	0x190050	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	English	United States	0.47533834586466167
RT_ICON	0x196838	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5310998151571165
RT_ICON	0x19bcc0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5862068965517241
RT_ICON	0x19fee8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6374481327800829
RT_ICON	0x1a2490	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7429643527204502
RT_ICON	0x1a3538	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.8213114754098361
RT_ICON	0x1a3ec0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.9281914893617021
RT_DIALOG	0x1a4328	0x1ee	data	English	United States	0.3866396761133603
RT_DIALOG	0x1a4518	0xda	data	English	United States	0.6376146788990825
RT_GROUP_ICON	0x1a45f8	0x92	data	English	United States	0.6986301369863014
RT_VERSION	0x1a4690	0x28c	PGP symmetric key encrypted data - Plaintext or unencrypted data			0.4662576687116564
RT_MANIFEST	0x1a4920	0x3bd	XML 1.0 document, ASCII text, with very long lines (957), with no line terminators	English	United States	0.5214211076280042

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 04:16:21.604195118 CET	53	65083	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	23:15:59
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\electrumx64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\electrumx64.exe"
Imagebase:	0x400000
File size:	47'521'498 bytes
MD5 hash:	CF837466C42AA63D4E4DF0352A8063EF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 6CF98747 Relevance: 81.8, APIs: 43, Strings: 3, Instructions: 1258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 6CF9876B
BeginPaint.USER32(?,?), ref: 6CF98787
EndPaint.USER32(?,?), ref: 6CF987C2
GetClientRect.USER32(?,00000000), ref: 6CF98801
GetUpdateRect.USER32(?,00000000,00000000), ref: 6CF9883B

Strings

windowsize, xrefs: 6CF99DF5
windowinit, xrefs: 6CF98C57
0, xrefs: 6CF99C21

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: PaintRect$BeginClientUpdate_memset
String ID: windowinit$windowsize$0
API String ID: 3456385447-2147870576
Opcode ID: 2e5ff7a705564747817198f7429e896a486c5bb8db1352e59a10c3c004566ead
Instruction ID: 717dfbf3350e95bf41d7dc6248e34e9a571c67beaf88ae0c67a0bf35124e3079
Opcode Fuzzy Hash: 2e5ff7a705564747817198f7429e896a486c5bb8db1352e59a10c3c004566ead
Instruction Fuzzy Hash: 48E2D674A052288FEB65CB18CC94BDAB7B1EF89304F1481E9D90DAB351CB35AE85DF50

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038CE
SetErrorMode.KERNELBASE(00008001), ref: 004038D9
OleInitialize.OLE32(00000000), ref: 004038E0

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
OleUninitialize.OLE32(?), ref: 00403AFD
ExitProcess.KERNEL32 ref: 00403B1D
lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C

Strings

Error launching installer, xrefs: 00403AA9
/D=, xrefs: 004039D2
\Temp, xrefs: 00403A47
NSIS Error, xrefs: 0040390E
~nsu.tmp, xrefs: 00403B23
_?=, xrefs: 00403A90
SeShutdownPrivilege, xrefs: 00403C42
NCRC, xrefs: 004039A8

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-3712954417
Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

Function 6CFAF620 Relevance: 41.2, APIs: 2, Strings: 21, Instructions: 997COMMON

Download Yara Rule

Strings

bad interlace method, xrefs: 6CFAFC1F
bad tRNS len, xrefs: 6CFB000D, 6CFB0126
multiple IHDR, xrefs: 6CFAF7A1
too large, xrefs: 6CFAF7F1, 6CFAF821, 6CFAFC9F, 6CFAFCE4
no IDAT, xrefs: 6CFB0331
outofmem, xrefs: 6CFB029E
bad comp method, xrefs: 6CFAFA9F
bad filter method, xrefs: 6CFAFB5F
tRNS with alpha, xrefs: 6CFB0104
XXXX PNG chunk not known, xrefs: 6CFB0562, 6CFB05A1
invalid PLTE, xrefs: 6CFAFD1F, 6CFAFD51
SNRt, xrefs: 6CFAF764
0-pixel image, xrefs: 6CFAFC42
1/2/4/8-bit only, xrefs: 6CFAF8FC
no PLTE, xrefs: 6CFB01C6
tRNS after IDAT, xrefs: 6CFAFFAF
bad IHDR len, xrefs: 6CFAF7C3
first not IHDR, xrefs: 6CFAFD01, 6CFAFF94, 6CFB01A3, 6CFB0306, 6CFB0534
bad ctype, xrefs: 6CFAF9B6, 6CFAF9DF
outofdata, xrefs: 6CFB02DD
tRNS before PLTE, xrefs: 6CFAFFF0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID: 0-pixel image$1/2/4/8-bit only$SNRt$XXXX PNG chunk not known$bad IHDR len$bad comp method$bad ctype$bad filter method$bad interlace method$bad tRNS len$first not IHDR$invalid PLTE$multiple IHDR$no IDAT$no PLTE$outofdata$outofmem$tRNS after IDAT$tRNS before PLTE$tRNS with alpha$too large
API String ID: 0-3688516492
Opcode ID: cd376327e9ac6a7d1692d5a4dcf7475d9bd33595eb7ef2dcfab13e472f0cc057
Instruction ID: 90ddbfcbefacffe43edaf340c1fb153eadc10bc50bf9c3a6a7e309590f23e3f7
Opcode Fuzzy Hash: cd376327e9ac6a7d1692d5a4dcf7475d9bd33595eb7ef2dcfab13e472f0cc057
Instruction Fuzzy Hash: 2BA281F4A04159CFCB14CB94CA90BAEBBB1AF45308F2481E9D5497B742C731AE85CF66

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,004CF0A0), ref: 00406CE4
lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
lstrlenW.KERNEL32(?), ref: 00406D58
FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
FindClose.KERNEL32(?), ref: 00406E5F

Strings

ptF, xrefs: 00406D1A
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
Delete: DeleteFile("%s"), xrefs: 00406DE8
\*.*, xrefs: 00406D2F
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
Delete: DeleteFile failed("%s"), xrefs: 00406E29

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
API String ID: 2035342205-1650287579
Opcode ID: f7a733ba7b7dda8f767778852903590a58a16c07b963c85795d8b3373a8eb2b2
Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
Opcode Fuzzy Hash: f7a733ba7b7dda8f767778852903590a58a16c07b963c85795d8b3373a8eb2b2
Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

Function 6CF6F510 Relevance: 12.1, APIs: 8, Instructions: 129stringCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF6F554
GlobalFree.KERNEL32 ref: 6CF6F564
_memset.LIBCMT ref: 6CF6F58B
lstrcpyW.KERNEL32(?,?), ref: 6CF6F5AC
GlobalFree.KERNEL32 ref: 6CF6F5BD
lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF6F5E7
GlobalFree.KERNELBASE ref: 6CF6F5F7
IsWindow.USER32(?), ref: 6CF6F60D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FreeGlobal$lstrcpyn$Window_memsetlstrcpy
String ID:
API String ID: 752816851-0
Opcode ID: 1cb60d70ab325124b7ae2bbfb3249d9aa8a19737f4a3b4867fba2d4c968adb59
Instruction ID: ea8accb40aa5f7b7801a51166217e1fd61b5299abb4f67219c803a5e497a7edc
Opcode Fuzzy Hash: 1cb60d70ab325124b7ae2bbfb3249d9aa8a19737f4a3b4867fba2d4c968adb59
Instruction Fuzzy Hash: 2F419376901218DBCB10EF64C980BDEB379BF89714F214699D61967B40DB71AD88CFE0

Function 6CF62410 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 347COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 6CF624B7

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

Strings

Window, xrefs: 6CF624DA, 6CF625A8
node_addr, xrefs: 6CF62530
classname_leeqia, xrefs: 6CF625C7
sub_child, xrefs: 6CF6282E
parent:%ld, xrefs: 6CF6249D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: DebugOutputString_free
String ID: Window$classname_leeqia$node_addr$parent:%ld$sub_child
API String ID: 3134867242-553710224
Opcode ID: ef7d91857067f276cfb1af3acb0ace91ac63958b5a00a3bebdfa6249b7e8130d
Instruction ID: 9ec85ee1a2531293183b273419dfe328a1e1df948286854b1d1747657a7f11ee
Opcode Fuzzy Hash: ef7d91857067f276cfb1af3acb0ace91ac63958b5a00a3bebdfa6249b7e8130d
Instruction Fuzzy Hash: A4E16C719052189FDB25CF64DC84BDEB7B1AF49304F1082EAD459A7B41DB35AE88CFA0

Function 6CFD0770 Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,00000000,00000000,?,?,6CF949B0,?,00000000,00000000), ref: 6CFD084B
LoadResource.KERNEL32(00000000,00000000,?,?,6CF949B0), ref: 6CFD0869
FreeResource.KERNEL32(00000000,?,?,6CF949B0), ref: 6CFD087C
SizeofResource.KERNEL32(00000000,00000000,00000000,?,?,6CF949B0), ref: 6CFD089C
LockResource.KERNEL32(00000000,00000000,?,?,6CF949B0), ref: 6CFD08A7

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: 14d6d041d81738f508e29bcdaa2c1adbc8beb72eb2c141014752307c382bff5e
Instruction ID: 2191f50945f5bf2c9bdeabcefbd3cee13460054c3711bc2ea1fa432595e41ac3
Opcode Fuzzy Hash: 14d6d041d81738f508e29bcdaa2c1adbc8beb72eb2c141014752307c382bff5e
Instruction Fuzzy Hash: 6F515F75E00259EFCB04DF99C894AEF77B5BF88304F148529F805AB740DB75A981CBA0

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 6CFD31C0 Relevance: 4.5, APIs: 3, Instructions: 19windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000400,6CFD3381,00000000,00000000,?,?,6CFD3381), ref: 6CFD31D1
FormatMessageW.KERNELBASE(00001100,00000000,00000000,?,?,6CFD3381), ref: 6CFD31DF
LocalFree.KERNEL32(6CFD3381,?,?,6CFD3381), ref: 6CFD31E9

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: e804ad260118203cb08bbb0bbfa9ec47917ba6c5036cb1ce23fd35c0bef42e65
Instruction ID: d2a43a5504b7aa652690b7378cb8e8f986f7c9d0fb9d63b05e5a6ff261afcebf
Opcode Fuzzy Hash: e804ad260118203cb08bbb0bbfa9ec47917ba6c5036cb1ce23fd35c0bef42e65
Instruction Fuzzy Hash: 53D05EB5E85308BBEB149BD0CC4BFB9773CE749B12F600184FB09961C09BB1690487B6

Function 00406328 Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
GetProcAddress.KERNEL32(00000000), ref: 00406353

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Function 6CFD0900 Relevance: 260.4, APIs: 101, Strings: 47, Instructions: 1407COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFD0A11
__wcsicoll.LIBCMT ref: 6CFD0AC0

Strings

italic, xrefs: 6CFD0DBA
linkhoverfontcolor, xrefs: 6CFD1A67
linkfontcolor, xrefs: 6CFD19F0
bold, xrefs: 6CFD0D3E
Window, xrefs: 6CFD1294
Default, xrefs: 6CFD0EFA
layeredimage, xrefs: 6CFD188A
gdiplustext, xrefs: 6CFD1E85
shadowcolor, xrefs: 6CFD1C8C
textrenderinghint, xrefs: 6CFD1EC4
true, xrefs: 6CFD0B77, 6CFD0D56, 6CFD0D94, 6CFD0DD2, 6CFD0E0D, 6CFD0E48, 6CFD1003, 6CFD115E, 6CFD1784, 6CFD1860, 6CFD18D8, 6CFD1E54, 6CFD1E9D
shared, xrefs: 6CFD0B5F, 6CFD0E30, 6CFD0FEB, 6CFD1146
value, xrefs: 6CFD0FC5, 6CFD1120
caption, xrefs: 6CFD151F
defaultfontcolor, xrefs: 6CFD1979
tooltiphovertime, xrefs: 6CFD1EF6
shadowcorner, xrefs: 6CFD1D08
Font, xrefs: 6CFD0BD4
layeredopacity, xrefs: 6CFD17FB
underline, xrefs: 6CFD0D7C
Image, xrefs: 6CFD0A05
shadowsharpness, xrefs: 6CFD1B91
opacity, xrefs: 6CFD17AE
noactivate, xrefs: 6CFD18C0
shadowsize, xrefs: 6CFD1B55
fontfile, xrefs: 6CFD1240
disabledfontcolor, xrefs: 6CFD1902
shadowimage, xrefs: 6CFD1E09
Style, xrefs: 6CFD1055
shadowposition, xrefs: 6CFD1C09
sizebox, xrefs: 6CFD1446
size, xrefs: 6CFD0D03, 6CFD13A6
layered, xrefs: 6CFD1830
mask, xrefs: 6CFD0B06
selectedcolor, xrefs: 6CFD1ADE
showdirty, xrefs: 6CFD176C
default, xrefs: 6CFD0DF5
bktrans, xrefs: 6CFD1848
alpha, xrefs: 6CFD17C6
restype, xrefs: 6CFD0ADD
showshadow, xrefs: 6CFD1E3C
maxinfo, xrefs: 6CFD16F0
name, xrefs: 6CFD0AB4, 6CFD0CDA, 6CFD0F9F, 6CFD10FA
roundcorner, xrefs: 6CFD15F8
mininfo, xrefs: 6CFD1674
Import, xrefs: 6CFD11B0
shadowdarkness, xrefs: 6CFD1BCD

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: Default$Font$Image$Import$Style$Window$alpha$bktrans$bold$caption$default$defaultfontcolor$disabledfontcolor$fontfile$gdiplustext$italic$layered$layeredimage$layeredopacity$linkfontcolor$linkhoverfontcolor$mask$maxinfo$mininfo$name$noactivate$opacity$restype$roundcorner$selectedcolor$shadowcolor$shadowcorner$shadowdarkness$shadowimage$shadowposition$shadowsharpness$shadowsize$shared$showdirty$showshadow$size$sizebox$textrenderinghint$tooltiphovertime$true$underline$value
API String ID: 3832890014-2278178710
Opcode ID: 7c79f5b86beecf7f26576666178873e5ac0e9c36928d83075b4fda707bf66e91
Instruction ID: 820b4bb7a260185cbe8c20896113df10be10144966ffcfe800dbdfde0242c98c
Opcode Fuzzy Hash: 7c79f5b86beecf7f26576666178873e5ac0e9c36928d83075b4fda707bf66e91
Instruction Fuzzy Hash: EFC220B1D08658ABDB24CB64DC50BEFB3B4AF45306F0485D9E50DA7680EB35AE84CF91

Function 6CF92BA0 Relevance: 79.3, APIs: 17, Strings: 28, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wcsicoll.LIBCMT ref: 6CF92CC6

Strings

left, xrefs: 6CF92ED3, 6CF9321F
right, xrefs: 6CF92F4E, 6CF93263
wanttab, xrefs: 6CF92CF9
multiline, xrefs: 6CF92CBD
wantctrlreturn, xrefs: 6CF92D71
disabledimage, xrefs: 6CF930E0
rich, xrefs: 6CF92DE9
textcolor, xrefs: 6CF92FC1
true, xrefs: 6CF92BC8, 6CF92C09, 6CF92C4A, 6CF92C8C, 6CF92CD2, 6CF92D0E, 6CF92D4A, 6CF92D86, 6CF92DC2, 6CF92DFE, 6CF92E3A, 6CF92E8B
transparent, xrefs: 6CF92DAD
password, xrefs: 6CF92E76
tipvalue, xrefs: 6CF931BE
tipvaluealign, xrefs: 6CF9320A
normalimage, xrefs: 6CF9306E
maxchar, xrefs: 6CF9303F
hscrollbar, xrefs: 6CF92C35
autovscroll, xrefs: 6CF92BF4
wantreturn, xrefs: 6CF92D35
textpadding, xrefs: 6CF93106
autohscroll, xrefs: 6CF92C77
tipvaluecolor, xrefs: 6CF931E4
focusedimage, xrefs: 6CF930BA
vscrollbar, xrefs: 6CF92BB3
font, xrefs: 6CF92F92
center, xrefs: 6CF92F0F, 6CF93241
align, xrefs: 6CF92EBA
hotimage, xrefs: 6CF93094
readonly, xrefs: 6CF92E25

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: align$autohscroll$autovscroll$center$disabledimage$focusedimage$font$hotimage$hscrollbar$left$maxchar$multiline$normalimage$password$readonly$rich$right$textcolor$textpadding$tipvalue$tipvaluealign$tipvaluecolor$transparent$true$vscrollbar$wantctrlreturn$wantreturn$wanttab
API String ID: 3832890014-2978963918
Opcode ID: 0ffcb7f0927216efe56301d137cf2be674c177c54c4467657442c13834abc6c0
Instruction ID: fff60c202600cf98c90c2ae1ea0d5fd92d549fc7ad155464937ece00e734d476
Opcode Fuzzy Hash: 0ffcb7f0927216efe56301d137cf2be674c177c54c4467657442c13834abc6c0
Instruction Fuzzy Hash: AE1230B5E09205ABEF04DBA5CD45EEE73F5AF48304F148168E909AB741EB36DE04CB61

Function 6CFCCF60 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 405
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wcsicoll.LIBCMT ref: 6CFCCF7C
__fassign.LIBCMT ref: 6CFCCFAF

Part of subcall function 6D0185FC: wcstoxl.LIBCMT ref: 6D01860C

__fassign.LIBCMT ref: 6CFCCFC7
__fassign.LIBCMT ref: 6CFCCFDF
__fassign.LIBCMT ref: 6CFCCFF7
__wcsicoll.LIBCMT ref: 6CFCD03C
__wcsicoll.LIBCMT ref: 6CFCD051

Strings

left, xrefs: 6CFCD311
mousechild, xrefs: 6CFCD033
right, xrefs: 6CFCD359
hscrollbar, xrefs: 6CFCD19E
childvalign, xrefs: 6CFCD380
inset, xrefs: 6CFCCF73
scrollstepsize, xrefs: 6CFCD401
bottom, xrefs: 6CFCD3DD
true, xrefs: 6CFCD048, 6CFCD0A5, 6CFCD1B3
vscrollbarstyle, xrefs: 6CFCD0D4
vcenter, xrefs: 6CFCD3B9
vscrollbar, xrefs: 6CFCD077
childalign, xrefs: 6CFCD2FC
hscrollbarstyle, xrefs: 6CFCD1FB
center, xrefs: 6CFCD335
top, xrefs: 6CFCD395
childpadding, xrefs: 6CFCD2C5

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __fassign$__wcsicoll$wcstoxl
String ID: bottom$center$childalign$childpadding$childvalign$hscrollbar$hscrollbarstyle$inset$left$mousechild$right$scrollstepsize$top$true$vcenter$vscrollbar$vscrollbarstyle
API String ID: 1413853151-2115408772
Opcode ID: 09a218c501da8c642495317189ee751ef35a361d3fb92970360fe24ea89b6187
Instruction ID: 11dd1f97221722309e096b56296cbdc100ba44984e1b01be368f2d5455ff8bc0
Opcode Fuzzy Hash: 09a218c501da8c642495317189ee751ef35a361d3fb92970360fe24ea89b6187
Instruction Fuzzy Hash: 7BE12E75B44106ABDB04DFA4CD90AEEB3F5AF88304F148168E919A7750DB35EE44CFA1

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: "%s" created, xrefs: 00401849
Rename: %s, xrefs: 004018F8
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Aborting: "%s", xrefs: 0040161D
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
BringToFront, xrefs: 004016BD
Jump: %d, xrefs: 00401602
Rename failed: %s, xrefs: 0040194B
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Call: %d, xrefs: 0040165A
Rename on reboot: %s, xrefs: 00401943
detailprint: %s, xrefs: 00401679
CreateDirectory: "%s" (%d), xrefs: 004017BF
SetFileAttributes failed., xrefs: 004017A1
Sleep(%d), xrefs: 0040169D

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: 0aacebd35cab78dd9e56fb0c34c611705e18b02e61851c41ce70807ba0770869
Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
Opcode Fuzzy Hash: 0aacebd35cab78dd9e56fb0c34c611705e18b02e61851c41ce70807ba0770869
Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
ShowWindow.USER32(?), ref: 004054FE
DestroyWindow.USER32 ref: 00405512
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
GetDlgItem.USER32(?,?), ref: 0040554F
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
IsWindowEnabled.USER32(00000000), ref: 0040556A
GetDlgItem.USER32(?,00000001), ref: 00405619
GetDlgItem.USER32(?,00000002), ref: 00405623
SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
GetDlgItem.USER32(?,00000003), ref: 00405734
ShowWindow.USER32(00000000,?), ref: 00405756
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
EnableWindow.USER32(?,?), ref: 00405783
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
EnableMenuItem.USER32(00000000), ref: 004057A0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
SetWindowTextW.USER32(?,00451D98), ref: 00405808
ShowWindow.USER32(?,0000000A), ref: 0040593C

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

.DEFAULT\Control Panel\International, xrefs: 004059C5
_Nb, xrefs: 00405AFD
RichEdit, xrefs: 00405BF0
.exe, xrefs: 00405A69
"F, xrefs: 00405A4B
RichEd20, xrefs: 00405BC9
@jG, xrefs: 00405AF2
F, xrefs: 00405A22
RichEd32, xrefs: 00405BD4
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
RichEdit20A, xrefs: 00405BE2, 00405BE7

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 6CFD1F70 Relevance: 39.1, APIs: 10, Strings: 12, Instructions: 611
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wcsicoll.LIBCMT ref: 6CFD2020
__wcsicoll.LIBCMT ref: 6CFD2038
__wcsicoll.LIBCMT ref: 6CFD2050
__wcsicoll.LIBCMT ref: 6CFD2068
__wcsicoll.LIBCMT ref: 6CFD208F
__wcsicoll.LIBCMT ref: 6CFD20AC
_memset.LIBCMT ref: 6CFD20FE
__fassign.LIBCMT ref: 6CFD2145

Strings

Include, xrefs: 6CFD20A0
TreeView, xrefs: 6CFD24C8
Default, xrefs: 6CFD2044
Style, xrefs: 6CFD205C
count, xrefs: 6CFD211E
TreeNode, xrefs: 6CFD2492, 6CFD24AA
C%sUI, xrefs: 6CFD22E5
IContainer, xrefs: 6CFD266D
Font, xrefs: 6CFD202C
Import, xrefs: 6CFD2083
Image, xrefs: 6CFD2014
source, xrefs: 6CFD216B

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll$__fassign_memset
String ID: C%sUI$Default$Font$IContainer$Image$Import$Include$Style$TreeNode$TreeView$count$source
API String ID: 3453739279-446817640
Opcode ID: 46a3989816623e864da92e0789726d48d49d6b5d455f6f1162f9f13644307cb7
Instruction ID: a349562b4921c30a51c4d4525e1af000a37bd46e059671e0a028f8403b332312
Opcode Fuzzy Hash: 46a3989816623e864da92e0789726d48d49d6b5d455f6f1162f9f13644307cb7
Instruction Fuzzy Hash: 8A523975A052689FDB24CF14CC94BDAB3B2BF88304F1442D9E519A7690DB726EC8CF91

Function 6F951C1B Relevance: 37.3, APIs: 18, Strings: 3, Instructions: 559stringmemorylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 6F951581: GlobalAlloc.KERNELBASE(00000040,?,6F9515BA,?,?,6F95185F,?,6F951017), ref: 6F95158B

Part of subcall function 6F9515A3: lstrcpyW.KERNEL32(00000000,?,?,?,6F95185F,?,6F951017), ref: 6F9515C1
Part of subcall function 6F9515A3: GlobalFree.KERNEL32 ref: 6F9515D2

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6F951D0B
lstrcpyW.KERNEL32(00000008,?), ref: 6F951D59
lstrcpyW.KERNEL32(00000808,?), ref: 6F951D63
GlobalFree.KERNEL32(00000000), ref: 6F951D7D
GlobalFree.KERNEL32(?), ref: 6F951E69
GlobalFree.KERNELBASE(?), ref: 6F951E6E
GlobalFree.KERNELBASE(?), ref: 6F951E73
GlobalFree.KERNEL32(00000000), ref: 6F95201A
lstrcpyW.KERNEL32(?,?), ref: 6F95217A
GetModuleHandleW.KERNEL32(00000008), ref: 6F9521EE
LoadLibraryW.KERNEL32(00000008), ref: 6F9521FF
lstrcmpiW.KERNEL32(kernel32,00000008), ref: 6F95221B
lstrcmpiW.KERNEL32(kernel32.dll,00000008), ref: 6F952227
lstrlenW.KERNEL32(00000808), ref: 6F952258
lstrcatW.KERNEL32(00000808,6F9530C8), ref: 6F95227C
lstrcpyW.KERNEL32(?,00000808), ref: 6F9522C7
lstrcatW.KERNEL32(?,00000057), ref: 6F9522DE
lstrcatW.KERNEL32(00000808,00000057), ref: 6F952307

Strings

kernel32.dll, xrefs: 6F952222
kernel32, xrefs: 6F952216
W, xrefs: 6F9522C0

Memory Dump Source

Source File: 00000000.00000002.2905145483.000000006F951000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000000.00000002.2905129472.000000006F950000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905161285.000000006F953000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905179764.000000006F955000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f950000_electrumx64.jbxd

Similarity

API ID: Global$Free$lstrcpy$lstrcat$Alloclstrcmpi$HandleLibraryLoadModulelstrlen
String ID: W$kernel32$kernel32.dll
API String ID: 2496820534-4093004423
Opcode ID: 419cac719a9e4dc39c8d947ce9c675112c844857bd0a6f6f916ae80eac10bde9
Instruction ID: 82a4574e5e9ae6934ed0f91982289f8c6635e47f7dce8ca3642e17b8988368c1
Opcode Fuzzy Hash: 419cac719a9e4dc39c8d947ce9c675112c844857bd0a6f6f916ae80eac10bde9
Instruction Fuzzy Hash: A9128B71904706DADB21CFB8C980AEEBBB9FF0A314F10452AD166E61C0D774E6E8CB54

Function 6CFB9B30 Relevance: 32.1, APIs: 17, Strings: 1, Instructions: 588
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000FF,00000000,E243FD3F), ref: 6CFB9BD0
GetFileSize.KERNEL32(000000FF,00000000), ref: 6CFB9C05
std::_DebugHeapString::_DebugHeapString.LIBCPMTD ref: 6CFB9CCD
FindResourceW.KERNEL32(00000000,000000FF,00000000,E243FD3F), ref: 6CFB9FBE
CreateFileW.KERNEL32(000000FF,80000000,00000001,00000000,00000003,00000080,00000000), ref: 6CFBA097
GetFileSize.KERNEL32(000000FF,00000000), ref: 6CFBA0BA
ReadFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 6CFBA10B
CloseHandle.KERNEL32(000000FF), ref: 6CFBA118
_memset.LIBCMT ref: 6CFBA1B1

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

Strings

(, xrefs: 6CFBA1B9

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: File$CreateDebugHeapSize$CloseFindHandleReadResourceStringString::__free_memsetstd::_
String ID: (
API String ID: 1708488715-3887548279
Opcode ID: 5cd86bab5aa994db4dd2780997fb78f9287672661d4c0da728d8fc589d0601ba
Instruction ID: f2f6cfd430d8978b9f89a20dc934477cb618ce7444139e980a2e623a67d0c0c8
Opcode Fuzzy Hash: 5cd86bab5aa994db4dd2780997fb78f9287672661d4c0da728d8fc589d0601ba
Instruction Fuzzy Hash: EE525CB0D04259CBDB24DFA4C840BEEBBB5AF49304F1082D9D51977781DB35AA88CF65

Function 6CF717B0 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 256
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF71816
GlobalFree.KERNEL32 ref: 6CF71826
_memset.LIBCMT ref: 6CF7185A
lstrcpyW.KERNEL32(?,?), ref: 6CF7187D
GlobalFree.KERNEL32 ref: 6CF71889

Part of subcall function 6CF748C0: GlobalAlloc.KERNEL32(00000040,0000200C,00000000,?,6CF71B02,unsupported attribute,selected,visible,enabled,userdata,text,height,width,?,000000FF), ref: 6CF748D9
Part of subcall function 6CF748C0: lstrcpynW.KERNEL32(00000004,?,00002004,?,6CF71B02,unsupported attribute,selected,visible,enabled,userdata,text,height,width,?,000000FF), ref: 6CF748F0

_memset.LIBCMT ref: 6CF718B1
lstrcpyW.KERNEL32(?,?,?,?,000000FF), ref: 6CF718D3
GlobalFree.KERNELBASE ref: 6CF718DF
IsWindow.USER32(?), ref: 6CF71902

Strings

width, xrefs: 6CF7197E
enabled, xrefs: 6CF71A4B
text, xrefs: 6CF719DD
height, xrefs: 6CF719B5
userdata, xrefs: 6CF71A1E
visible, xrefs: 6CF71A7D
selected, xrefs: 6CF71AAC
unsupported attribute with this control, xrefs: 6CF71AF1
unsupported attribute, xrefs: 6CF71AF8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Global$Free$_memsetlstrcpylstrcpyn$AllocWindow
String ID: enabled$height$selected$text$unsupported attribute$unsupported attribute with this control$userdata$visible$width
API String ID: 3770548889-1816005700
Opcode ID: cec8ce15f5060606ca4acee3d9f1cde1120280122bffa3c1768dcafee49d0b85
Instruction ID: 021a8cb324791c0dff217640237c3b132eed791d2f26f1f272fa0546ec37631b
Opcode Fuzzy Hash: cec8ce15f5060606ca4acee3d9f1cde1120280122bffa3c1768dcafee49d0b85
Instruction Fuzzy Hash: 32918E719015159BDF24EF24ED50FEE7375AF95208F50829AD90967680EF30EA8DCFA0

Function 6CF96500 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 363
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CFD7540: CoCreateInstance.COMBASE(6D035FE0,00000000,00000001,6D036010,?), ref: 6CFD75C8

Part of subcall function 6CF8C420: _malloc.LIBCMT ref: 6CF8C450

Part of subcall function 6CF8D5D0: _memset.LIBCMT ref: 6CF8D62F

Part of subcall function 6CFD29D0: _memset.LIBCMT ref: 6CFD2A66

_memset.LIBCMT ref: 6CF96963
GetStockObject.GDI32(00000011), ref: 6CF96973
GetObjectW.GDI32(00000000), ref: 6CF9697A
CreateFontIndirectW.GDI32(00000000), ref: 6CF96988
_memset.LIBCMT ref: 6CF969F4
CreatePen.GDI32(00000000,00000001,000000DC), ref: 6CF96A67
6F551CD0.COMCTL32(?,?,?,?,?,?), ref: 6CF96A72
LoadLibraryW.KERNELBASE(msimg32.dll), ref: 6CF96A7D
_memset.LIBCMT ref: 6CF96B14
_memset.LIBCMT ref: 6CF96B2D
_memset.LIBCMT ref: 6CF96B45
_memset.LIBCMT ref: 6CF96B5E

Strings

msimg32.dll, xrefs: 6CF96A78
, xrefs: 6CF96994
0, xrefs: 6CF96A55, 6CF96A6D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memset$Create$Object$F551FontIndirectInstanceLibraryLoadStock_malloc
String ID: msimg32.dll$$0
API String ID: 1442371279-2677200948
Opcode ID: fd67418b8a33ad443f2665245f64ca98d9fbd8a69a357fd7b5bc428481a8d8ae
Instruction ID: 5aeee5cf3dd3c81bc4b2361583451dac0776a4c3a50bcbd1fd01fb1699c1316e
Opcode Fuzzy Hash: fd67418b8a33ad443f2665245f64ca98d9fbd8a69a357fd7b5bc428481a8d8ae
Instruction Fuzzy Hash: E5127E70901259CFEB24CB54CA54BDEBBB1BF45308F1481E8D689AB3C2DB765A84CF91

Function 6CFD2D00 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 371
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

G, xrefs: 6CFD2DB3

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: bd252c7d10a7fd798e1d6e40f9d369c158ab7acf8d16afd2851101e081d8d06b
Instruction ID: dd6054f8f3ca879cc04b606882094ea0e7a6c35389b0b34d5d332d7cd0372f3a
Opcode Fuzzy Hash: bd252c7d10a7fd798e1d6e40f9d369c158ab7acf8d16afd2851101e081d8d06b
Instruction Fuzzy Hash: ACF1B271A00149EFCB08CF98C894BAEBBB1BF85305F2981C8E555AB685C731EF45DB90

Function 6CF70180 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 207
stringmemorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 6CF701DA
_memset.LIBCMT ref: 6CF701EE
lstrcpyW.KERNEL32(?,?), ref: 6CF7021C
GlobalFree.KERNEL32 ref: 6CF70229
_memset.LIBCMT ref: 6CF70311
lstrcpyW.KERNEL32(?,?,?,?,000000FF,00000000), ref: 6CF70333
GlobalFree.KERNEL32 ref: 6CF70340
wsprintfW.USER32 ref: 6CF703E3
GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF70402
lstrcpynW.KERNEL32(00000004,?,00002004), ref: 6CF70418
PostMessageW.USER32(00000000,00008071,00000000,00000000), ref: 6CF7043E

Strings

skin.zip, xrefs: 6CF70266
install.xml, xrefs: 6CF7027E
XXX, xrefs: 6CF703A8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Global$Free_memsetlstrcpy$AllocInitializeMessagePostlstrcpynwsprintf
String ID: XXX$install.xml$skin.zip
API String ID: 2343033441-3793670083
Opcode ID: ef919107ab6c99fca8fd6d39cad48e96632bf4f71523344409431309650cef08
Instruction ID: ad22750a1ba70a1b9cd61bd93ddaff5e425edca67cc5f5597f92e387c1ac44ba
Opcode Fuzzy Hash: ef919107ab6c99fca8fd6d39cad48e96632bf4f71523344409431309650cef08
Instruction Fuzzy Hash: CC71A471A01204EBDB14EF64DD41FEE7378AF89704F10455AE609A77C1DB70A988CF64

Function 6CF63BE0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 6CF63C5F
GetClientRect.USER32(?,?), ref: 6CF63C7E
ScreenToClient.USER32(?,?), ref: 6CF63C8D
GetWindowRect.USER32(?,?), ref: 6CF63CEF
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000001), ref: 6CF63D17
InvalidateRect.USER32(?,?,00000001,?,?), ref: 6CF63D3C

Part of subcall function 6CF8C0D0: PostMessageW.USER32(?,?,?,00000000), ref: 6CF8C0EA

Strings

s, xrefs: 6CF63C0B
editLicense, xrefs: 6CF63F67

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Rect$ClientWindow$CursorInvalidateMessagePostScreen
String ID: editLicense$s
API String ID: 2400065917-3755112512
Opcode ID: 2d34b886ef4efaba59e59ee32ff5c83a3e0ea12f9e80ca15b609aad0507f09ab
Instruction ID: f73d94151cdb72114ec6834e69cbe145bb33b8af431e3194dd51dc9e82bf8264
Opcode Fuzzy Hash: 2d34b886ef4efaba59e59ee32ff5c83a3e0ea12f9e80ca15b609aad0507f09ab
Instruction Fuzzy Hash: F1B16E75A04301DFCB14DF65D680F9AB7F5EB89318F10892EF45987A80D734A989CF92

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185stringtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

lstrcatW.KERNEL32(00000000,00000000,ShowPage,004D70B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,ShowPage,ShowPage,00000000,00000000,ShowPage,004D70B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00428BB1,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00428BB1,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00428BB1,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Strings

ShowPage, xrefs: 00401A53, 00401A5C, 00401A69, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user retry, xrefs: 00401B40
File: error, user cancel, xrefs: 00401B93
File: error, user abort, xrefs: 00401B53
File: error creating "%s", xrefs: 00401AF0
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: wrote %d to "%s", xrefs: 00401BD0

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$ShowPage
API String ID: 4286501637-3981414064
Opcode ID: 23359e57e86623cb041ae238ad4d2dfc68e00f0e31f0802a264bc06316deb979
Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
Opcode Fuzzy Hash: 23359e57e86623cb041ae238ad4d2dfc68e00f0e31f0802a264bc06316deb979
Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Function 6CFCF2C0 Relevance: 21.4, APIs: 5, Strings: 7, Instructions: 366filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CFCF970: _free.LIBCMT ref: 6CFCF985
Part of subcall function 6CFCF970: _free.LIBCMT ref: 6CFCF99D

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,74E2F860,00000000,E243FD3F), ref: 6CFCF358
GetFileSize.KERNEL32(000000FF,00000000), ref: 6CFCF3AB

Part of subcall function 6CFD06D0: _wcsncpy.LIBCMT ref: 6CFD06E6
Part of subcall function 6CFD06D0: _wcsncpy.LIBCMT ref: 6CFD0713

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

std::_DebugHeapString::_DebugHeapString.LIBCPMTD ref: 6CFCF587

Strings

File is empty, xrefs: 6CFCF3C2, 6CFCF733
Error opening file, xrefs: 6CFCF36F
Could not unzip file, xrefs: 6CFCF861
Could not find ziped file, xrefs: 6CFCF6DA
Error opening zip file, xrefs: 6CFCF642
File too large, xrefs: 6CFCF403, 6CFCF783
Could not read file, xrefs: 6CFCF4D2

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _free$DebugFileHeap_wcsncpy$CreateSizeStringString::_std::_
String ID: Could not find ziped file$Could not read file$Could not unzip file$Error opening file$Error opening zip file$File is empty$File too large
API String ID: 2069743891-2950584456
Opcode ID: 24f9072254c9761c5ad8367671ad41805c2295ab1c45453b335c7970bcdbdb0b
Instruction ID: 58007f32d3944874b18787a272ed9bdf8db18ec9d9fc225fd55ca654d386c09c
Opcode Fuzzy Hash: 24f9072254c9761c5ad8367671ad41805c2295ab1c45453b335c7970bcdbdb0b
Instruction Fuzzy Hash: 20F188B0E06268DBDB20DB64DC40BDEBB75AF15304F1482D9E15967A81DB306F88CF66

Function 6CFD3200 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 282COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 6CFD3243
_memset.LIBCMT ref: 6CFD32E6
SelectObject.GDI32(00000000,00000000), ref: 6CFD3369
GetLastError.KERNEL32 ref: 6CFD3372

Part of subcall function 6CFD31C0: GetLastError.KERNEL32(00000400,6CFD3381,00000000,00000000,?,?,6CFD3381), ref: 6CFD31D1
Part of subcall function 6CFD31C0: FormatMessageW.KERNELBASE(00001100,00000000,00000000,?,?,6CFD3381), ref: 6CFD31DF
Part of subcall function 6CFD31C0: LocalFree.KERNEL32(6CFD3381,?,?,6CFD3381), ref: 6CFD31E9

Part of subcall function 6CFBAD50: GetModuleHandleW.KERNEL32(msimg32.dll,AlphaBlend), ref: 6CFBAD86
Part of subcall function 6CFBAD50: GetProcAddress.KERNEL32(00000000), ref: 6CFBAD8D

MoveWindow.USER32(00000000,?,?,00000000,?,00000000,?,00000000,?), ref: 6CFD3575
UpdateLayeredWindow.USER32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000002), ref: 6CFD359F
SelectObject.GDI32(00000000,6CFD4A32), ref: 6CFD35B0
DeleteObject.GDI32(00000000), ref: 6CFD35BA
DeleteDC.GDI32(00000000), ref: 6CFD35C4

Strings

(, xrefs: 6CFD32EE

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ObjectWindow$DeleteErrorLastSelect$AddressFormatFreeHandleLayeredLocalMessageModuleMoveProcRectUpdate_memset
String ID: (
API String ID: 4092839018-3887548279
Opcode ID: 00e3e12dccf80a1607875fe454c6b2987a0df90d62604701fb2226bad0a16b0a
Instruction ID: 7e8cea3a6e253888a4355e7b43a9dd25910c92e80f04e7e23132210cfe271b20
Opcode Fuzzy Hash: 00e3e12dccf80a1607875fe454c6b2987a0df90d62604701fb2226bad0a16b0a
Instruction Fuzzy Hash: 30D14C71E04258DFDB14CFA8C894BEEBBB5BF49304F248199E509AB345D730AA85CF51

Function 6CFBDDD0 Relevance: 18.2, APIs: 9, Strings: 1, Instructions: 729COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 6CFBDE41

Strings

&#x, xrefs: 6CFBE74A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ObjectSelect
String ID: &#x
API String ID: 1517587568-603352367
Opcode ID: b71509ed1acc912eb7ea17d292e545d3d6813503f99a4e566e6c8c6a92ffa63b
Instruction ID: a526d55fcc74846f9c02854d42f8a25c7ff477e25ea52588e67c81b5f322760b
Opcode Fuzzy Hash: b71509ed1acc912eb7ea17d292e545d3d6813503f99a4e566e6c8c6a92ffa63b
Instruction Fuzzy Hash: FA72F2B1905669DFDB24CF65CC90BEEBBB5AB48305F1082D9E509B7680DB349E84CF90

Function 6CF712D0 Relevance: 18.2, APIs: 12, Instructions: 182stringCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF71336
GlobalFree.KERNEL32 ref: 6CF71346
_memset.LIBCMT ref: 6CF7137A
lstrcpyW.KERNEL32(?,?), ref: 6CF7139D
GlobalFree.KERNELBASE ref: 6CF713A9
_memset.LIBCMT ref: 6CF713D1
lstrcpyW.KERNEL32(?,?,?,?,000000FF), ref: 6CF713F3
GlobalFree.KERNELBASE ref: 6CF713FF
_memset.LIBCMT ref: 6CF71427
lstrcpyW.KERNEL32(?,?,?,?,000000FF,?,?,000000FF), ref: 6CF71449
GlobalFree.KERNEL32 ref: 6CF71455
IsWindow.USER32(?), ref: 6CF71478

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FreeGlobal$_memsetlstrcpy$Windowlstrcpyn
String ID:
API String ID: 2383034679-0
Opcode ID: 7319cb1f2e180c4134fc287c73430e5131c5189898672906351b73304ad6260b
Instruction ID: 07acfad80c44ab3a54f9c6f1e5b85953d26c3ed840c7612c866bf590496165c3
Opcode Fuzzy Hash: 7319cb1f2e180c4134fc287c73430e5131c5189898672906351b73304ad6260b
Instruction Fuzzy Hash: 626162B2901114DBCB24EF64DD50FEAB379BF85714F504299D61AA7A40DB30EA49CFA0

Function 004035B3 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004035C4
GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
Null, xrefs: 004036AA
Error launching installer, xrefs: 00403603
Inst, xrefs: 00403698
soft, xrefs: 004036A1

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
Opcode Fuzzy Hash: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Function 6CFDDFE0 Relevance: 16.3, APIs: 5, Strings: 4, Instructions: 599COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CFDE06D

Strings

/..\, xrefs: 6CFDE392
/../, xrefs: 6CFDE35B
\../, xrefs: 6CFDE324
\..\, xrefs: 6CFDE2ED

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memmove
String ID: /../$/..\$\../$\..\
API String ID: 4104443479-3885502717
Opcode ID: 5e7b5fb70ca130f6e1530c9280c7fe1d4cf6cfa5431475c11672ec7556f63316
Instruction ID: 7d78f14759ee9433aceef4a6535e6cff77b13d7f079e1d6a463577abaa69d411
Opcode Fuzzy Hash: 5e7b5fb70ca130f6e1530c9280c7fe1d4cf6cfa5431475c11672ec7556f63316
Instruction Fuzzy Hash: 76523C70A012189FDB15CF58C990BEDB7B5AF89304F1882E9E519AB385D730AF81CF90

Function 6CFDEB60 Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

%s%s, xrefs: 6CFDEF79
%s%s%s, xrefs: 6CFDEFBC

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID: %s%s$%s%s%s
API String ID: 0-1506711308
Opcode ID: 45a411f8884dfe8a536a7c97f75943245a69106a6d1c62919ebc657fb2090543
Instruction ID: e97aa7d7cc20fa4ce8a052b8c2d1aa136eef4a1d4614600709f3c80384c34f27
Opcode Fuzzy Hash: 45a411f8884dfe8a536a7c97f75943245a69106a6d1c62919ebc657fb2090543
Instruction Fuzzy Hash: D0026071905119CFDB24CF14CD84BAAB7B2AF85308F1A82D9E4196B740DB32AED5CF91

Function 6CF63760 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 280memorystringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF639AF
lstrcpynW.KERNEL32(00000004,?,00002004), ref: 6CF639C4
GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF639DD
lstrcpynW.KERNEL32(00000004,ui_inited,00002004), ref: 6CF639F1
std::_Xinvalid_argument.LIBCPMT ref: 6CF63B0C

Strings

list<T> too long, xrefs: 6CF63B07
.txt, xrefs: 6CF63AE8
ui_inited, xrefs: 6CF639E8
editLicense, xrefs: 6CF63ABB

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: AllocGloballstrcpyn$Xinvalid_argumentstd::_
String ID: .txt$editLicense$list<T> too long$ui_inited
API String ID: 1084485446-4130411850
Opcode ID: ba08f00ba96890524c0bcc628522458b2081b90fb1af37db8629257b65a2a58e
Instruction ID: 05d82b68585620f4c38bb878c3fbc4573ec5a9fee85249d100b0b441579204ad
Opcode Fuzzy Hash: ba08f00ba96890524c0bcc628522458b2081b90fb1af37db8629257b65a2a58e
Instruction Fuzzy Hash: AEB18AB1608381CFD714DF29C580BAAB7F5BF89708F14491DE49987B91D770E849CB92

Function 0040337F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00428BB1,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

(]C, xrefs: 004033FD
... %d%%, xrefs: 004034C8
pAB, xrefs: 004033AB

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB
API String ID: 651206458-3635341587
Opcode ID: cb4c91118d633cdc657fe6c8c56820a3b26f1ee58aa4180b17ceb2c9431ae53d
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: cb4c91118d633cdc657fe6c8c56820a3b26f1ee58aa4180b17ceb2c9431ae53d
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 6CF61BB0 Relevance: 15.2, APIs: 10, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6CF61CF9
__CxxThrowException@8.LIBCMT ref: 6CF61D0E
std::exception::exception.LIBCMT ref: 6CF61D1D
__CxxThrowException@8.LIBCMT ref: 6CF61D32
std::exception::exception.LIBCMT ref: 6CF61D41
__CxxThrowException@8.LIBCMT ref: 6CF61D56
std::exception::exception.LIBCMT ref: 6CF61D65
__CxxThrowException@8.LIBCMT ref: 6CF61D7A
std::exception::exception.LIBCMT ref: 6CF61D89
__CxxThrowException@8.LIBCMT ref: 6CF61D9E

Part of subcall function 6CF7C861: std::exception::exception.LIBCMT ref: 6CF7C8B0
Part of subcall function 6CF7C861: std::exception::exception.LIBCMT ref: 6CF7C8CA
Part of subcall function 6CF7C861: __CxxThrowException@8.LIBCMT ref: 6CF7C8DB

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: df9705d3a88584009c2c1e9c8568471d55a77d5dd0671868b5dbd9eff9d7de25
Instruction ID: 21392575428012c828f7da844d9fa76acad6014f57a71a05efa2f3d3db959de8
Opcode Fuzzy Hash: df9705d3a88584009c2c1e9c8568471d55a77d5dd0671868b5dbd9eff9d7de25
Instruction Fuzzy Hash: 17516DB1901704DFC761CF69D980AEEBBF0FF58600F14866ED449A7B51E731AA08CB62

Function 6CFCD9E0 Relevance: 14.0, APIs: 9, Instructions: 546COMMON

Download Yara Rule

APIs

IntersectRect.USER32(00000000,?,?), ref: 6CFCDA38

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: IntersectRect
String ID:
API String ID: 481094312-0
Opcode ID: 7dac4e6525abba0ebb98c4ddbea3a74dfbf4954f4cac856dd0777189af07a3e7
Instruction ID: 2ae48e1bd3b20577acd3ee45a1916ee162727b1470ee227b95911ef91cfd3f0f
Opcode Fuzzy Hash: 7dac4e6525abba0ebb98c4ddbea3a74dfbf4954f4cac856dd0777189af07a3e7
Instruction Fuzzy Hash: 60420A74A002099FCB58DF68C890BEEB7B1BF89314F1482A9E459AB751DB30AD85CF51

Function 6F9528A3 Relevance: 13.6, APIs: 9, Instructions: 147memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 6F952958
GlobalAlloc.KERNEL32(00000040,?), ref: 6F952985
lstrcpynW.KERNEL32(00000000,?), ref: 6F952998
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6F9529B4
CLSIDFromString.OLE32(00000000,00000000), ref: 6F9529C1
GlobalFree.KERNEL32(00000000), ref: 6F9529C8
GlobalAlloc.KERNEL32(00000040), ref: 6F9529D8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6F9529EF
GlobalFree.KERNELBASE(00000000), ref: 6F952A19

Memory Dump Source

Source File: 00000000.00000002.2905145483.000000006F951000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000000.00000002.2905129472.000000006F950000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905161285.000000006F953000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905179764.000000006F955000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f950000_electrumx64.jbxd

Similarity

API ID: Global$Alloc$Free$ByteCharFromMultiStringWidelstrcpynlstrlen
String ID:
API String ID: 916651646-0
Opcode ID: 3e876ff800af75e58e2a559d1f6f366aeed590134c889fe575416fd2505727c6
Instruction ID: 4006e292df1972aee6b3d404d24a3f841df3edf44532779ba96872249562a8fd
Opcode Fuzzy Hash: 3e876ff800af75e58e2a559d1f6f366aeed590134c889fe575416fd2505727c6
Instruction Fuzzy Hash: C541AA71108301AFE764CF788944A6A7BF8FF46321F100A1AE61ADA2D1D730E4B9CF61

Function 6CF70BE0 Relevance: 13.6, APIs: 9, Instructions: 134stringCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF70C4D
GlobalFree.KERNEL32 ref: 6CF70C5D
_memset.LIBCMT ref: 6CF70C8C
lstrcpyW.KERNEL32(?,?), ref: 6CF70CAD
GlobalFree.KERNEL32 ref: 6CF70CBD
lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF70CE7
GlobalFree.KERNELBASE ref: 6CF70CF8
IsWindow.USER32(?), ref: 6CF70D10
UpdateWindow.USER32(?), ref: 6CF70D7C

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FreeGlobal$Windowlstrcpyn$Update_memsetlstrcpy
String ID:
API String ID: 1311623043-0
Opcode ID: 3aaffdbd6d4fe5bd4b0688e53861effc3ce169d50a59e14180049c1d0dba2f82
Instruction ID: a00c6c64d1f0fe98430fc90df8edcc78cb6dfe15b7d148a4be75f195c77adc24
Opcode Fuzzy Hash: 3aaffdbd6d4fe5bd4b0688e53861effc3ce169d50a59e14180049c1d0dba2f82
Instruction Fuzzy Hash: B351BF76901314DFCB24DF68DA80FAAB3B9BFC9714F10455AE94597700DB71A984CFA0

Function 6CF70560 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF8B7D0: IsWindow.USER32(?), ref: 6CF8B7E0

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

lstrcpynW.KERNEL32(?,?,00000080,?), ref: 6CF70629
GlobalFree.KERNEL32 ref: 6CF7063A
KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 6CF706AB
TranslateMessage.USER32(00000000), ref: 6CF706DA
DispatchMessageW.USER32(00000000), ref: 6CF706E3
KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,00000000), ref: 6CF706F2

Strings

logo.ico, xrefs: 6CF705B0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CallbackDispatcherMessageUser$DispatchFreeGlobalTranslateWindow_freelstrcpyn
String ID: logo.ico
API String ID: 2296167118-87942624
Opcode ID: 99defe743fc28bdd9bea8b73d98bae1df0e3e416d2e4ca5b4ab42e54ef3bc88e
Instruction ID: a370a1cfb5c71f96fca97e9159666b13594a558adfe58e77751e67665446eeb2
Opcode Fuzzy Hash: 99defe743fc28bdd9bea8b73d98bae1df0e3e416d2e4ca5b4ab42e54ef3bc88e
Instruction Fuzzy Hash: 78413171A01218DFDF14EF64DD90FDAB7B8EF89704F104199E94997640DB71AA88CFA0

Function 004023F0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00428BB1,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00428BB1,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00428BB1,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
`G, xrefs: 0040246E
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
API String ID: 1033533793-4193110038
Opcode ID: c076069b8b51cc5180cfdda9fa0df6bded6a99c0ce616e210176aacc9454d606
Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
Opcode Fuzzy Hash: c076069b8b51cc5180cfdda9fa0df6bded6a99c0ce616e210176aacc9454d606
Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

Function 6CF62E00 Relevance: 12.2, APIs: 8, Instructions: 209COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6CF63067
__CxxThrowException@8.LIBCMT ref: 6CF6307C
std::exception::exception.LIBCMT ref: 6CF6308B
__CxxThrowException@8.LIBCMT ref: 6CF630A0
std::exception::exception.LIBCMT ref: 6CF630AF
__CxxThrowException@8.LIBCMT ref: 6CF630C4
std::exception::exception.LIBCMT ref: 6CF630D3
__CxxThrowException@8.LIBCMT ref: 6CF630E8

Part of subcall function 6CF7C861: std::exception::exception.LIBCMT ref: 6CF7C8B0
Part of subcall function 6CF7C861: std::exception::exception.LIBCMT ref: 6CF7C8CA
Part of subcall function 6CF7C861: __CxxThrowException@8.LIBCMT ref: 6CF7C8DB

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 3413db461a175ded4634e89aa8cfa65850fccea547189820b8738daac46ddbf6
Instruction ID: 5c982adbfa3035d7f52df8a96150e2f69e1ef01876cd405f26c3bd6e0415685b
Opcode Fuzzy Hash: 3413db461a175ded4634e89aa8cfa65850fccea547189820b8738daac46ddbf6
Instruction Fuzzy Hash: 6391A7B0905604DFC721CF68C684BDABBF0EB59304F14856ED45E97702E735A908CFA2

Function 6CFCF060 Relevance: 12.2, APIs: 8, Instructions: 197COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000003,00000000,00000000), ref: 6CFCF0CA
_malloc.LIBCMT ref: 6CFCF0DB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,00000003,?,00000000), ref: 6CFCF101
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,6CFA1AE0,00000000,00000000), ref: 6CFCF130
_malloc.LIBCMT ref: 6CFCF141
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,6CFA1AE0,?,6CFA1AE0), ref: 6CFCF164
_malloc.LIBCMT ref: 6CFCF252
_memmove.LIBCMT ref: 6CFCF26F

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ByteCharMultiWide$_malloc$_memmove
String ID:
API String ID: 3455049887-0
Opcode ID: 95e7ca84321498eab80927df39c2eaa79e8653a3d60507a890d4573326f2f128
Instruction ID: 4b1ba527608a748b0f57834b800858522dd1880de6e826024f21f830c23592a5
Opcode Fuzzy Hash: 95e7ca84321498eab80927df39c2eaa79e8653a3d60507a890d4573326f2f128
Instruction Fuzzy Hash: 9C818175B0424AAFCB54CF68C490BEEBB72EF89314F14C158E9499F781C731AA46CB91

Function 6CF62980 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 176COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF62A69
OutputDebugStringW.KERNELBASE(00000000,images,E243FD3F,00000000,?,74DEFFC0), ref: 6CF62AD8

Strings

list<T> too long, xrefs: 6CF62A64
Window, xrefs: 6CF62A94, 6CF62AB8
images, xrefs: 6CF629C9
%s, %s, %s, xrefs: 6CF62AC0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: DebugOutputStringXinvalid_argumentstd::_
String ID: %s, %s, %s$Window$images$list<T> too long
API String ID: 1269862971-2528853410
Opcode ID: f443d4126717b246f85ca21c21482f3441bdaea45b8b0d7dc9c0a4dd48374f7b
Instruction ID: f5b7ab6e6a0d15409d032ee79c2966e3afc9f390e2b45baca5fa514c050a5195
Opcode Fuzzy Hash: f443d4126717b246f85ca21c21482f3441bdaea45b8b0d7dc9c0a4dd48374f7b
Instruction Fuzzy Hash: 8061DE716083418FC714DF2AC984BEAB7F5BF85318F040A5DE499A7E41DB71E9488BA2

Function 6CFA19D0 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,6CF70290,74E2F860), ref: 6CFA1A5F

Part of subcall function 6CFCEFE0: _wcslen.LIBCMT ref: 6CFCEFF5
Part of subcall function 6CFCEFE0: _malloc.LIBCMT ref: 6CFCF009
Part of subcall function 6CFCEFE0: _memmove.LIBCMT ref: 6CFCF026

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FindResource_malloc_memmove_wcslen
String ID:
API String ID: 2598395083-0
Opcode ID: 8c0b9d5509c43a270e425d2284f9a8398c21f72c438a536ff253f483484e5ce0
Instruction ID: 68f212e6aadfab57f85571edbc4b3f1b55c9400790e9dbb4f67f3cab5448372e
Opcode Fuzzy Hash: 8c0b9d5509c43a270e425d2284f9a8398c21f72c438a536ff253f483484e5ce0
Instruction Fuzzy Hash: DD41A672E00129EBCB18DBE9DC58BABB7B9AF8D344F108599F409D7640DB34D9858B60

Function 6CF70460 Relevance: 9.1, APIs: 6, Instructions: 76stringCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF704C7
GlobalFree.KERNEL32 ref: 6CF704D7
_memset.LIBCMT ref: 6CF704FE
lstrcpyW.KERNEL32(?,?), ref: 6CF7051B
GlobalFree.KERNELBASE ref: 6CF7052C
SetWindowTextW.USER32(00000000,?), ref: 6CF7053A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FreeGlobal$TextWindow_memsetlstrcpylstrcpyn
String ID:
API String ID: 1391933569-0
Opcode ID: 03a310116181ce18dc6c3ee11beb0f67b548401caa8fff15b55557e95951051a
Instruction ID: 127460a678b3b23284a9daa362dacd73d0841fd52baa8561daecc3af6d6218fe
Opcode Fuzzy Hash: 03a310116181ce18dc6c3ee11beb0f67b548401caa8fff15b55557e95951051a
Instruction Fuzzy Hash: 6A213D76902208DFCB24DF68D980F9AB7B9EF89714F20455AE90597340D771E988CFA0

Function 6CFB0B60 Relevance: 8.2, APIs: 1, Strings: 3, Instructions: 1159COMMON

Download Yara Rule

Strings

outofmem, xrefs: 6CFB0BA6
invalid filter, xrefs: 6CFB0C7F
not enough pixels, xrefs: 6CFB0BF6, 6CFB0C12

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _malloc
String ID: invalid filter$not enough pixels$outofmem
API String ID: 1579825452-151463205
Opcode ID: 8bab5281eaac270ddf5d30dd28cdb204d9bf61500889cdb5bbf1783fbab639e6
Instruction ID: 659e3ef6af5be1097dafe2caa753473b179164898f8848107566f163ef11c019
Opcode Fuzzy Hash: 8bab5281eaac270ddf5d30dd28cdb204d9bf61500889cdb5bbf1783fbab639e6
Instruction Fuzzy Hash: E5C2F575E04199CFCB05CFA9C590AAEBBB1FF4A308F188159E851BB745C339AA52CF50

Function 6CF7C152 Relevance: 7.7, APIs: 5, Instructions: 160COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CF7C1AD
_memcpy_s.LIBCMT ref: 6CF7C21E
__read.LIBCMT ref: 6CF7C281
__filbuf.LIBCMT ref: 6CF7C29D

Part of subcall function 6CF7EF1D: __getptd_noexit.LIBCMT ref: 6CF7EF1D

_memset.LIBCMT ref: 6CF7C2DE

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: ec2f3f45b22c6c1f499700662e45d79e4d94285a8cedecb7b0c9d721168bfe6e
Instruction ID: ffc953ee35c82723f23e1d09190ce1f6149c9b023b9b1c49f593a65aa51f8bdc
Opcode Fuzzy Hash: ec2f3f45b22c6c1f499700662e45d79e4d94285a8cedecb7b0c9d721168bfe6e
Instruction Fuzzy Hash: 9751DA71A01709DBDB309FF9A84068E77B5AF41328F21826BE83597A90D770DA54CF70

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GlobalFree.KERNELBASE(00000000), ref: 00402387

Strings

ShowPage, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$ShowPage
API String ID: 1459762280-2337487663
Opcode ID: e59d48cc0b33387c2730e4ad274f001f3a7594b7c65e82bccf9c8afdadd6d069
Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
Opcode Fuzzy Hash: e59d48cc0b33387c2730e4ad274f001f3a7594b7c65e82bccf9c8afdadd6d069
Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D

Function 6CF87E16 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CF87E24

Part of subcall function 6CF7CD40: __FF_MSGBANNER.LIBCMT ref: 6CF7CD59
Part of subcall function 6CF7CD40: __NMSG_WRITE.LIBCMT ref: 6CF7CD60
Part of subcall function 6CF7CD40: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 6CF7CD85

_free.LIBCMT ref: 6CF87E37

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: bb773307f19fce5320b956fdc27c434a89d0b041e86b65be2694e9a0534cccb2
Instruction ID: 1886dea2e195e6431e10ecd8a5be66a541f058d7220cb6da32cccb0df58979de
Opcode Fuzzy Hash: bb773307f19fce5320b956fdc27c434a89d0b041e86b65be2694e9a0534cccb2
Instruction Fuzzy Hash: 0211A732A46516ABCB321B75A804BCB3BB59F55369B214527F8549BE40DF318C4446F4

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

GlobalFree.KERNELBASE(00000000), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 62822491a2171e7313e749cd3bc434bc25a9f92e131eb6a230f292f9eb063890
Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
Opcode Fuzzy Hash: 62822491a2171e7313e749cd3bc434bc25a9f92e131eb6a230f292f9eb063890
Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 39b3758b80fcd953e19c2f81128d57e0ae640eda6b6d66c2b66b0c237e413b24
Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
Opcode Fuzzy Hash: 39b3758b80fcd953e19c2f81128d57e0ae640eda6b6d66c2b66b0c237e413b24
Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68

Function 6CF8D540 Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

_vswprintf_s.LIBCMT ref: 6CF8D552

Part of subcall function 6D01841D: __vsnwprintf_l.LIBCMT ref: 6D018430

_malloc.LIBCMT ref: 6CF8D56B

Part of subcall function 6CF7CD40: __FF_MSGBANNER.LIBCMT ref: 6CF7CD59
Part of subcall function 6CF7CD40: __NMSG_WRITE.LIBCMT ref: 6CF7CD60
Part of subcall function 6CF7CD40: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 6CF7CD85

_memset.LIBCMT ref: 6CF8D580
_vswprintf_s.LIBCMT ref: 6CF8D59B

Part of subcall function 6CF8CAD0: _wcslen.LIBCMT ref: 6CF8CAF0
Part of subcall function 6CF8CAD0: _free.LIBCMT ref: 6CF8CB22
Part of subcall function 6CF8CAD0: _wcsncpy.LIBCMT ref: 6CF8CB90

_free.LIBCMT ref: 6CF8D5B8

Part of subcall function 6CF7B751: RtlFreeHeap.NTDLL(00000000,00000000,?,6CF81320,00000000), ref: 6CF7B767
Part of subcall function 6CF7B751: GetLastError.KERNEL32(00000000), ref: 6CF7B779

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Heap_free_vswprintf_s$AllocateErrorFreeLast__vsnwprintf_l_malloc_memset_wcslen_wcsncpy
String ID:
API String ID: 246700949-0
Opcode ID: 508418e29619212fee40b68fdadcee9c50b6da2f11f2d5297319a23dcb07fa83
Instruction ID: 643eab3c5d0cd15375abc3db21d116a234be956453be25a7f23f89d8a0023b8a
Opcode Fuzzy Hash: 508418e29619212fee40b68fdadcee9c50b6da2f11f2d5297319a23dcb07fa83
Instruction Fuzzy Hash: 4E11C0B5E04108BBDB54DFD8DC81E9EB7B9EF48204F148698E91997340E631AB148B91

Function 6CF94710 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 233memorywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF973C0: 73A1A570.USER32(?,00000000,00000000,00000000,00000000,00000053,?), ref: 6CF97455

std::_DebugHeapString::_DebugHeapString.LIBCPMTD ref: 6CF94A31
MessageBoxW.USER32(00000000,00000000,Duilib,00000010), ref: 6CF94A5A
ExitProcess.KERNEL32 ref: 6CF94A62

Strings

Duilib, xrefs: 6CF94A47

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: DebugHeap$A570ExitMessageProcessStringString::_std::_
String ID: Duilib
API String ID: 2211569601-72997937
Opcode ID: 33acccb884f8b74d90ccd3d71c84908dc7e03d739f4fee4cb80a6f5ab79735ba
Instruction ID: b75229c6023e3cf008628ab8ab1a3ad5b44d37fc1d350d1e43b96a1d1fde6903
Opcode Fuzzy Hash: 33acccb884f8b74d90ccd3d71c84908dc7e03d739f4fee4cb80a6f5ab79735ba
Instruction Fuzzy Hash: 12B1E5B09012289FDB64DB18CC90BD9F7B5AF48308F5052D9E619A7391DB706F88CF69

Function 6CF8E120 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

Msftedit.dll, xrefs: 6CF8E24D
CreateTextServices, xrefs: 6CF8E261

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Object_memset
String ID: CreateTextServices$Msftedit.dll
API String ID: 2040364543-398192312
Opcode ID: 5ad15788aa6d2fed04da6147048cf6e6321e6dadc1c2d987568d688c0c61235a
Instruction ID: 6c9c0bea9a9ee3eaa9bfda11f98ce03c844585709cb0d29f03e8bb9a350c8ebc
Opcode Fuzzy Hash: 5ad15788aa6d2fed04da6147048cf6e6321e6dadc1c2d987568d688c0c61235a
Instruction Fuzzy Hash: 0C61D6B9E01209DFDB04CF98C495BAEBBB1BF88318F108199E9159B795D770E981CBD0

Function 6F952A4F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 6F951C1B: GlobalFree.KERNEL32(?), ref: 6F951E69
Part of subcall function 6F951C1B: GlobalFree.KERNELBASE(?), ref: 6F951E6E
Part of subcall function 6F951C1B: GlobalFree.KERNELBASE(?), ref: 6F951E73

GlobalFree.KERNEL32(00000000), ref: 6F952AFA
FreeLibrary.KERNEL32(?), ref: 6F952B71
GlobalFree.KERNEL32(00000000), ref: 6F952B96

Part of subcall function 6F9523C1: GlobalAlloc.KERNEL32(00000040,00000000), ref: 6F9523F3

Part of subcall function 6F9525B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,?,6F952ACB,00000000), ref: 6F952611

Part of subcall function 6F951904: lstrcpyW.KERNEL32(00000000,error,00000000,6F95287B,00000000), ref: 6F951929

Part of subcall function 6F952445: wsprintfW.USER32 ref: 6F9524E8
Part of subcall function 6F952445: GlobalFree.KERNEL32(?), ref: 6F952516
Part of subcall function 6F952445: GlobalFree.KERNEL32(00000000), ref: 6F95253F

Strings

, xrefs: 6F952B77

Memory Dump Source

Source File: 00000000.00000002.2905145483.000000006F951000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000000.00000002.2905129472.000000006F950000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905161285.000000006F953000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905179764.000000006F955000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f950000_electrumx64.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: 11ee72a18cce88ff89d727e2c1c84fd7b8f11ac8665c8ac79dfda2c4faab9bdb
Instruction ID: ee4c0d908d72fa17a4f66c8bd660878bc7153d5a32f497799ee112715a492d1e
Opcode Fuzzy Hash: 11ee72a18cce88ff89d727e2c1c84fd7b8f11ac8665c8ac79dfda2c4faab9bdb
Instruction Fuzzy Hash: 7631B3714043459ADF54DFB898C4B963BACAF16328F144426E919AE0D7DBB4E0B5CA60

Function 6CFAEF80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CFAF066
_free.LIBCMT ref: 6CFAF07F
_free.LIBCMT ref: 6CFAF098

Strings

bad req_comp, xrefs: 6CFAEF97

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _free
String ID: bad req_comp
API String ID: 269201875-3549665374
Opcode ID: 21c519371a4d52cf3fa1dc34b7be5a1550aa36ccc2e93021e47a747c9fee14ea
Instruction ID: 0750227c3d35280596b9c96a9f5219040d293bb7de1704ffd74d019963d90ecd
Opcode Fuzzy Hash: 21c519371a4d52cf3fa1dc34b7be5a1550aa36ccc2e93021e47a747c9fee14ea
Instruction Fuzzy Hash: F841E4B9600208EFDB44DF54C480B9ABBB1FF89358F24C198E8098B351D735EA86CBD0

Function 6CFD12DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFD13B2
__fassign.LIBCMT ref: 6CFD13DC
__fassign.LIBCMT ref: 6CFD13FD

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

Strings

size, xrefs: 6CFD13A6

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __fassign$__wcsicoll_free
String ID: size
API String ID: 1821799827-4156564586
Opcode ID: c09b6b04bc4209ba3b5c08208dd28156d1651608a0fc6f238d46ce3f69d3937f
Instruction ID: d5eca398e88988ee2021eab55fa727c991319c17c2f85deb232e22c432114f34
Opcode Fuzzy Hash: c09b6b04bc4209ba3b5c08208dd28156d1651608a0fc6f238d46ce3f69d3937f
Instruction Fuzzy Hash: A0310671E051289BDB24DB68CC95BDAB3B4AF44315F2482D9E11DA7680EB346F88CF51

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction ID: 6a5c1514d43e21eed083d94b15ba6593763dc9af2b3e6337d8774d5f4809249f
Opcode Fuzzy Hash: e47ff439633ded3fb17ec5eecd0e1b6806a5c9fa211e2190a11df636c871b995
Instruction Fuzzy Hash: 56217171900209BADF15AFB4D886ABE7BB9EF04349F10413EF602F60E2D6794A40D758

Function 6CF8CAD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 6CF8CAF0
_free.LIBCMT ref: 6CF8CB22
_wcsncpy.LIBCMT ref: 6CF8CB90

Part of subcall function 6CF8C9B0: _wcslen.LIBCMT ref: 6CF8C9BD

Strings

?, xrefs: 6CF8CB09

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _wcslen$_free_wcsncpy
String ID: ?
API String ID: 3312590453-1684325040
Opcode ID: 83c4e04ced0c35d90007358bf620018d9ab5b002182313b935d3b80e5be4fd74
Instruction ID: c6911270186eeda0c3641ed06c55ec8c7d49272f0cbd39624dbdec830269f184
Opcode Fuzzy Hash: 83c4e04ced0c35d90007358bf620018d9ab5b002182313b935d3b80e5be4fd74
Instruction Fuzzy Hash: 8831FAB5A05108EFDB04DFA4C580A9DB7B5FF89319F2482A8E805AB740E730AF45DF91

Function 6F95199F Relevance: 6.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 6F9515A3: lstrcpyW.KERNEL32(00000000,?,?,?,6F95185F,?,6F951017), ref: 6F9515C1
Part of subcall function 6F9515A3: GlobalFree.KERNEL32 ref: 6F9515D2

GlobalFree.KERNEL32(?), ref: 6F951A04
GlobalFree.KERNEL32(?), ref: 6F951A9C
GlobalFree.KERNELBASE(?), ref: 6F951AA1
__alldvrm.LIBCMT ref: 6F951ACB

Memory Dump Source

Source File: 00000000.00000002.2905145483.000000006F951000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000000.00000002.2905129472.000000006F950000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905161285.000000006F953000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905179764.000000006F955000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f950000_electrumx64.jbxd

Similarity

API ID: FreeGlobal$__alldvrmlstrcpy
String ID:
API String ID: 1811517867-0
Opcode ID: 30f89d33481757dd4014b647400f95ccd9f521134b74788e087700d2097ea101
Instruction ID: a642c6a6be5a80771a78e6cedf304b59059f2247557daba0f8f8837f28aae8c7
Opcode Fuzzy Hash: 30f89d33481757dd4014b647400f95ccd9f521134b74788e087700d2097ea101
Instruction Fuzzy Hash: 6C512331D04208AB9BA2DFF8C5809ADB7B9EF87354B118257D818971D4E735EFF08A51

Function 6CFDDED0 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 6CFDDF03
_wcslen.LIBCMT ref: 6CFDDF12
_wcscat.LIBCMT ref: 6CFDDF4A
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 6CFDDF62

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CurrentDirectoryFilePointer_wcscat_wcslen
String ID:
API String ID: 1723098609-0
Opcode ID: 0f2b0e60c03a25d2d99e8aee66fb888ae0e29496b37f9b9c589f414258fd0115
Instruction ID: 9353113fa5050c85d4cf1ad595678112acbbfd7abceed7c0d8af175689944eb7
Opcode Fuzzy Hash: 0f2b0e60c03a25d2d99e8aee66fb888ae0e29496b37f9b9c589f414258fd0115
Instruction Fuzzy Hash: 5E3191B5D0420ADBDB00DFA8C885BAFB775EF45308F194658F514A7A80E330AA91CFA1

Function 6CF78550 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CF78580
std::exception::exception.LIBCMT ref: 6CF7859C
__CxxThrowException@8.LIBCMT ref: 6CF785B1
_memmove.LIBCMT ref: 6CF785B9

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throw_malloc_memmovestd::exception::exception
String ID:
API String ID: 3703101265-0
Opcode ID: 7d8c022cc382d7add20709b17183ecd137ad99761f14c9d611708e595f4c36e0
Instruction ID: dad8a5cd9720979e2791f8b1c59d157f90c12b8e4d1d1bf83422841cb5e4a562
Opcode Fuzzy Hash: 7d8c022cc382d7add20709b17183ecd137ad99761f14c9d611708e595f4c36e0
Instruction Fuzzy Hash: 3211D632901205AFD721CF58E844A9AB7B9EF85328F14C1AFE8195B710D731D919CBA1

Function 6CF78420 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CF78443
std::exception::exception.LIBCMT ref: 6CF7845F
__CxxThrowException@8.LIBCMT ref: 6CF78474
_memmove.LIBCMT ref: 6CF7847C

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throw_malloc_memmovestd::exception::exception
String ID:
API String ID: 3703101265-0
Opcode ID: 224eda0a1d6cf721da101296c79e24d88f1df4354a0b950460b7716fda698457
Instruction ID: 997b094f54d13b5d2325f043e5fe90268d6fc7a62633082d5ed66b9bb1134854
Opcode Fuzzy Hash: 224eda0a1d6cf721da101296c79e24d88f1df4354a0b950460b7716fda698457
Instruction Fuzzy Hash: 06F0497290012567C721DBBDAC04AEFB7B89F85264F14076BD814A7B41EB70961983F1

Function 6CF7C861 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CF7C87B

Part of subcall function 6CF7CD40: __FF_MSGBANNER.LIBCMT ref: 6CF7CD59
Part of subcall function 6CF7CD40: __NMSG_WRITE.LIBCMT ref: 6CF7CD60
Part of subcall function 6CF7CD40: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 6CF7CD85

std::exception::exception.LIBCMT ref: 6CF7C8B0
std::exception::exception.LIBCMT ref: 6CF7C8CA
__CxxThrowException@8.LIBCMT ref: 6CF7C8DB

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: b032d55c88053d2d1e1567da0a7a3fa8236c1c4e4d292e7d57b8b2930966ebcc
Instruction ID: cd66af20083f58fac5a00fc4c1041cd86b4e6c24924bade4b4ce3ee0da010fac
Opcode Fuzzy Hash: b032d55c88053d2d1e1567da0a7a3fa8236c1c4e4d292e7d57b8b2930966ebcc
Instruction Fuzzy Hash: 39F0CD71401145ABEF24EF69F904FEE3AB8AF4531CF10453BE820A5E81DB708644C771

Function 6CFC9840 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 6CFC995A
CharNextW.USER32(?,",6D02C778,6CFC8270,000000FF,E243FD3F), ref: 6CFC9A94

Strings

", xrefs: 6CFC98D2

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CharNext
String ID: "
API String ID: 3213498283-1102514066
Opcode ID: f3916c109cf3a39bf5dc3bc23af83fc326d9ddc0b66ee3cc98f82c8e63d3e409
Instruction ID: 92274733b66e2cfc498fc9a0d15e2a4ea8a1360e1809d6c743403cb3ef17d11e
Opcode Fuzzy Hash: f3916c109cf3a39bf5dc3bc23af83fc326d9ddc0b66ee3cc98f82c8e63d3e409
Instruction Fuzzy Hash: 37C1E570A02229CBCB64EB24C990BEEB7B1EF59318F2042D9D49A67690DB305FD4CF51

Function 6CF66C50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF66CC5
_memmove.LIBCMT ref: 6CF66D16

Part of subcall function 6CF67FE0: std::_Xinvalid_argument.LIBCPMT ref: 6CF67FFA

Strings

string too long, xrefs: 6CF66CC0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: b618d93e43f84b46cb93b575ff2ba88a68155fbbc037d1562751ee9210ffb3a6
Instruction ID: f1bb406839acd8451d4311565c34786389bd4b058fcaf6832fad4a19579cb5a4
Opcode Fuzzy Hash: b618d93e43f84b46cb93b575ff2ba88a68155fbbc037d1562751ee9210ffb3a6
Instruction Fuzzy Hash: 9431A772315A105BD7258E5EE880A5AF7E9EBA6769B20062FF481C7F40C771DC4483A1

Function 6CF63610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 6CF636CF

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

Strings

oninstallwidowshow, xrefs: 6CF636D7
syscommandclose, xrefs: 6CF6364B

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CallbackDispatcherUser_free
String ID: oninstallwidowshow$syscommandclose
API String ID: 3825463412-236353129
Opcode ID: 0bbeaeb5a52f6c721d1f50a391cfbfa6956c89e56213bf097114f43dcbcdca9a
Instruction ID: d781aaca6bad160101bf36bbcb442140df141b0da208568f1c995af6da4cf1d2
Opcode Fuzzy Hash: 0bbeaeb5a52f6c721d1f50a391cfbfa6956c89e56213bf097114f43dcbcdca9a
Instruction Fuzzy Hash: 33318C759046189FDB14DB64C981FEAF7B4FB05324F104799E52A93BC0DB34AA48CBA0

Function 00405EAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405EC9
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4

Strings

nsa, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction ID: e8a8b8b1c64af8904643f6899c21fc71a506a3659d4cdc328e790c9301f5e3ed
Opcode Fuzzy Hash: 4f25573a167f5d7e94ef3749a48273d52f629be49305b635a70712ae5e4e57be
Instruction Fuzzy Hash: D8F09076600208BBDB10CF69DD05A9FBBBDEF95710F00803BE944E7250E6B09E50DB98

Function 6CFB0820 Relevance: 4.7, APIs: 3, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52352421b158a794b63c4f626c22c98504cdb797f6a3ad0ca8516d6d16dc881c
Instruction ID: 9c8e809e3987d5b10921919c889de061f39de601a0b44c2c85fc4115f3288329
Opcode Fuzzy Hash: 52352421b158a794b63c4f626c22c98504cdb797f6a3ad0ca8516d6d16dc881c
Instruction Fuzzy Hash: 17A117B5900209DFDB08CF98D994BDEBBB5FF48308F208199E919AB340D775AA55CF50

Function 6CF9F920 Relevance: 4.7, APIs: 3, Instructions: 203stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 6CF9F951
__fassign.LIBCMT ref: 6CF9F97F
_memmove.LIBCMT ref: 6CF9FA46

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __fassign_memmovelstrlen
String ID:
API String ID: 1376217908-0
Opcode ID: 42e7cfcec9580fb257be93f35a007df09b888361223510f4488b1571007a384b
Instruction ID: a9b7aeae5e5f4cb17641586b4bf102683d287d0821583001b0ec718bac6b9fce
Opcode Fuzzy Hash: 42e7cfcec9580fb257be93f35a007df09b888361223510f4488b1571007a384b
Instruction Fuzzy Hash: 9C81A0B5A00109EBEF48CF98C990FEE77B5AF89308F148158F915AB781D735DA44DBA0

Function 6CFDD670 Relevance: 4.7, APIs: 3, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02bb77d007f29480c58d0586cb7c8e5673373f867ab591d6a136fb0ef8246149
Instruction ID: 6b3221f3072eff6f0327a8f07f06543d403c6021ad97a3780c100cabe78b370d
Opcode Fuzzy Hash: 02bb77d007f29480c58d0586cb7c8e5673373f867ab591d6a136fb0ef8246149
Instruction Fuzzy Hash: 1291FDB4A00219CFDB04CFA8C990BAEB7B1BF88304F258699D8156B785D735ED45CFA0

Function 6CF620F0 Relevance: 4.6, APIs: 3, Instructions: 140COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,E243FD3F,00000000,00000000,?,00000000,node_addr,6D039F24,6D039E60), ref: 6CF62164
_memset.LIBCMT ref: 6CF621DC
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000001,000000FF,00000000,00000000,00000000,00000000), ref: 6CF621F7

Part of subcall function 6CF66000: _memmove.LIBCMT ref: 6CF66033

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove_memset
String ID:
API String ID: 2888255262-0
Opcode ID: 7207328ba642583ae4110ae1bf226f39a710efa6fb9fb00e44d1f06a97993d23
Instruction ID: f05cb8bdba8d48c3843acb6781dda0acfd387333205e26ff880e0aea6a58b233
Opcode Fuzzy Hash: 7207328ba642583ae4110ae1bf226f39a710efa6fb9fb00e44d1f06a97993d23
Instruction Fuzzy Hash: E1410770604245AFD721DF2A8C84FABBBF9EF86714F14462DE451DBF80DB71950887A1

Function 6CFDC260 Relevance: 4.6, APIs: 3, Instructions: 117fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000001,80000000,00000001,00000000,00000003,00000080,00000000,?,6CFDDF9B), ref: 6CFDC2DA
SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001,?,6CFDDF9B), ref: 6CFDC307
SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001,?,?,6CFDDF9B), ref: 6CFDC37F

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: File$Pointer$Create
String ID:
API String ID: 250661774-0
Opcode ID: 6dc2c9f8de2c5f7de4e025e51511bb67f274d94e79c2e990806f7b981529abae
Instruction ID: ecd89194f7b2a78a0eeff39bc0432993d8594de44df4d1e90252969c910c7388
Opcode Fuzzy Hash: 6dc2c9f8de2c5f7de4e025e51511bb67f274d94e79c2e990806f7b981529abae
Instruction Fuzzy Hash: CA512A74E04349EFDB15CFA4C855B9EBBB1BF05304F248299EC606B381C3B2AA45CB91

Function 6CF680D0 Relevance: 4.6, APIs: 3, Instructions: 113COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CF68169

Part of subcall function 6CF7B28C: std::exception::_Copy_str.LIBCMT ref: 6CF7B2A7

__CxxThrowException@8.LIBCMT ref: 6CF6817E

Part of subcall function 6CF7D3D1: RaiseException.KERNEL32(?,?,6CF7C8E0,E243FD3F,?,?,?,?,6CF7C8E0,E243FD3F,6D042A94,6D049FF4,E243FD3F,-00000898,00000002,?), ref: 6CF7D413

Part of subcall function 6CF69D60: std::exception::exception.LIBCMT ref: 6CF69D8F
Part of subcall function 6CF69D60: __CxxThrowException@8.LIBCMT ref: 6CF69DA4

_memmove.LIBCMT ref: 6CF681C5

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_memmovestd::exception::_
String ID:
API String ID: 163498487-0
Opcode ID: 9f8a1c7ea4dbeb5f46ce79ec7833ffe033f173dd40d82a4ae6a0ff7904d007e7
Instruction ID: 6a9a97e13b99c02309a0fc602c088950b522f2cec7c1ced8f5c913448411943e
Opcode Fuzzy Hash: 9f8a1c7ea4dbeb5f46ce79ec7833ffe033f173dd40d82a4ae6a0ff7904d007e7
Instruction Fuzzy Hash: CE4173B1900605ABDB14CF69C89079EBBF8EB0A364F51462FE825A7F81D7709944CBE1

Function 6CFDC4A0 Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,74E2F860,00000000,00000000), ref: 6CFDC4D3
SetFilePointer.KERNEL32(?,74E2F860,00000000,00000001), ref: 6CFDC4F0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 21f480230c5b908bfc02217d383e6e598dd9ab93a2626e08d311b8581670dec8
Instruction ID: 81c4aa4c5a6e435bf7b5ae89fad1fd35c674826d6b572f3bfaf87994d58a2638
Opcode Fuzzy Hash: 21f480230c5b908bfc02217d383e6e598dd9ab93a2626e08d311b8581670dec8
Instruction Fuzzy Hash: 03314535654208EFDB08DF19C894B9A7BB1BF46764F19C209F8594B681C330FA81CF90

Function 6CF64640 Relevance: 4.6, APIs: 3, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

std::_DebugHeapString::_DebugHeapString.LIBCPMTD ref: 6CF646B5
__wfopen_s.LIBCMT ref: 6CF646DC
_fseek.LIBCMT ref: 6CF646F3

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: DebugHeap$StringString::___wfopen_s_fseekstd::_
String ID:
API String ID: 568567257-0
Opcode ID: 40164fef754cffc93f3ee08eb20ce90956282511c3b7fb572fdac2e409e7a021
Instruction ID: 0a821ad2626aee0878fd024a71988a79545abf7aa9ceb6ebb0f96f6aa14f5f74
Opcode Fuzzy Hash: 40164fef754cffc93f3ee08eb20ce90956282511c3b7fb572fdac2e409e7a021
Instruction Fuzzy Hash: C5218371900128ABEB24EB64DD41FEEB7B8EF45214F1002A9D91DA77C1DF756A48CF90

Function 6CFE2E30 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 459COMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(00000000), ref: 6CFE33E8

Part of subcall function 6CF95A40: CharNextW.USER32(00000000,00000000,?,00000000,E243FD3F), ref: 6CF95B51
Part of subcall function 6CF95A40: CharNextW.USER32(00000000,00000000,?,00000000,E243FD3F), ref: 6CF95B80

Strings

res='%s' restype='%s' dest='%d,%d,%d,%d' source='%d,%d,%d,%d', xrefs: 6CFE3059, 6CFE3118, 6CFE3181, 6CFE3242, 6CFE3304

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CharNext$EnabledWindow
String ID: res='%s' restype='%s' dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
API String ID: 3456984671-192091556
Opcode ID: 102c1356b744db78edaf5cc0c19bcf0c84396fdf2c314ed3f3d5a16f5375db0d
Instruction ID: 29c8ca27280e723a6b95796fd3bf164af4c6d2d4509da0cb11b71e0ab8014924
Opcode Fuzzy Hash: 102c1356b744db78edaf5cc0c19bcf0c84396fdf2c314ed3f3d5a16f5375db0d
Instruction Fuzzy Hash: 4C221871A016299BDB29CB48CC94BEAB3B9BF48305F1442E9E50DA7751DB31AF84CF50

Function 6CF90520 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 6CF9055B

Strings

return, xrefs: 6CF90585

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: State
String ID: return
API String ID: 1649606143-2812165903
Opcode ID: de16ebcbe52223e83bbc663872509e28cff183c12dd174cb487bbbda95cd9970
Instruction ID: 8fc0ef36ed2a9f43e575984c6259d0b91e6d959d8500df23591f8905ad6fd124
Opcode Fuzzy Hash: de16ebcbe52223e83bbc663872509e28cff183c12dd174cb487bbbda95cd9970
Instruction Fuzzy Hash: 54218434A04148AFEF04CF45C490BAEB7B5EF4C714F5482A9E959AB781D7B0E981CF50

Function 6CF61FB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF61FF6

Part of subcall function 6CF7A7A4: std::exception::exception.LIBCMT ref: 6CF7A7B9
Part of subcall function 6CF7A7A4: __CxxThrowException@8.LIBCMT ref: 6CF7A7CE
Part of subcall function 6CF7A7A4: std::exception::exception.LIBCMT ref: 6CF7A7DF

Strings

list<T> too long, xrefs: 6CF61FF1

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: list<T> too long
API String ID: 1823113695-4027344264
Opcode ID: 15f95757ba19854176564aa6e8c4a3b3363dd1140283a532a326da3ff711cf43
Instruction ID: 497fc55ce6996eb3bd2cd111f2181a1b4e23845f7b8f24b6d4ca7151b191db05
Opcode Fuzzy Hash: 15f95757ba19854176564aa6e8c4a3b3363dd1140283a532a326da3ff711cf43
Instruction Fuzzy Hash: 8F011EB6501204AF8714DB69DA80C9BB7F9FB89704710956DE94687F05EA31F905CB60

Function 6F95124C Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(00000000), ref: 6F95130B
GetLastError.KERNEL32 ref: 6F951412

Memory Dump Source

Source File: 00000000.00000002.2905145483.000000006F951000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000000.00000002.2905129472.000000006F950000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905161285.000000006F953000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905179764.000000006F955000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f950000_electrumx64.jbxd

Similarity

API ID: DiskErrorFreeLastSpace
String ID:
API String ID: 1766372604-0
Opcode ID: 47c6e2a55ff88f4abad91d69f21c64c254611c6d394fab2ceb1002b6fb32cd3e
Instruction ID: b2b95f15d7a9a8758c2a7720b2ab57bc783bab6d9b8d4ac30d8de2ed798c5a83
Opcode Fuzzy Hash: 47c6e2a55ff88f4abad91d69f21c64c254611c6d394fab2ceb1002b6fb32cd3e
Instruction Fuzzy Hash: 0F517B768087049FEB60DF78D9A0B5937A8FB47328F20452AE404CA2C1DB34E5F9DE95

Function 6CFB9010 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1c07166bb8f83e8a2cde84626e94b43a837e4a6f338e8c3efbea705bd33657
Instruction ID: 3301e6cbb68f447bbaac4b5d0884d5c7ad234b2d3d856515624bf595e723bde0
Opcode Fuzzy Hash: 3c1c07166bb8f83e8a2cde84626e94b43a837e4a6f338e8c3efbea705bd33657
Instruction Fuzzy Hash: 24517071604209EFCF04CFA6C890BEE7BB5AF98304F145159F955AB780CB35DA85DBA0

Function 6CFDC880 Relevance: 3.1, APIs: 2, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 6CFDC4A0: SetFilePointer.KERNELBASE(?,74E2F860,00000000,00000000), ref: 6CFDC4D3

_malloc.LIBCMT ref: 6CFDC8CB

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FilePointer_malloc
String ID:
API String ID: 1406651323-0
Opcode ID: 84e05b30651d38e19ff2f1d31f9345a3416f335dac32045217ba89f97c9ccd0f
Instruction ID: 54d324ee2ed185d26b4da257123a6f1f4138df2456774c2b42b7d949eef32b74
Opcode Fuzzy Hash: 84e05b30651d38e19ff2f1d31f9345a3416f335dac32045217ba89f97c9ccd0f
Instruction Fuzzy Hash: 2E518EB1D04109DFCF04EFD8C991ABEBBB1AF45318F298259D512B7784D731AA40CB92

Function 6CF9D4D0 Relevance: 3.1, APIs: 2, Instructions: 119timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,?,00000000), ref: 6CF9D560
SetTimer.USER32(?,?,?,00000000), ref: 6CF9D5D5

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: cfba2d3c9834c25c24549a569d49eef9c0bdf9c5359ebee48bc1a9ce88dd2841
Instruction ID: 3142ce3a81f6d45378c65cb8f1ad1859c8e2f9516739fd120433f65dda1ffd14
Opcode Fuzzy Hash: cfba2d3c9834c25c24549a569d49eef9c0bdf9c5359ebee48bc1a9ce88dd2841
Instruction Fuzzy Hash: E351AF75A04109EFDF04CF98C590AAEB7B5FF89304F348299D909AB741D731AE41DBA1

Function 6CF8B660 Relevance: 3.1, APIs: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 6CF8BCD0: _memset.LIBCMT ref: 6CF8BD16
Part of subcall function 6CF8BCD0: GetClassInfoExW.USER32(00000000,?,00000030), ref: 6CF8BD2F
Part of subcall function 6CF8BCD0: GetClassInfoExW.USER32(00000000,?,00000030), ref: 6CF8BD47

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6CF8B709

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ClassInfo$CreateWindow_memset
String ID:
API String ID: 834990534-0
Opcode ID: 6e74e1d85c2d23cee028873c224a06af602c338cd4fc8d6f167a2a00c9308cd2
Instruction ID: 07fe32bb0c8f9ec24ff803ea61480b4dd8c52f766bfa979343b39df49979d421
Opcode Fuzzy Hash: 6e74e1d85c2d23cee028873c224a06af602c338cd4fc8d6f167a2a00c9308cd2
Instruction Fuzzy Hash: 9B41A5B9A05109AF8B04DF99C890DAEB7B9FF8D304B14C699F919D7354DB30E901CBA0

Function 6CFDE8D0 Relevance: 3.1, APIs: 2, Instructions: 89COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 6CFDE906
_memset.LIBCMT ref: 6CFDE95B

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ByteCharMultiWide_memset
String ID:
API String ID: 2800726579-0
Opcode ID: 4e9dc80b875e4e51950e82dc7fea1814b33eb7f857b5b9e7a7aae3d76082872c
Instruction ID: 265eaf26551b39be3b877965c5486617eb245f048ea878da2718a44028fe28f4
Opcode Fuzzy Hash: 4e9dc80b875e4e51950e82dc7fea1814b33eb7f857b5b9e7a7aae3d76082872c
Instruction Fuzzy Hash: 43317A70A02208DFCB15DF64CC81BDAB7B1BB89314F1483A9E9656B3D0D730AA95CF91

Function 6CFD2B70 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00080020,6D02D19C,00000000,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6CFD2BFF

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b9f0191d9bffef32506027de23a9845b519b090f75787af10530e0a49e1b75ba
Instruction ID: 5d6fbadf08112d511354bae243e602098031e01b3931e731e724c40827397e05
Opcode Fuzzy Hash: b9f0191d9bffef32506027de23a9845b519b090f75787af10530e0a49e1b75ba
Instruction Fuzzy Hash: 94311A75E05308AFDB04CFA4D895FAEBB71AB45324F248288F915AB384C771AD81CB94

Function 6CF79B90 Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6CF79C47
__CxxThrowException@8.LIBCMT ref: 6CF79C5C

Part of subcall function 6CF78550: _malloc.LIBCMT ref: 6CF78580
Part of subcall function 6CF78550: std::exception::exception.LIBCMT ref: 6CF7859C
Part of subcall function 6CF78550: __CxxThrowException@8.LIBCMT ref: 6CF785B1
Part of subcall function 6CF78550: _memmove.LIBCMT ref: 6CF785B9

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception$_memmove
String ID:
API String ID: 4279888175-0
Opcode ID: 2aff1a53fbcb8d24121a8e7288d75f8a0134bf57d38dca6460edf5be71fda9fb
Instruction ID: 1dbd3b2c1ee7d09dfeca43d6361a16c1b10014b22fe90b10f555d89cf997c5f7
Opcode Fuzzy Hash: 2aff1a53fbcb8d24121a8e7288d75f8a0134bf57d38dca6460edf5be71fda9fb
Instruction Fuzzy Hash: DB2153B1D01609ABC714DF99D940AEEFBF8EB58714F10456FD419A3B41E7306A44CBA1

Function 6CF795D0 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6CF7967B
__CxxThrowException@8.LIBCMT ref: 6CF79690

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 9dcc18a7949045d21a4d292d1f51fc7d50dd76f19085f9de1da4dc72c2dd8ed3
Instruction ID: a8da55107f210d0f2f7d93406a8f6af956efd23d7d63d8a0a1c8d915995f8b53
Opcode Fuzzy Hash: 9dcc18a7949045d21a4d292d1f51fc7d50dd76f19085f9de1da4dc72c2dd8ed3
Instruction Fuzzy Hash: 09217FB1A01608DFCB11DF59C980A9AFBF8FB59610F10856FE819A7741D730AA04CBA1

Function 6CF6AD00 Relevance: 3.1, APIs: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6CF6ADC4
__CxxThrowException@8.LIBCMT ref: 6CF6ADD9

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 6d4751498ef4f520a21e4858177efd2408a451190cc1474e26442b069026ba23
Instruction ID: 6a8f43c85bf57559d02559174e2bd13bed3a29684e8ad526fc5af1808fdb5172
Opcode Fuzzy Hash: 6d4751498ef4f520a21e4858177efd2408a451190cc1474e26442b069026ba23
Instruction Fuzzy Hash: 5B2183B19016099BCB14DFA9D940BEEFBF8FB48714F10866ED459A3B41DB306904CBA1

Function 6CFDC580 Relevance: 3.1, APIs: 2, Instructions: 65fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000001,00000001,00000000,00000000,00000000,?,00000001,FFFFFFFF), ref: 6CFDC5AF
_memmove.LIBCMT ref: 6CFDC604

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FileRead_memmove
String ID:
API String ID: 1325644223-0
Opcode ID: 0cee9960e5b90c0f98b5bb65a02be0dfbb9cd5870326293c93206c54f1e7d5f0
Instruction ID: 79af8288df3912acd1c359965f3a14729d441ed1db793b1689a202c8e3288e5f
Opcode Fuzzy Hash: 0cee9960e5b90c0f98b5bb65a02be0dfbb9cd5870326293c93206c54f1e7d5f0
Instruction Fuzzy Hash: ED21A6B9A00109EFCB08CF59D590A9EBBB6BF88304F148199E805AB345D730EE51CFA1

Function 6CF6A280 Relevance: 3.1, APIs: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6CF6A334
__CxxThrowException@8.LIBCMT ref: 6CF6A349

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 96f210a09cf2b6a6d12cdf711af40dcc1920b0acfb5437919678d300a20fef32
Instruction ID: 20745babc09f8c86dc0a5c873b0e6ed2fba6017d2929e10ec1dd0c0ef62ba092
Opcode Fuzzy Hash: 96f210a09cf2b6a6d12cdf711af40dcc1920b0acfb5437919678d300a20fef32
Instruction Fuzzy Hash: 00216D71901608DFCB15CF99C940ADEFBF4FF59710F50856AE819A7B41D730AA04CBA1

Function 6CFDDD20 Relevance: 3.1, APIs: 2, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e093246de82540408ff0a4e0227cab13c62d7d3a3a66881b214539f50f39e639
Instruction ID: 2389de3c1d2ffe2c696dcfb459d5dcbc955fbfd5b1eec57522f90f856120feab
Opcode Fuzzy Hash: e093246de82540408ff0a4e0227cab13c62d7d3a3a66881b214539f50f39e639
Instruction Fuzzy Hash: 9C21E9B4900208EFDB10DF94C880B9DBBB1FF45318F258699D8156B794D375AA85CF91

Function 004029FF Relevance: 3.1, APIs: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.KERNELBASE(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(?), ref: 004029E4
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00402A32

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 7364fa734b1cafd0e9c302eb8c761ae35a440ebd4c3d320034ea02a32beaa18b
Instruction ID: e3af14d3babfee09cb1fb7ac7dbcae58df224abeee96a0ce1dd220965ef9d513
Opcode Fuzzy Hash: 7364fa734b1cafd0e9c302eb8c761ae35a440ebd4c3d320034ea02a32beaa18b
Instruction Fuzzy Hash: C8116071A10204EFDF24DFA4DA499AEB6B4EF44344B20847FE446F72D0E6785B41DB19

Function 6CF6AC90 Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6CF6ACD9
__CxxThrowException@8.LIBCMT ref: 6CF6ACEE

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 385f24ebfac7455477bdb12b3015d23b217529f3404ba2a0d47a20751aa7a45c
Instruction ID: d289ee9b4c8e90c7b24182d1306163e549a493fd599415cfa2eb357d9fa18ead
Opcode Fuzzy Hash: 385f24ebfac7455477bdb12b3015d23b217529f3404ba2a0d47a20751aa7a45c
Instruction Fuzzy Hash: 3F0144749012049FC71CDF55D490C9ABBB5EF58704B14C56EDD2A4BB51E730E944CB91

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction ID: 11189a7010c7ef4f551f6273c6f502c25af520ce36bbf29b1e3929f99495605f
Opcode Fuzzy Hash: 0bd6c5a8fdcdf2cf9a6bba33cc7502a6d80b6dcfa2a0e894e00c73e73fb262d4
Instruction Fuzzy Hash: 64F02831A10220DBD7165B349C08B273799BB81354F258637F819F62F2D2B8CC41CB4C

Function 6CF7C30E Relevance: 3.0, APIs: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CF7C33B
__lock_file.LIBCMT ref: 6CF7C35E

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 06698e66946bb2029f954ac1c57e2ec1aebcf8a1c3d8d8d0e2f9b9efb99fb1cd
Instruction ID: 7bcd0ae9af19ad24031a7380847ddca7796c0a155d83dc0e610ee9ba60a09080
Opcode Fuzzy Hash: 06698e66946bb2029f954ac1c57e2ec1aebcf8a1c3d8d8d0e2f9b9efb99fb1cd
Instruction Fuzzy Hash: EB012172802219EBCF61AFA4E8004DE3F71BF04759F548127F82456A60D7758666DFE1

Function 6CF8B7D0 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CF8B7E0
ShowWindow.USER32(?,00000000), ref: 6CF8B819

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Window$Show
String ID:
API String ID: 990937876-0
Opcode ID: 0d7307184d7afc5bb02e267d02b631cd42a340feafe83a89f764a3181317c6a4
Instruction ID: 80f87f2fb2f054ce770e597b6616f7a268a17fc84140558985b108f599d5c60c
Opcode Fuzzy Hash: 0d7307184d7afc5bb02e267d02b631cd42a340feafe83a89f764a3181317c6a4
Instruction Fuzzy Hash: 01F0B475E05108ABCF00DFB8C845A5EBFB4AB46305F24C699F81597380D334DA40DB50

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 6CFDCA10 Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd60096e74fc4a71c35b357a7bd661c41c96a97361e48af39233303a176268c
Instruction ID: af994bad9280fd40b92785b417e8a7711c3a8c7f2f861a7cc4536bea6db235ca
Opcode Fuzzy Hash: 5cd60096e74fc4a71c35b357a7bd661c41c96a97361e48af39233303a176268c
Instruction Fuzzy Hash: 0A613DB5E002089BDB20DF65DC44BDEB774AF45368F158698E82C97681E730EA85CFA1

Function 6CF9DED0 Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6CF9DF22

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CountTick_free_malloc
String ID:
API String ID: 1247268073-0
Opcode ID: 4ca2353358e4f11c841aa103274eb43f87f02562798e1192360fa5bd59c4ebc1
Instruction ID: bd6e471e75a60c63daca64476b175c15371e176d4ebeb7ab063e55bbaad41d5d
Opcode Fuzzy Hash: 4ca2353358e4f11c841aa103274eb43f87f02562798e1192360fa5bd59c4ebc1
Instruction Fuzzy Hash: 6671F974A04218DFDB18CF18C894BD9B7B2BF89304F1482E9D98D9B781DB716A85CF91

Function 6CF90390 Relevance: 1.6, APIs: 1, Instructions: 112timeCOMMON

Download Yara Rule

APIs

GetCaretBlinkTime.USER32(00000000), ref: 6CF904C8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: BlinkCaretTime
String ID:
API String ID: 1096504186-0
Opcode ID: 1a29a88efae64d627b9f430345fe059d2dddcdb386276ff947e3a5c03f9381c2
Instruction ID: 38a20784073c7eeeb08204a571e253c592cd0095f48a7c4452e1e57e26797399
Opcode Fuzzy Hash: 1a29a88efae64d627b9f430345fe059d2dddcdb386276ff947e3a5c03f9381c2
Instruction Fuzzy Hash: 1051D974A01218DFDB44CF94D894BEDB7B6BF88308F248169E9096B791C772AC56CF90

Function 6CF9D940 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000000,?,?,?,?,?,?,6CF97F4C,00000000), ref: 6CF9D977

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 40b7f489e21bdb6e515bce2447838c905a819d412f9f9ade5b7e481f983b121c
Instruction ID: 35d59738634d1ae3741fc82ccaad6d9134b510d231983ea1046f7dc19f915205
Opcode Fuzzy Hash: 40b7f489e21bdb6e515bce2447838c905a819d412f9f9ade5b7e481f983b121c
Instruction Fuzzy Hash: 11411774A042589FDF08CFA4C894BEEFBF1AF89300F2481A9D894AB341D7755A41CF90

Function 6CFDD2F0 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6CFDD317

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 053d598874e5e5334d4bb59e4813d0103692fac75d0491cf5b90e16ae7b9ba9a
Instruction ID: a3ac22aecae3c90129f38155d8b02f2e777c894c3eae8f760761d4ba32f4e130
Opcode Fuzzy Hash: 053d598874e5e5334d4bb59e4813d0103692fac75d0491cf5b90e16ae7b9ba9a
Instruction Fuzzy Hash: 9B314FB5E00209AFDB14CFA8D840F9EB7B4AB48314F254669E9159B780D770FA84CFA1

Function 6CF78770 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CF787F2

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 06c2130afafc44e1309f79423d01c2de1f8ddde0e153bfc536f64b42bb8972f9
Instruction ID: bfcf103d8b4519fab26334688d16ea042077d0587efe155e0fbfc68aeb0e936d
Opcode Fuzzy Hash: 06c2130afafc44e1309f79423d01c2de1f8ddde0e153bfc536f64b42bb8972f9
Instruction Fuzzy Hash: B821EB75901540DBDB20DF65ED44B9AB7A8EF05618F10465BE822BBB80D738E906C7B1

Function 6CF79760 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CF797DA

Part of subcall function 6CF7B751: RtlFreeHeap.NTDLL(00000000,00000000,?,6CF81320,00000000), ref: 6CF7B767
Part of subcall function 6CF7B751: GetLastError.KERNEL32(00000000), ref: 6CF7B779

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a0e854e78eca808466754ae826229af9c0482747ae67bebe71962404cdd4de45
Instruction ID: 7ac8343d17bc83d8de89374249f5879cab0fa829e0df49924f4128a19d8681f7
Opcode Fuzzy Hash: a0e854e78eca808466754ae826229af9c0482747ae67bebe71962404cdd4de45
Instruction Fuzzy Hash: E411C4B6904604ABDB20CF58E840B9ABBB9FB45364F14462FE82557B40D739EA04CBE0

Function 6CFAEEA0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: fb751a3a8630f95593372b88e12a602d96d9bfda016ae56829b5e6bd6051e19f
Instruction ID: 7a07d8aa0027713e07f04f6350e32d5b3fe6d13207e68657fc564bbac40c9b78
Opcode Fuzzy Hash: fb751a3a8630f95593372b88e12a602d96d9bfda016ae56829b5e6bd6051e19f
Instruction Fuzzy Hash: 4B11FEB1A0114ADFCB24DFA8D940BAEB7B5EF48304F0045A9E80997745DB30EA55DFD1

Function 6CF87D94 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 6CF87DD7

Part of subcall function 6CF7EF1D: __getptd_noexit.LIBCMT ref: 6CF7EF1D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 1ad4ba14d91b6a7980dcd9981225a7c6b5572fc6f4167d656c354383ae00e92f
Instruction ID: 218bd369f4943ba423755c8f89342d5956d28ba4ac5c103fbc87676bb60fe644
Opcode Fuzzy Hash: 1ad4ba14d91b6a7980dcd9981225a7c6b5572fc6f4167d656c354383ae00e92f
Instruction Fuzzy Hash: 4001B5323072159BEB258F25C854FA637B5AB81769F154A2BF8258B980D770D84086A0

Function 6CFD7540 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(6D035FE0,00000000,00000001,6D036010,?), ref: 6CFD75C8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 45a26257304285b9aa821423326c2f5af40923c6cd89da90a141b6e7f29c955f
Instruction ID: 25ddd53d3e14e92bbab5eb0e8bf1357dce2092de5d966592b4171bd37678064a
Opcode Fuzzy Hash: 45a26257304285b9aa821423326c2f5af40923c6cd89da90a141b6e7f29c955f
Instruction Fuzzy Hash: 7411B9B4A0120A8FEB04CF84C595BAFFBF1BF44304F248548D8047B381C775A905CBA5

Function 6CFC9D00 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 6CFC9D2A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: IntersectRect
String ID:
API String ID: 481094312-0
Opcode ID: 108bdd859a871a42a184e0e22d27ee1ef435ec14f2751a927f808b7170a0f724
Instruction ID: fb84987a7c6a567c3272df114a2783622daca1ea2150d4c697e3097ec9612b55
Opcode Fuzzy Hash: 108bdd859a871a42a184e0e22d27ee1ef435ec14f2751a927f808b7170a0f724
Instruction Fuzzy Hash: EF014F31B44109EBCB04CF59C940F9FB7B9AF8570AF204598F459A7741CA31AF01DB65

Function 6CF8D5D0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CF8D62F

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: d26226cc891b2855e918279ffd4f4bd53b9422bcb9cc652e2932e6445114fb7a
Instruction ID: d7ab57a7a53626bc8da026f3d104c70bcb67bd3c5c58ee9ea11d20d7c8a4ff86
Opcode Fuzzy Hash: d26226cc891b2855e918279ffd4f4bd53b9422bcb9cc652e2932e6445114fb7a
Instruction Fuzzy Hash: AD0112B5A01208EFDB04CF58D441A9EBFB5EB44350F14C1ADEC495B380D731DA44CB90

Function 6CF79798 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 03ee52f311e1308fc0d61956336024dc7a57e42ded6e671422c3206340cdd153
Instruction ID: c3e54d7915df51098a25b4e021bab7315aa5d7a33ff6888c1474871dc283c824
Opcode Fuzzy Hash: 03ee52f311e1308fc0d61956336024dc7a57e42ded6e671422c3206340cdd153
Instruction Fuzzy Hash: 1501F4B69003049BDB20CF58F44069EB7B1EF44325F20862FD82557B40DB39EA15CBE0

Function 6CFDCC80 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CFDCCC4

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3916b0518c9523f3abb50564c7dc8c5856ddbf00f16e397b00e7aa2639c3593a
Instruction ID: 5c0534f8c3958230a5f93a6c6beff9ecfebbd39c19ea4c45820e28b9ce71a940
Opcode Fuzzy Hash: 3916b0518c9523f3abb50564c7dc8c5856ddbf00f16e397b00e7aa2639c3593a
Instruction Fuzzy Hash: 9FF082B5900148EFCB00EF68E940B9E73B5AF85308F2586A8E90887780E735FF44DB91

Function 6CFDC450 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(45C7FC45,00000000,00000000,00000001,?,6CFDC8AB,74E2F860,?,?,?,?,?,?,?,?,6CFDCA64), ref: 6CFDC475

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 623965dab0257ed98cb4f65711d0c42205faa2fe192112b5bcfce300c1f3ded2
Instruction ID: 94381f408c479f4d595d2cce642f3ab9fc8dbd9f2470f37b60dfda71e03ae9fd
Opcode Fuzzy Hash: 623965dab0257ed98cb4f65711d0c42205faa2fe192112b5bcfce300c1f3ded2
Instruction Fuzzy Hash: D5F05E30245315ABEB44DF25C490B767BA5AF46655F28C54CFC898F681CB31F542CB90

Function 00401553 Relevance: 1.5, APIs: 1, Instructions: 29registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,00000022,00000000,?,?), ref: 0040158B

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1caef13d468ef467c4b3b08d59f2ccd1d994183a05b4919832578f2617b25be5
Instruction ID: fa57b471ed8b987ef0152cf373f8deb4fb29a4d96bb60b9d9eb6fabc224e71a1
Opcode Fuzzy Hash: 1caef13d468ef467c4b3b08d59f2ccd1d994183a05b4919832578f2617b25be5
Instruction Fuzzy Hash: F3F0303A650115FBD700DB95DD42EE63BDCAB08794F044131FA0AEB1A1D234E84087AD

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4

Function 004037F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE

Function 6CF8C100 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,00000202,?,00000000,?,?,6CF94F79,00000000,?,00000202,00000000,?,00000202,00000000), ref: 6CF8C121

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ca9077a9076f79333351effa49567eb215c3643faa24756bef1e5971b78900a5
Instruction ID: 509feb21f6e347a95e78c48261101a2215eff048b95979c636102fcdb44bcb1d
Opcode Fuzzy Hash: ca9077a9076f79333351effa49567eb215c3643faa24756bef1e5971b78900a5
Instruction Fuzzy Hash: D3E02FB5A15108FB8B04CF99D944D9AF7FDEB4D310B14868DB909D7301D631EE50DBA4

Function 6CF9FC90 Relevance: 1.5, APIs: 1, Instructions: 20windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

PostMessageW.USER32(?,00008001,00000000,00000000), ref: 6CF9FCB8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7cea175e64150b24765ccfb89e6380abb882831c092c2049b9e44e9c2875c60f
Instruction ID: 337710789a6c0057159a82233eed3f392d21993d6f3d90cd05482e00a06e68a9
Opcode Fuzzy Hash: 7cea175e64150b24765ccfb89e6380abb882831c092c2049b9e44e9c2875c60f
Instruction Fuzzy Hash: 24E04F70B49208EBDB04CB95C955FA9BBB8AB45705F2442E9FD48AB382C7726E009B54

Function 6F952728 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6F954020,00000004,00000040,6F954028), ref: 6F952746

Memory Dump Source

Source File: 00000000.00000002.2905145483.000000006F951000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000000.00000002.2905129472.000000006F950000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905161285.000000006F953000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905179764.000000006F955000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f950000_electrumx64.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 03069635955d140c0ddf2036d2fa3eb24a82ed4efe604fb25fbfd9511b65f147
Instruction ID: fff53f7ca423a7b0522e56333c4449c2e58f2c1976fee1a18332db34d7d71eb7
Opcode Fuzzy Hash: 03069635955d140c0ddf2036d2fa3eb24a82ed4efe604fb25fbfd9511b65f147
Instruction Fuzzy Hash: 8EE0AEB190DB409EEBD0CF3CD864B023AF0B75B326F21452AE248D62C0E230913CAF19

Function 6CF64610 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 6CF64621

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 2f4c74d6bb5598f67877027b510957e31077f82797a0ffc6c53c0c3259abc79f
Instruction ID: f1278a43298e94cf700a0b03066a836eff2a4af42caa784c01d6653104ac0a30
Opcode Fuzzy Hash: 2f4c74d6bb5598f67877027b510957e31077f82797a0ffc6c53c0c3259abc79f
Instruction Fuzzy Hash: 70D09E752103086BDB04DF64D881DAB3369EB44614F108819BD154B741D671E9209AA5

Function 6CFDB8F0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 6CFDB90D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: f0a1bf826ec3f6c1d7305ddabcf0ae9287661dbb3350c9d412980476288be99b
Instruction ID: a97eaa931da5d112f6644ac9b2662aa3090c76387a03887341288627e0fdf0d4
Opcode Fuzzy Hash: f0a1bf826ec3f6c1d7305ddabcf0ae9287661dbb3350c9d412980476288be99b
Instruction Fuzzy Hash: 81D0E27600424DABCB00CFA8D880AAA33A8AB44218F04C918BD2C8B200DA30E560CB50

Function 00403D6B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00428BB1,74DF23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(?,?,00000000), ref: 00403D85

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: ItemTextVersion
String ID:
API String ID: 1287519508-0
Opcode ID: 6c6e3b9cce5e3c04e16e3261811eafba0214bdccea44d0b3cf2813b955e277e9
Instruction ID: 3d91de8bf8cbd2b1f3a3cf9e9dcc3d672f8c1b7d0241b958bd96d56531da4427
Opcode Fuzzy Hash: 6c6e3b9cce5e3c04e16e3261811eafba0214bdccea44d0b3cf2813b955e277e9
Instruction Fuzzy Hash: 7EC04C76148300BFE641A759CC46F1FB799EFA4719F00C52EB19CE11D5CA398420DA26

Function 6CFA4680 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CFA4687

Part of subcall function 6CF7CD40: __FF_MSGBANNER.LIBCMT ref: 6CF7CD59
Part of subcall function 6CF7CD40: __NMSG_WRITE.LIBCMT ref: 6CF7CD60
Part of subcall function 6CF7CD40: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 6CF7CD85

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 17f0809e41a037017afa13fa89890ed12633f984fcd4df5484950895e108c249
Instruction ID: d0cd4a37662e12f3364b58eabf321d79bdd34db482b95e533e1f94de09590630
Opcode Fuzzy Hash: 17f0809e41a037017afa13fa89890ed12633f984fcd4df5484950895e108c249
Instruction Fuzzy Hash: 1DB012B680030C13890076DCB801886378C0604418F040021FE0C4B701E521F65441E2

Function 6CFA41A0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CFA41A7

Part of subcall function 6CF7B751: RtlFreeHeap.NTDLL(00000000,00000000,?,6CF81320,00000000), ref: 6CF7B767
Part of subcall function 6CF7B751: GetLastError.KERNEL32(00000000), ref: 6CF7B779

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: d6cfca12000a0b106740b4379124f6eb9ff0438c1e64e4861b856a235bc69ecf
Instruction ID: 205410f856108ebbce74c322f03418e69be913ef285502ef24a2264a8ca47f6f
Opcode Fuzzy Hash: d6cfca12000a0b106740b4379124f6eb9ff0438c1e64e4861b856a235bc69ecf
Instruction Fuzzy Hash: 7FB012B280430C138A0066D8B801886338C4A04414B440421B90C47B00F625F55441E2

Function 6CFDB920 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CFDB927

Part of subcall function 6CF7B751: RtlFreeHeap.NTDLL(00000000,00000000,?,6CF81320,00000000), ref: 6CF7B767
Part of subcall function 6CF7B751: GetLastError.KERNEL32(00000000), ref: 6CF7B779

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: e866c6280bb8740010ab8c6dff84e555f095f6d90278c21fead7fd0c1bf12db2
Instruction ID: 1eb02b8d82abb0ea7519aa0126b1ca3bcf4c73119ecd5063ee721cd2d4a83c9c
Opcode Fuzzy Hash: e866c6280bb8740010ab8c6dff84e555f095f6d90278c21fead7fd0c1bf12db2
Instruction Fuzzy Hash: C2B012B280430C138A0066D87801846338C4A04424B444421B90C47B00F635F51441A2

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Function 00403DC4 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09

Function 6CFDC3E0 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,00000000), ref: 6CFDC401

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d63924800296dadd94c2ad727f39b7b5b22e510be9e17451b4ba050bac5d65c5
Instruction ID: 76f7962c370ce36dfb29a4ab1d2441c0e09db627fd1799e6182ee410682378af
Opcode Fuzzy Hash: d63924800296dadd94c2ad727f39b7b5b22e510be9e17451b4ba050bac5d65c5
Instruction Fuzzy Hash: 6AE092B5A15208AFCB04DF64C484A6A7BB8BF45365F25C3A9FC5987740D730EA40DB91

Function 6F951581 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,6F9515BA,?,?,6F95185F,?,6F951017), ref: 6F95158B

Memory Dump Source

Source File: 00000000.00000002.2905145483.000000006F951000.00000020.00000001.01000000.00000004.sdmp, Offset: 6F950000, based on PE: true

Associated: 00000000.00000002.2905129472.000000006F950000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905161285.000000006F953000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2905179764.000000006F955000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f950000_electrumx64.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: cc853746078a4c9b1c6e42b9bb1825dc8667207b0b2e4174895a7d9d4c316632
Instruction ID: af99e66709344539024c1600abcbb94fdda3997164a56c5da794ba7fb55c0459
Opcode Fuzzy Hash: cc853746078a4c9b1c6e42b9bb1825dc8667207b0b2e4174895a7d9d4c316632
Instruction Fuzzy Hash: 4FB002716445006FFF409778CD5BF353BA5F741755F550050F705D5141D56458788D15

Non-executed Functions

Function 6CFBEA70 Relevance: 100.1, APIs: 54, Strings: 2, Instructions: 2054COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 6CFBEAB1

Part of subcall function 6CF8C420: _malloc.LIBCMT ref: 6CF8C450

GetClipBox.GDI32(?,00000000), ref: 6CFBEB20
CreateRectRgnIndirect.GDI32(00000000), ref: 6CFBEB2A
CreateRectRgnIndirect.GDI32(?), ref: 6CFBEB3A
ExtSelectClipRgn.GDI32(?,?,00000001), ref: 6CFBEB5B
SelectObject.GDI32(?), ref: 6CFBEBA9
SetBkMode.GDI32(?,00000001), ref: 6CFBEBBB
SetTextColor.GDI32(?), ref: 6CFBEBF9
SetBkColor.GDI32(?), ref: 6CFBEC43
PtInRect.USER32(?,?,?), ref: 6CFBEE45
SetRect.USER32(?,00000000,?,?,?), ref: 6CFBF021
_memmove.LIBCMT ref: 6CFC173C
_memmove.LIBCMT ref: 6CFC1779
_memmove.LIBCMT ref: 6CFC17B0
SetTextColor.GDI32(?), ref: 6CFC185C
SelectObject.GDI32(?), ref: 6CFC18B5
SetBkMode.GDI32(?,00000002), ref: 6CFC18CC
_memmove.LIBCMT ref: 6CFC190F
_memmove.LIBCMT ref: 6CFC194F
_memmove.LIBCMT ref: 6CFC1986
SelectClipRgn.GDI32(?,?), ref: 6CFC1A42
DeleteObject.GDI32(?), ref: 6CFC1A4F
DeleteObject.GDI32(?), ref: 6CFC1A5C
SelectObject.GDI32(?,?), ref: 6CFC1A6D

Strings

..., xrefs: 6CFC1656
d, xrefs: 6CFBEC99

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memmove$ObjectRectSelect$ClipColor$CreateDeleteIndirectModeText$Empty_malloc
String ID: ...$d
API String ID: 1279121391-1910149496
Opcode ID: f0751885f060841c649441de676fa1d7c33f725adb579c659d2d812e282cd19c
Instruction ID: 5b7efbf44ff3ce6066bd81f9de8e87b1193927426bd5846b61c4b945936d6899
Opcode Fuzzy Hash: f0751885f060841c649441de676fa1d7c33f725adb579c659d2d812e282cd19c
Instruction Fuzzy Hash: 21236DB5A051198FDB14CF69C890BEEB7B2BF89304F1481D9E809AB744DB34AE95CF50

Function 004050F9 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 295windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040515B
GetDlgItem.USER32(?,000003EE), ref: 0040516A
GetClientRect.USER32(?,?), ref: 004051C2
GetSystemMetrics.USER32(00000015), ref: 004051CA
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
ShowWindow.USER32(?,00000008), ref: 00405266
GetDlgItem.USER32(?,000003EC), ref: 00405287
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
GetDlgItem.USER32(?,000003F8), ref: 00405179

Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00428BB1,74DF23A0,00000000), ref: 00406902

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

GetDlgItem.USER32(?,000003EC), ref: 004052D7
CreateThread.KERNEL32(00000000,00000000,Function_00005073,00000000), ref: 004052E5
CloseHandle.KERNEL32(00000000), ref: 004052EC
ShowWindow.USER32(00000000), ref: 00405313
ShowWindow.USER32(?,00000008), ref: 00405318
ShowWindow.USER32(00000008), ref: 0040535F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
CreatePopupMenu.USER32 ref: 004053A2
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
GetWindowRect.USER32(?,?), ref: 004053CA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
OpenClipboard.USER32(00000000), ref: 00405437
EmptyClipboard.USER32 ref: 0040543D
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
GlobalLock.KERNEL32(00000000), ref: 00405453
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
GlobalUnlock.KERNEL32(00000000), ref: 00405489
SetClipboardData.USER32(0000000D,00000000), ref: 00405494
CloseClipboard.USER32 ref: 0040549A

Strings

New install of "%s" to "%s", xrefs: 004051AE
{, xrefs: 0040537E

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: New install of "%s" to "%s"${
API String ID: 2110491804-1641061399
Opcode ID: b870e07e0f90b65775997a4172df4cb72c50b11c5a38a9ad208b9f3c2b6ee9f0
Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
Opcode Fuzzy Hash: b870e07e0f90b65775997a4172df4cb72c50b11c5a38a9ad208b9f3c2b6ee9f0
Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

Function 004049A8 Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049BF
GetDlgItem.USER32(?,00000408), ref: 004049CC
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
LoadBitmapW.USER32(0000006E), ref: 00404A2E
SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
DeleteObject.GDI32(?), ref: 00404AA5
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
ShowWindow.USER32(?,00000005), ref: 00404BFB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
ImageList_Destroy.COMCTL32(?), ref: 00404DC8
GlobalFree.KERNEL32(?), ref: 00404DD8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
ShowWindow.USER32(?,00000000), ref: 00404F75
GetDlgItem.USER32(?,000003FE), ref: 00404F80
ShowWindow.USER32(00000000), ref: 00404F87

Strings

, xrefs: 00404F65
M, xrefs: 00404B6F
@, xrefs: 00404BBC
N, xrefs: 00404C32

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58

Function 6CF980F0 Relevance: 58.4, APIs: 31, Strings: 2, Instructions: 700COMMON

Download Yara Rule

Strings

tooltips_class32, xrefs: 6CF9A5F7
{, xrefs: 6CF981DC

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID: tooltips_class32${
API String ID: 0-3725455198
Opcode ID: b7116dd91ba342e713e8c19f7ada4e4f4c7195c27b0a4856b5674e682ef6b508
Instruction ID: 6a648302e58cb81939efd6e68202ddac04e11847eb248d4ea1846b7d06e2435d
Opcode Fuzzy Hash: b7116dd91ba342e713e8c19f7ada4e4f4c7195c27b0a4856b5674e682ef6b508
Instruction Fuzzy Hash: 5E722974E05218DFEB65CF58C894BA9B7B5FF89304F1081EAE50DA7680CB74AA81CF51

Function 004044D1 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 00404525
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
GetDlgItem.USER32(?,000003FB), ref: 00404553
GetAsyncKeyState.USER32(00000010), ref: 0040455A
GetDlgItem.USER32(?,000003F0), ref: 0040456F
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
SetWindowTextW.USER32(?,?), ref: 004045AF
SHBrowseForFolderW.SHELL32(?), ref: 00404669
lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
CoTaskMemFree.OLE32(00000000), ref: 00404674

Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3

Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB

GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00428BB1,74DF23A0,00000000), ref: 00406902

SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819

Strings

F, xrefs: 004046A0
A, xrefs: 00404662

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: F$A
API String ID: 3347642858-1281894373
Opcode ID: a5fa6dd7612635b06afd7bdf928a1f1f12882f9767dd20a4809df49b26cd99e9
Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
Opcode Fuzzy Hash: a5fa6dd7612635b06afd7bdf928a1f1f12882f9767dd20a4809df49b26cd99e9
Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59

Function 00406EFE Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
lstrcmpA.KERNEL32(name,?), ref: 00406FF3
CloseHandle.KERNEL32(?), ref: 00407212

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

name, xrefs: 00406FEB
GetTTFNameString, xrefs: 00406F33
%s: failed opening file "%s", xrefs: 00406F38

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75

Function 00406831 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00428BB1,74DF23A0,00000000), ref: 00406902
GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00428BB1,74DF23A0,00000000), ref: 00406A73

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406A0B
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406952
F, xrefs: 00406A7F
F, xrefs: 00406858

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-1792361021
Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59

Function 6CF6ECC0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF6EF6E
std::_Xinvalid_argument.LIBCPMT ref: 6CF6EF78
std::exception::exception.LIBCMT ref: 6CF6EF90
__CxxThrowException@8.LIBCMT ref: 6CF6EFAB

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

Strings

vector<T> too long, xrefs: 6CF6EF73
list<T> too long, xrefs: 6CF6EF69

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_mallocstd::exception::exception
String ID: list<T> too long$vector<T> too long
API String ID: 462811778-355118384
Opcode ID: f1bad00fe24cb357e5c4a82dbe0f843c94ccfa66eb0f35741211b2c9912fe59c
Instruction ID: 9283031fa201b783670f0f3b38f7c24c40e545c59f7273b0b77656c898d72888
Opcode Fuzzy Hash: f1bad00fe24cb357e5c4a82dbe0f843c94ccfa66eb0f35741211b2c9912fe59c
Instruction Fuzzy Hash: 46919372A006058FC728DF2DCD84BEEB7F6AB84314F54869DD45A97B80DB30AA45CF90

Function 6CF6E8B0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF6EB5E
std::_Xinvalid_argument.LIBCPMT ref: 6CF6EB68
std::exception::exception.LIBCMT ref: 6CF6EB80
__CxxThrowException@8.LIBCMT ref: 6CF6EB9B

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

Strings

vector<T> too long, xrefs: 6CF6EB63
list<T> too long, xrefs: 6CF6EB59

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Exception@8Throw_mallocstd::exception::exception
String ID: list<T> too long$vector<T> too long
API String ID: 462811778-355118384
Opcode ID: 509abdb3048e5f7369b9f739e565b285c7c327f86940d9717aa1328612eacec5
Instruction ID: 6c2707a15ab60d7739ebfbe0f141a493a1f2abd79b660ce74b5ca8ac52972609
Opcode Fuzzy Hash: 509abdb3048e5f7369b9f739e565b285c7c327f86940d9717aa1328612eacec5
Instruction Fuzzy Hash: 3791A472A006058FC728DF29CD84BEEB7F6BF84314F54869DD44A97B80DB30AA45CB90

Function 6CFFCE60 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(00000000), ref: 6CFFCE8B
GetWindowRect.USER32(00000000,?), ref: 6CFFCEAE

Part of subcall function 6CF8C3D0: OffsetRect.USER32(?,?,?), ref: 6CF8C3E3

CreateRoundRectRgn.GDI32(?,?,?,?,?,?), ref: 6CFFCEF2
SetWindowRgn.USER32(00000000,?,00000001), ref: 6CFFCF0A
DeleteObject.GDI32(?), ref: 6CFFCF14

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Rect$Window$CreateDeleteIconicObjectOffsetRound
String ID:
API String ID: 2749569207-0
Opcode ID: ad2a58bd6463279a8eef615ac59197dcc42f5bef309da82eb6fb96dd7ab05970
Instruction ID: 44faef3c65616726481ac6bb3a8ea36609ce66e687887d80b6a589ae78fdd050
Opcode Fuzzy Hash: ad2a58bd6463279a8eef615ac59197dcc42f5bef309da82eb6fb96dd7ab05970
Instruction Fuzzy Hash: 7821A571E04109ABDF04DFA8D995EEEB7B9BF88305F204159E516A7280DB34A905CB64

Function 6CF7ADDF Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6CF7FE42
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF7FE57
UnhandledExceptionFilter.KERNEL32(6D0281B0), ref: 6CF7FE62
GetCurrentProcess.KERNEL32(C0000409), ref: 6CF7FE7E
TerminateProcess.KERNEL32(00000000), ref: 6CF7FE85

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1ae05b5477492b667ed5c1cd97b7779058b53298f47aac0f45e638bbeb0d58a8
Instruction ID: 1221aea61ccd443f03e33d453be74bd49d4a5c87791fada5a0d4f1e6fbb701a4
Opcode Fuzzy Hash: 1ae05b5477492b667ed5c1cd97b7779058b53298f47aac0f45e638bbeb0d58a8
Instruction Fuzzy Hash: 5A21E0B9802200DFEF10EF29D686F483BB0BB4E319F20406AE90897761E77499C58F95

Function 6CF98060 Relevance: 7.5, APIs: 5, Instructions: 48keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 6CF9806D
GetKeyState.USER32(00000001), ref: 6CF98083
GetKeyState.USER32(00000002), ref: 6CF9809B
GetKeyState.USER32(00000010), ref: 6CF980B3
GetKeyState.USER32(00000012), ref: 6CF980C9

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 9c6fc4a56e69d2fee9b041f40262113a64858991081abc1b2dabb78a24d101d0
Instruction ID: 65649b4353be616b01d4b21e7d3a5cf0c0540506761ad0f0a8746410d52c0db6
Opcode Fuzzy Hash: 9c6fc4a56e69d2fee9b041f40262113a64858991081abc1b2dabb78a24d101d0
Instruction Fuzzy Hash: 49015270E06608EBFF08CF95C5467ADB7B1FB80305F24415EE946A7650D7719E41EB50

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54

Function 6D01AFB9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c8061294ec54c7cd13ddf24de3aaa76d4d596e35418d4a3108236fac6f2d6d
Instruction ID: d3de0d84df5d91be91160343bbdf24ac23cb7b75848b42c34298c9179d895f60
Opcode Fuzzy Hash: 53c8061294ec54c7cd13ddf24de3aaa76d4d596e35418d4a3108236fac6f2d6d
Instruction Fuzzy Hash: 5F321525D2DF424DEB239634C972335A69DAFB73D4F12D727E829B5A96EF28C4834100

Function 6CFDACC0 Relevance: 1.9, Strings: 1, Instructions: 615COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 6CFDB2BE

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID: invalid literal/length code
API String ID: 0-2703802952
Opcode ID: 29872f1d8ff087c6dc629e40f06ce4ecbe2a8df07dfc0e589a05235272ef46da
Instruction ID: 5e4a749c8e7ab6db34c59b0496c539b600991d9d1ce7abe96e306b506a29d68a
Opcode Fuzzy Hash: 29872f1d8ff087c6dc629e40f06ce4ecbe2a8df07dfc0e589a05235272ef46da
Instruction Fuzzy Hash: 0A6291B4E0520ACFCB08CF99C5909EEFBB2FF89314B248259D815A7355D734A952CFA4

Function 6CF93CE0 Relevance: 1.5, APIs: 1, Instructions: 18windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(00000000), ref: 6CF93CF0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 714c2a2ef73d93052167ab926de1a7a943601cbe9b5fab842e3bd2f5b73836e4
Instruction ID: 2987d603a749d3349f0bd3e53a00ab5894df4e8e118dc9c0bbadc8a454b083a9
Opcode Fuzzy Hash: 714c2a2ef73d93052167ab926de1a7a943601cbe9b5fab842e3bd2f5b73836e4
Instruction Fuzzy Hash: B6E0C27190820CABEB00CF60D905B8A37F89B00300F008159F80593290DB749A00DA60

Function 004079A2 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95

Function 6CF86DA5 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 015b38bda9e3b6cdd42c782103d585f5a40de34a14c9f4388d8bbd788c22bebf
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: CFC19573D6F5F3458B36462E445822FEE726E81B8832FC395ECE07F989C626AD0585D0

Function 6CF86A07 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: c76afe4eb8a6f476560c20633d8c40b9c5e51c3cb03b31892a7e1d066c5379fb
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 89B1A773D6F4F3458725462E445822FEFB26E82B8932FC395ECE07F989C6266D0586D0

Function 0040737E Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85

Function 6CF6CAA0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610b23f9225da6ee5cf62f95e2cd2b0b0b3a822c1f7dbae692d3ff4384bc61a3
Instruction ID: 58b1faaf3f98daecddb8808ae9473a3db5ed588890f80f439fe2f92ed678d0f9
Opcode Fuzzy Hash: 610b23f9225da6ee5cf62f95e2cd2b0b0b3a822c1f7dbae692d3ff4384bc61a3
Instruction Fuzzy Hash: 77B1B0B1D01258CBDF14DFA9C884BDDFBB5AF14304F1481AED85AA7B40DB356A48CBA1

Function 6CF7CBD0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: ac1031f6a40c7cd82e45a866f098e9fb1e097232ffaab6a958e0dc8accb0e24b
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: E6110BF72420C147D211A72EF5F06A7B395EAC932D739436BD1624BE58D223D1459620

Function 6CFA4950 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cfc501d2c9ac840bd8ecb51454683a8592fa786a1eddfe0d74d7eb5a2c6bb83
Instruction ID: 0daafdd6fedcdc14715d5442bd18e21d55c6b7af32b0735ef186756b6bbfccb6
Opcode Fuzzy Hash: 7cfc501d2c9ac840bd8ecb51454683a8592fa786a1eddfe0d74d7eb5a2c6bb83
Instruction Fuzzy Hash: C1E012B1A00208DFCB14DF6DD541AEAF7F4EF48310B51847ED85AE7740D631AD448B90

Function 6CFEC580 Relevance: 116.0, APIs: 37, Strings: 29, Instructions: 492COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFEC59C
__wcsicoll.LIBCMT ref: 6CFEC5B1
__wcsicoll.LIBCMT ref: 6CFEC5D7

Strings

left, xrefs: 6CFEC616
checkboxhotimage, xrefs: 6CFECAA5
right, xrefs: 6CFEC691
showhtml, xrefs: 6CFEC877
editable, xrefs: 6CFEC970
checkboxforeimage, xrefs: 6CFECB5A
pushedimage, xrefs: 6CFEC8FE
dragable, xrefs: 6CFEC593
textcolor, xrefs: 6CFEC765
true, xrefs: 6CFEC5A8, 6CFEC6EA, 6CFEC88C, 6CFEC985, 6CFEC9C0, 6CFEC9FB
checkboxdisabledimage, xrefs: 6CFECB14
sepwidth, xrefs: 6CFEC5CE
checkboxpushedimage, xrefs: 6CFECACB
checkboxselectedimage, xrefs: 6CFECB37
normalimage, xrefs: 6CFEC8B2
sepimage, xrefs: 6CFEC94A
checkboxwidth, xrefs: 6CFECA21
textpadding, xrefs: 6CFEC7BF
checkboxnormalimage, xrefs: 6CFECA7F
focusedimage, xrefs: 6CFEC924
font, xrefs: 6CFEC736
checkboxfocusedimage, xrefs: 6CFECAF1
comboable, xrefs: 6CFEC9AB
center, xrefs: 6CFEC652
endellipsis, xrefs: 6CFEC6D5
align, xrefs: 6CFEC5FD
hotimage, xrefs: 6CFEC8D8
checkboxheight, xrefs: 6CFECA50
checkable, xrefs: 6CFEC9E6

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: align$center$checkable$checkboxdisabledimage$checkboxfocusedimage$checkboxforeimage$checkboxheight$checkboxhotimage$checkboxnormalimage$checkboxpushedimage$checkboxselectedimage$checkboxwidth$comboable$dragable$editable$endellipsis$focusedimage$font$hotimage$left$normalimage$pushedimage$right$sepimage$sepwidth$showhtml$textcolor$textpadding$true
API String ID: 3832890014-1044791483
Opcode ID: 3e9170cbdb25a9efbe7f97a7e821ca3a6381b12dc9229b2d80fa83644151f190
Instruction ID: 84444f849851a4f02ed76476740e315ad1a37ed7166a88f34ff368e1ebe712e4
Opcode Fuzzy Hash: 3e9170cbdb25a9efbe7f97a7e821ca3a6381b12dc9229b2d80fa83644151f190
Instruction Fuzzy Hash: BE026EB6A04109BBDB04EFA5DC51EEE77F5AF8D254F108669F818AB740E7319A04CB60

Function 6CFC4A10 Relevance: 98.4, APIs: 29, Strings: 27, Instructions: 355COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFC4A20
__wcsicoll.LIBCMT ref: 6CFC4A46

Strings

button1pushedimage, xrefs: 6CFC4A63
railhotimage, xrefs: 6CFC4C05
range, xrefs: 6CFC4D7A
button1hotimage, xrefs: 6CFC4A3D
button2normalimage, xrefs: 6CFC4AAF
true, xrefs: 6CFC4D24, 6CFC4DED, 6CFC4E26
showbutton2, xrefs: 6CFC4E11
button2disabledimage, xrefs: 6CFC4B21
button1normalimage, xrefs: 6CFC4A17
bknormalimage, xrefs: 6CFC4C77
value, xrefs: 6CFC4DA9
thumbhotimage, xrefs: 6CFC4B6D
raildisabledimage, xrefs: 6CFC4C51
button2pushedimage, xrefs: 6CFC4AFB
railpushedimage, xrefs: 6CFC4C2B
hor, xrefs: 6CFC4D0F
bkdisabledimage, xrefs: 6CFC4CE9
thumbnormalimage, xrefs: 6CFC4B47
thumbpushedimage, xrefs: 6CFC4B93
bkhotimage, xrefs: 6CFC4C9D
button1disabledimage, xrefs: 6CFC4A89
button2hotimage, xrefs: 6CFC4AD5
showbutton1, xrefs: 6CFC4DD8
linesize, xrefs: 6CFC4D4B
bkpushedimage, xrefs: 6CFC4CC3
railnormalimage, xrefs: 6CFC4BDF
thumbdisabledimage, xrefs: 6CFC4BB9

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: bkdisabledimage$bkhotimage$bknormalimage$bkpushedimage$button1disabledimage$button1hotimage$button1normalimage$button1pushedimage$button2disabledimage$button2hotimage$button2normalimage$button2pushedimage$hor$linesize$raildisabledimage$railhotimage$railnormalimage$railpushedimage$range$showbutton1$showbutton2$thumbdisabledimage$thumbhotimage$thumbnormalimage$thumbpushedimage$true$value
API String ID: 3832890014-956292628
Opcode ID: 637cf2090283f41591e5eb01b540f5d57e6d5d724f056ce3d40ebb8e09b2e206
Instruction ID: 0b13ab7bd0ebd14c2cb40996cfbb4dd52f861a87104833fab4bfdbca94d11505
Opcode Fuzzy Hash: 637cf2090283f41591e5eb01b540f5d57e6d5d724f056ce3d40ebb8e09b2e206
Instruction Fuzzy Hash: CDB18EB2B04106F7DB04CF65DC91EEF77A96F59349F008519BD299BB40EB30EA088766

Function 6CFE2430 Relevance: 87.9, APIs: 31, Strings: 19, Instructions: 379COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFE2442
__wcsicoll.LIBCMT ref: 6CFE2470

Strings

bindtablayoutname, xrefs: 6CFE25D9
hotfont, xrefs: 6CFE281B
normalimage, xrefs: 6CFE2439
hotbkcolor, xrefs: 6CFE25FF
pushedimage, xrefs: 6CFE2495
disabledimage, xrefs: 6CFE24F1
statecount, xrefs: 6CFE257B
pushedbkcolor, xrefs: 6CFE2659
focusedimage, xrefs: 6CFE24C3
bindtabindex, xrefs: 6CFE25AA
hottextcolor, xrefs: 6CFE270D
stateimage, xrefs: 6CFE254D
focuedfont, xrefs: 6CFE2873
pushedfont, xrefs: 6CFE2847
focusedtextcolor, xrefs: 6CFE27C1
disabledbkcolor, xrefs: 6CFE26B3
hotforeimage, xrefs: 6CFE251F
pushedtextcolor, xrefs: 6CFE2767
hotimage, xrefs: 6CFE2467

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: bindtabindex$bindtablayoutname$disabledbkcolor$disabledimage$focuedfont$focusedimage$focusedtextcolor$hotbkcolor$hotfont$hotforeimage$hotimage$hottextcolor$normalimage$pushedbkcolor$pushedfont$pushedimage$pushedtextcolor$statecount$stateimage
API String ID: 3832890014-3678212032
Opcode ID: d2555cc98e410a84eec918fc34f7fc7026895ce5ae0de24d23cfaba968d10b83
Instruction ID: cbe6c65534459ac634876dac436e24843af8b398334c5bbee65b36c03a7d224f
Opcode Fuzzy Hash: d2555cc98e410a84eec918fc34f7fc7026895ce5ae0de24d23cfaba968d10b83
Instruction Fuzzy Hash: 6BD171B6A05109BBDB04DFA5DC94E9E77B9AF4D304F108519F9189B744EB31EE04CB60

Function 6D006540 Relevance: 73.8, APIs: 24, Strings: 18, Instructions: 340COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6D00655C
__wcsicoll.LIBCMT ref: 6D006571
__wcsicoll.LIBCMT ref: 6D006598

Strings

left, xrefs: 6D0065D7
right, xrefs: 6D006652
normalimage, xrefs: 6D006874
showhtml, xrefs: 6D006838
sepimage, xrefs: 6D006909
pushedimage, xrefs: 6D0068C0
textpadding, xrefs: 6D006780
dragable, xrefs: 6D006553
textcolor, xrefs: 6D006726
true, xrefs: 6D006568, 6D0066AB, 6D00684D
focusedimage, xrefs: 6D0068E6
font, xrefs: 6D0066F7
scale, xrefs: 6D00692C
center, xrefs: 6D006613
endellipsis, xrefs: 6D006696
align, xrefs: 6D0065BE
sepwidth, xrefs: 6D00658F
hotimage, xrefs: 6D00689A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: align$center$dragable$endellipsis$focusedimage$font$hotimage$left$normalimage$pushedimage$right$scale$sepimage$sepwidth$showhtml$textcolor$textpadding$true
API String ID: 3832890014-2664051919
Opcode ID: 17a8ee818e72d098a33a677e0141683b541142ffaa543dc8c4ee5a95588557fa
Instruction ID: 3e3fb19e172ba1ff6576b2364a362a96bc65db3889746b831739d67b25762fa2
Opcode Fuzzy Hash: 17a8ee818e72d098a33a677e0141683b541142ffaa543dc8c4ee5a95588557fa
Instruction Fuzzy Hash: CCC167B5D14205BBEB04CF64DC50FEE77B6AF49314F448129E918AB341EB31E984CBA1

Function 004063D8 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
lstrlenW.KERNEL32(?), ref: 004063F8
GetVersionExW.KERNEL32(?), ref: 00406456

Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
FreeLibrary.KERNEL32(00000000), ref: 00406500
GlobalFree.KERNEL32(?), ref: 00406509

Strings

EnumProcesses, xrefs: 004064AE
PSAPI.DLL, xrefs: 00406490
CreateToolhelp32Snapshot, xrefs: 004065E1
Module32FirstW, xrefs: 004065FF
Module32NextW, xrefs: 0040660A
GetModuleBaseNameW, xrefs: 004064C0
Process32FirstW, xrefs: 004065E9
EnumProcessModules, xrefs: 004064B6
Process32NextW, xrefs: 004065F4
Kernel32.DLL, xrefs: 004065C7
Unknown, xrefs: 00406528

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59

Function 004040E4 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
GetDlgItem.USER32(?,000003E8), ref: 004041AD
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
GetSysColor.USER32(?), ref: 004041DB
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
lstrlenW.KERNEL32(?), ref: 00404202
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E

Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030

GetDlgItem.USER32(?,0000040A), ref: 00404276
SendMessageW.USER32(00000000), ref: 0040427D
GetDlgItem.USER32(?,000003E8), ref: 004042AA
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
SetCursor.USER32(00000000), ref: 004042FE
ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
SetCursor.USER32(00000000), ref: 00404322
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363

Strings

open, xrefs: 0040430B
F, xrefs: 004042D3
N, xrefs: 00404298

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: F$N$open
API String ID: 3928313111-1104729357
Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99

Function 6CFA0CE0 Relevance: 36.3, APIs: 24, Instructions: 327windowfileCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 6CFA0D0A
SendMessageW.USER32(?,00000202,00000000,00000000), ref: 6CFA0D3F
GlobalLock.KERNEL32(00000000), ref: 6CFA0D74
73A1A570.USER32(00000000), ref: 6CFA0D90
GlobalUnlock.KERNEL32(?), ref: 6CFA0DEE
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 6CFA0E0F
DeleteObject.GDI32(00000000), ref: 6CFA0E22
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 6CFA0E63
DeleteObject.GDI32(00000000), ref: 6CFA0E76
GetEnhMetaFileHeader.GDI32(?,0000006C,?), ref: 6CFA0EAE
73A1A570.USER32(?), ref: 6CFA0EBE
SelectObject.GDI32(?,?), ref: 6CFA0FDC
PlayEnhMetaFile.GDI32(?,?,?), ref: 6CFA0FF4
SelectObject.GDI32(?,?), ref: 6CFA1002
DeleteDC.GDI32(?), ref: 6CFA100F
SendMessageW.USER32(?,00000172,00000000,?), ref: 6CFA103E
DeleteObject.GDI32(00000000), ref: 6CFA1051
GlobalLock.KERNEL32(?), ref: 6CFA1080
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 6CFA10A6
DragQueryFileW.SHELL32(00000000,00000000,?,00000208), ref: 6CFA10D0
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00000050), ref: 6CFA10E7
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 6CFA1114
DeleteObject.GDI32(00000000), ref: 6CFA1130
GlobalUnlock.KERNEL32(?), ref: 6CFA113D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Object$DeleteMessageSend$FileGlobal$A570DragLockMetaQuerySelectUnlock$CursorHeaderImageLoadPlay
String ID:
API String ID: 156693821-0
Opcode ID: df33628a3318c1e26b0a7dec68734c5b41ed32f7ca60689863d1c7a3cc29d8ec
Instruction ID: 43ebda5a33f7da839ae1e1d71f94d641cead4b8ca871c53256dc720a7259c5e1
Opcode Fuzzy Hash: df33628a3318c1e26b0a7dec68734c5b41ed32f7ca60689863d1c7a3cc29d8ec
Instruction Fuzzy Hash: C4E14075E01218EFDB14DFA0CD89BADB775FF49305F218199E919AB280C7709A85CF50

Function 00406AC5 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD

Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
wsprintfA.USER32 ref: 00406B79
GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63

Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
GlobalFree.KERNEL32(00000000), ref: 00406C7E
CloseHandle.KERNEL32(?), ref: 00406C88

Strings

%s=%s, xrefs: 00406B6F
NUL, xrefs: 00406ACA
^F, xrefs: 00406ACF
plF, xrefs: 00406B54
[Rename], xrefs: 00406BF4, 00406C03

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: ^F$%s=%s$NUL$[Rename]$plF
API String ID: 565278875-3368763019
Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E

Function 6CFFA830 Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 153COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFFA842
__wcsicoll.LIBCMT ref: 6CFFA857
__wcsicoll.LIBCMT ref: 6CFFA87E

Strings

forecolor2, xrefs: 6CFFA96D
isstretchfore, xrefs: 6CFFA931
max, xrefs: 6CFFA8A4
hor, xrefs: 6CFFA839
value, xrefs: 6CFFA8D3
ishor, xrefs: 6CFFA902
true, xrefs: 6CFFA84E, 6CFFA946
min, xrefs: 6CFFA875

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: forecolor2$hor$ishor$isstretchfore$max$min$true$value
API String ID: 3832890014-980700665
Opcode ID: 9f962f9121f9e2a016ddb346317a2fd604ca2ca995984a6b59b68f46a1a6549e
Instruction ID: be6ddeacb98f32a34db077fea0ed8df0b0b2f9b179ab382d5c718741ddb0c7a8
Opcode Fuzzy Hash: 9f962f9121f9e2a016ddb346317a2fd604ca2ca995984a6b59b68f46a1a6549e
Instruction Fuzzy Hash: D95160B6904108BBDB24CFB5DC84E9E73B9AF49205F10C269F9289B750EB34EA45C761

Function 6CF9E4C0 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 185stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CF9E4E8
GetStockObject.GDI32(00000011), ref: 6CF9E4F8
GetObjectW.GDI32(00000000), ref: 6CF9E4FF
lstrlenW.KERNEL32(00000000), ref: 6CF9E509
_memset.LIBCMT ref: 6CF9E527
_wcsncat.LIBCMT ref: 6CF9E53C
_wcsncpy.LIBCMT ref: 6CF9E551
CreateFontIndirectW.GDI32(00000000), ref: 6CF9E5A8
DeleteObject.GDI32(000A0DE0), ref: 6CF9E5CF
_memset.LIBCMT ref: 6CF9E618
SelectObject.GDI32(00000000,00000000), ref: 6CF9E640
GetTextMetricsW.GDI32(00000000,6D04B28C), ref: 6CF9E65E
SelectObject.GDI32(00000000,?), ref: 6CF9E678
DeleteObject.GDI32(?), ref: 6CF9E690
_memset.LIBCMT ref: 6CF9E706
SelectObject.GDI32(00000000,00000000), ref: 6CF9E72E
GetTextMetricsW.GDI32(00000000,?), ref: 6CF9E754
SelectObject.GDI32(00000000,?), ref: 6CF9E76E

Strings

, xrefs: 6CF9E5C8, 6CF9E5D8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Object$Select_memset$DeleteMetricsText$CreateFontIndirectStock_wcsncat_wcsncpylstrlen
String ID:
API String ID: 489608762-2974417871
Opcode ID: 2fd65bde0c8216d3a06dda7d7fe53de8f1358fc6c409b52556931587fd6d7214
Instruction ID: 489578f4a04f0096b66cc7c08be0fdb4b2a31e0dc5f3d590e0c4a46dd748803a
Opcode Fuzzy Hash: 2fd65bde0c8216d3a06dda7d7fe53de8f1358fc6c409b52556931587fd6d7214
Instruction Fuzzy Hash: 4E814F75A01388DFDB14DFA4C994FEE7BB5AF49304F1441A9E9099B382D7309A84CF52

Function 6CFFA140 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 118COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFFA152
__wcsicoll.LIBCMT ref: 6CFFA178

Strings

sendmove, xrefs: 6CFFA24E
thumbimage, xrefs: 6CFFA149
thumbsize, xrefs: 6CFFA1BB
thumbhotimage, xrefs: 6CFFA16F
true, xrefs: 6CFFA263
thumbpushedimage, xrefs: 6CFFA195
step, xrefs: 6CFFA222

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: sendmove$step$thumbhotimage$thumbimage$thumbpushedimage$thumbsize$true
API String ID: 3832890014-1594985145
Opcode ID: f5a5d738ae4d010f27d5703624d866cf387393c834b203c961a238513accdd2f
Instruction ID: a86c8dfe4e83c50f2046168ba4be23d7798a61efe1071bb05ddd40902d973004
Opcode Fuzzy Hash: f5a5d738ae4d010f27d5703624d866cf387393c834b203c961a238513accdd2f
Instruction Fuzzy Hash: 504144B6A04208BBDB04DFA5DC40EEF77F8EF49344F008519B92897790EB31AA05CB65

Function 6CF9E790 Relevance: 27.3, APIs: 18, Instructions: 330stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CF9E7D6
GetStockObject.GDI32(00000011), ref: 6CF9E7E9
GetObjectW.GDI32(00000000), ref: 6CF9E7F0
lstrlenW.KERNEL32(00000000,?,?,E243FD3F), ref: 6CF9E7FA
_memset.LIBCMT ref: 6CF9E818
_wcsncat.LIBCMT ref: 6CF9E82D
_wcsncpy.LIBCMT ref: 6CF9E842

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

CreateFontIndirectW.GDI32(00000000), ref: 6CF9E8A6
_memset.LIBCMT ref: 6CF9E939
SelectObject.GDI32(00000000,00000000), ref: 6CF9E9A8
GetTextMetricsW.GDI32(00000000,-00000090), ref: 6CF9E9CA
SelectObject.GDI32(00000000,?), ref: 6CF9E9E4
_memset.LIBCMT ref: 6CF9E9F2
__itow.LIBCMT ref: 6CF9EA04
DeleteObject.GDI32 ref: 6CF9EA51
DeleteObject.GDI32(00000000), ref: 6CF9EAE2

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Object$_memset$DeleteSelect$CreateFontIndirectMetricsStockText__itow_malloc_wcsncat_wcsncpylstrlen
String ID:
API String ID: 235911522-0
Opcode ID: c088b83e11e68b2323b000f1ee46215ae86194b2c38a253e217a4a0d26cac93e
Instruction ID: f97b158415854f693dc0557c6fb78998f18fb7183ca738dbd18a9d0a2f5c7efd
Opcode Fuzzy Hash: c088b83e11e68b2323b000f1ee46215ae86194b2c38a253e217a4a0d26cac93e
Instruction Fuzzy Hash: 82E16DB1D01219DBEB18CF64D980BEEB7B5BF49304F1481E9E549A7780DB709A84CFA0

Function 6CFBC6B0 Relevance: 27.3, APIs: 18, Instructions: 322COMMON

Download Yara Rule

APIs

DeleteDC.GDI32(00000000), ref: 6CFBC6F4

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 101366d0fc4c30f9bf1c4397e4af91de4bb9c2d5d70bda66b939f786f2ea19f0
Instruction ID: c41ecb4466c42c682ca88f0aa5c4632b2ba1be24e7be605fbc5e4c393c4410b3
Opcode Fuzzy Hash: 101366d0fc4c30f9bf1c4397e4af91de4bb9c2d5d70bda66b939f786f2ea19f0
Instruction Fuzzy Hash: B6D1F4B5E01209DBDB04DFA8D994BAFBBB5BF8C300F208559E905B7380D775A945CBA0

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4

Function 6CFF8280 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 6CFF82AF
SysAllocString.OLEAUT32(errorLine), ref: 6CFF82F5
SysAllocString.OLEAUT32(errorCharacter), ref: 6CFF8306
SysAllocString.OLEAUT32(errorCode), ref: 6CFF8317
SysAllocString.OLEAUT32(errorMessage), ref: 6CFF8328
SysAllocString.OLEAUT32(errorUrl), ref: 6CFF8339

Strings

errorUrl, xrefs: 6CFF8334
errorCode, xrefs: 6CFF8312
(, xrefs: 6CFF82CD
errorLine, xrefs: 6CFF82F0
errorMessage, xrefs: 6CFF8323
errorCharacter, xrefs: 6CFF8301

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: AllocString$_memcmp
String ID: ($errorCharacter$errorCode$errorLine$errorMessage$errorUrl
API String ID: 3266598443-2821095632
Opcode ID: f8716b0b74952b043ce0361401ff2c157e16f81f5ec684c799c39a1eea2bd1ae
Instruction ID: c1979b2985ce464bf239f6011d2a282f0e15f14ea97b3277465477578ce97708
Opcode Fuzzy Hash: f8716b0b74952b043ce0361401ff2c157e16f81f5ec684c799c39a1eea2bd1ae
Instruction Fuzzy Hash: 05610D75E00219EFDB44CFA4C884BAEB7B5FF49304F208159E919A73A1D770A945CF91

Function 6CF70DB0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 152stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF70E1F
GlobalFree.KERNEL32 ref: 6CF70E2F
_memset.LIBCMT ref: 6CF70E61
lstrcpyW.KERNEL32(?,?), ref: 6CF70E7F
GlobalFree.KERNEL32 ref: 6CF70E8F
_memset.LIBCMT ref: 6CF70EE0
SHBrowseForFolderW.SHELL32(?), ref: 6CF70EED
GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF70F10
lstrcpynW.KERNEL32(00000004,?,00002004), ref: 6CF70F28
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 6CF70F5B
GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF70F76
lstrcpynW.KERNEL32(00000004,?,00002004), ref: 6CF70F8E

Strings

@, xrefs: 6CF70ED3

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Global$lstrcpyn$AllocFree_memset$BrowseFolderFromListPathlstrcpy
String ID: @
API String ID: 2971311640-2766056989
Opcode ID: 54795fabb5fed06c259e2321284bb3ab6fb6f9a62e1547f8fa975d6fc0e89beb
Instruction ID: 14e4f2041299231cb09a5334c70f575f5e9626ffaa425f2f93b1b70c11332822
Opcode Fuzzy Hash: 54795fabb5fed06c259e2321284bb3ab6fb6f9a62e1547f8fa975d6fc0e89beb
Instruction Fuzzy Hash: 4A5125B6905341DFC724DF68D584AAAB7F9EFC9314F104A2EF94987240E770A948CBA1

Function 6D00FDE0 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

return, xrefs: 6D00FECE
8!, xrefs: 6D00FF58

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID: 8!$return
API String ID: 0-1804769167
Opcode ID: 6dfcbcb4621d3068cae841be017b41699b3ffd577e70ab6391970a7e7e78e1a7
Instruction ID: 4c390427e19da1d7bb9639053be5be08c98eedd36acd939096ab3c662f053ca1
Opcode Fuzzy Hash: 6dfcbcb4621d3068cae841be017b41699b3ffd577e70ab6391970a7e7e78e1a7
Instruction Fuzzy Hash: 31C1FC74E04209AFEB08CF99C894BADBBB6FF88305F20C559E9159B385C734E946CB50

Function 6CF8BCD0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 134registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CF8BD16
GetClassInfoExW.USER32(00000000,?,00000030), ref: 6CF8BD2F
GetClassInfoExW.USER32(00000000,?,00000030), ref: 6CF8BD47
RegisterClassExW.USER32(00000030), ref: 6CF8BD7A
GetLastError.KERNEL32 ref: 6CF8BD8C
_memset.LIBCMT ref: 6CF8BDC5
GetClassInfoExW.USER32(00000000,00000000), ref: 6CF8BDE8
GetClassInfoExW.USER32(00000000,00000000), ref: 6CF8BE0A

Strings

0, xrefs: 6CF8BD1E
0, xrefs: 6CF8BDCD

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Class$Info$_memset$ErrorLastRegister
String ID: 0$0
API String ID: 3232360322-203156872
Opcode ID: 8f413ee0bae34592debb1ab9db79b82d4f2677b30ff59983c1e2240ceb5150ce
Instruction ID: 52884e14e1806d64715ff72a76edf1a7d6f5fd91dd79a4683a8f7e405cff644f
Opcode Fuzzy Hash: 8f413ee0bae34592debb1ab9db79b82d4f2677b30ff59983c1e2240ceb5150ce
Instruction Fuzzy Hash: E751F575A02208EFDB14DFA5C885BEDBBB4BF49304F348659E905A7362DB30AA45CF50

Function 6CFEE570 Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 409COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,00000000), ref: 6CFEE62F
LoadCursorW.USER32(00000000,00007F89), ref: 6CFEE640
SetCursor.USER32(00000000), ref: 6CFEE647
PtInRect.USER32(?,?,?), ref: 6CFEE6B3
PtInRect.USER32(?,?,?), ref: 6CFEE73B

Part of subcall function 6CFEF6A0: _memset.LIBCMT ref: 6CFEF6B1

PtInRect.USER32(?,?,?), ref: 6CFEE8EF
PtInRect.USER32(?,?,?), ref: 6CFEE940
PtInRect.USER32(?,?,?), ref: 6CFEE9B0
PtInRect.USER32(?,?,?), ref: 6CFEEA50

Strings

listitemchecked, xrefs: 6CFEEA06
link, xrefs: 6CFEE6C5

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Rect$Cursor$Load_memset
String ID: link$listitemchecked
API String ID: 1396307209-30625825
Opcode ID: a2b404409ffe00f147fec37b03e8edeabd5481ef884eede281a721a2ebe0c912
Instruction ID: c5442ba22402f823636c41dd2bca7e99732dc779096e4088f524588959e487b1
Opcode Fuzzy Hash: a2b404409ffe00f147fec37b03e8edeabd5481ef884eede281a721a2ebe0c912
Instruction Fuzzy Hash: 7D02F375A04609EFDB04CF98D890EAEB7B2FF89314F188268E5159B751D730AD86CF90

Function 6CFC1D90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 6CFC1DF9
SelectObject.GDI32(?,00000000), ref: 6CFC1EC7
73A24D40.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6CFC1EF1
SelectObject.GDI32(?,?), ref: 6CFC1F36
DeleteDC.GDI32(?), ref: 6CFC1F40
GdiFlush.GDI32 ref: 6CFC1F46
SelectObject.GDI32(?,?), ref: 6CFC1F54
DeleteObject.GDI32(00000000), ref: 6CFC1F5E
DeleteDC.GDI32(?), ref: 6CFC1F68

Strings

(, xrefs: 6CFC1E43

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Object$Select$Delete$Flush
String ID: (
API String ID: 3202616065-3887548279
Opcode ID: 8788dd1bf1fb2a505616a39cae790a437c4c26a8090981f26899490eabddaac9
Instruction ID: 51a077cab3b0495b4b300aabddc3f0c754a2d1ce69dd91ee099ecc2a89ee66e3
Opcode Fuzzy Hash: 8788dd1bf1fb2a505616a39cae790a437c4c26a8090981f26899490eabddaac9
Instruction Fuzzy Hash: 1A61A3B5E01209EFCF04DFA8D994BAEBBB5BF88304F108519E919A7240D734A945CF61

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 88e4ee1587b6acc04eade602774f77907f811befdb6ad9f01a68df4d4fc2eb7d
Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
Opcode Fuzzy Hash: 88e4ee1587b6acc04eade602774f77907f811befdb6ad9f01a68df4d4fc2eb7d
Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69

Function 6CF70FE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 122stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF71051
GlobalFree.KERNEL32 ref: 6CF7105D
_memset.LIBCMT ref: 6CF710B5
SHBrowseForFolderW.SHELL32(?), ref: 6CF710C2
GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF710E5
lstrcpynW.KERNEL32(00000004,?,00002004), ref: 6CF710FC
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 6CF7112A
GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF71145
lstrcpynW.KERNEL32(00000004,?,00002004), ref: 6CF7115D

Strings

@, xrefs: 6CF710A8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Globallstrcpyn$Alloc$BrowseFolderFreeFromListPath_memset
String ID: @
API String ID: 4260312955-2766056989
Opcode ID: ab0073e9efc28a63ffdaa4986b6d58ae086ea2a2b56b48178d3d7ca254a9d46b
Instruction ID: 9df70922e99de6a3bed11f8274f8e9ee60be66f187678dc383f911251d35ac1d
Opcode Fuzzy Hash: ab0073e9efc28a63ffdaa4986b6d58ae086ea2a2b56b48178d3d7ca254a9d46b
Instruction Fuzzy Hash: 444125B1505301DFCB14EF28D985A9AB7F8EBC9714F108A2EF54987350E770E948CBA1

Function 6D00AA80 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6D00AA92
CharNextW.USER32(?), ref: 6D00AAAD
_wcstoul.LIBCMT ref: 6D00AAC7
__wcsicoll.LIBCMT ref: 6D00AAEC
CharNextW.USER32(?), ref: 6D00AB07
_wcstoul.LIBCMT ref: 6D00AB21
__wcsicoll.LIBCMT ref: 6D00AB43

Part of subcall function 6D018646: __fassign.LIBCMT ref: 6D01863C

Strings

font, xrefs: 6D00AB3A
disabledtextcolor, xrefs: 6D00AAE3
textcolor, xrefs: 6D00AA89

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll$CharNext_wcstoul$__fassign
String ID: disabledtextcolor$font$textcolor
API String ID: 2265040770-51903553
Opcode ID: 14be05346f97a35a9ab67283bed6ca2f093144579346e1afc616faa417683b21
Instruction ID: 297aa1234a67a48b00d416c891cb72a66c8458a5e0e290085d49736b167b28ad
Opcode Fuzzy Hash: 14be05346f97a35a9ab67283bed6ca2f093144579346e1afc616faa417683b21
Instruction Fuzzy Hash: F93130B5D04208BBEF04DFA4DD44FAE77B9AF89304F20C559F9189B280E7349A04CBA1

Function 6CF6FD00 Relevance: 16.6, APIs: 11, Instructions: 143stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF6FD45
GlobalFree.KERNEL32 ref: 6CF6FD51
lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF6FD87
GlobalFree.KERNEL32 ref: 6CF6FD94
lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF6FDCE
GlobalFree.KERNEL32 ref: 6CF6FDDB
lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF6FE15
GlobalFree.KERNEL32 ref: 6CF6FE25
IsWindow.USER32(?), ref: 6CF6FE3F
SetTimer.USER32(?,00000000,00000000,00000000), ref: 6CF6FE67
SetTimer.USER32(?,00000000,00000000,00000000), ref: 6CF6FEB3

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FreeGloballstrcpyn$Timer$Window
String ID:
API String ID: 4073460630-0
Opcode ID: ec1a67c90fe7f78a616723eb73665824e564e9f6139a5d9219711835869e8cf8
Instruction ID: 0bcd5ab3e9e711f0abcc1f91fab8d1443ee5af6db0f3d3f4330c18fa737b7aa1
Opcode Fuzzy Hash: ec1a67c90fe7f78a616723eb73665824e564e9f6139a5d9219711835869e8cf8
Instruction Fuzzy Hash: 7A51B271A01214DFCB64EF29C980FDA77B8FF8A714F204599E245A7A41DB70AD84CFA0

Function 6CF789D0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CF78A07
__CxxThrowException@8.LIBCMT ref: 6CF78A1C
std::exception::exception.LIBCMT ref: 6CF78AAF
__CxxThrowException@8.LIBCMT ref: 6CF78AC4

Strings

Type is not convertible to UInt64, xrefs: 6CF78AA8
Real out of UInt64 range, xrefs: 6CF78A74
Negative integer can not be converted to UInt64, xrefs: 6CF78A00

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: Negative integer can not be converted to UInt64$Real out of UInt64 range$Type is not convertible to UInt64
API String ID: 3728558374-2599800953
Opcode ID: 3d469ef026abe9d1a441f1509606ed4036ba2f181ccaca28293f5da19c7def93
Instruction ID: 20cfb49e5d90496235d796a3d4d573406e063f946fc23976cc426ef54e268366
Opcode Fuzzy Hash: 3d469ef026abe9d1a441f1509606ed4036ba2f181ccaca28293f5da19c7def93
Instruction Fuzzy Hash: FF31B471A0120DABEF24DFE5E545BEEB7B4EF49304F2042DED804B2650D7325A55CB61

Function 6CF788B0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CF788F5
__CxxThrowException@8.LIBCMT ref: 6CF7890A
std::exception::exception.LIBCMT ref: 6CF78981
__CxxThrowException@8.LIBCMT ref: 6CF78996

Strings

Type is not convertible to Int64, xrefs: 6CF7897A
unsigned integer out of Int64 range, xrefs: 6CF788EE
Real out of Int64 range, xrefs: 6CF78946

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: Real out of Int64 range$Type is not convertible to Int64$unsigned integer out of Int64 range
API String ID: 3728558374-1238791498
Opcode ID: 8375be8fb7bc49fde0740ae818ef5e1128f4b7ff5d2e7bfa75a5c0f1875457f4
Instruction ID: ed9285c4d09153084efdfe53b9404fcbfa8aca6ff4fea464fd7b968a33458e6e
Opcode Fuzzy Hash: 8375be8fb7bc49fde0740ae818ef5e1128f4b7ff5d2e7bfa75a5c0f1875457f4
Instruction Fuzzy Hash: 0321E57190110DDB9B10CBE4E945BEEB774EB4A314F2046DFD418A3A90DB318615CB72

Function 00406113 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
lstrcatW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),?,?,00406300,00000000), ref: 004061CE
WriteFile.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3

Strings

File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1), xrefs: 004061C1, 004061C6, 004061CD, 004061DC
@bG, xrefs: 00406162

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: @bG$File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1)
API String ID: 3734993849-1405478896
Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC

Function 6D00AEB0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 63COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6D00AEC0
__wcsicoll.LIBCMT ref: 6D00AEE6
__wcsicoll.LIBCMT ref: 6D00AEFB

Strings

bkimage, xrefs: 6D00AEB7
autoplay, xrefs: 6D00AEDD
autosize, xrefs: 6D00AF16
true, xrefs: 6D00AEF2, 6D00AF2B

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: autoplay$autosize$bkimage$true
API String ID: 3832890014-909319370
Opcode ID: ebf0ebe206b3448ccc7401b6658e0a949df204eaab3291ffbb80ee503564b284
Instruction ID: aa624e47f295b0b9739b0fcc10daf36ca5caf3ec855e94f0fe4af16aa37c75db
Opcode Fuzzy Hash: ebf0ebe206b3448ccc7401b6658e0a949df204eaab3291ffbb80ee503564b284
Instruction Fuzzy Hash: 23115EF1A08208BBEF04DBA5ED91EAE73A96F49245F108559B91C87350FB30EA04C761

Function 6CFBA490 Relevance: 15.4, APIs: 10, Instructions: 350filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF95A40: CharNextW.USER32(00000000,00000000,?,00000000,E243FD3F), ref: 6CF95B51
Part of subcall function 6CF95A40: CharNextW.USER32(00000000,00000000,?,00000000,E243FD3F), ref: 6CF95B80

std::_DebugHeapString::_DebugHeapString.LIBCPMTD ref: 6CFBA53D
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,00000000,E243FD3F), ref: 6CFBA560
GetFileSize.KERNEL32(000000FF,00000000), ref: 6CFBA592
std::_DebugHeapString::_DebugHeapString.LIBCPMTD ref: 6CFBA654
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,6D03A17C,6D02AEC8), ref: 6CFBA8F1
GetFileSize.KERNEL32(000000FF,00000000,?,?,?,?,?,?,?,6D03A17C,6D02AEC8,?,?,?,00000000,E243FD3F), ref: 6CFBA914

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

ReadFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,6D03A17C,6D02AEC8,?), ref: 6CFBA965
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,6D03A17C,6D02AEC8,?,?,?,00000000,E243FD3F), ref: 6CFBA972

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: File$DebugHeap$CharCreateNextSizeStringString::_std::_$CloseHandleRead_free
String ID:
API String ID: 441641967-0
Opcode ID: 95c762f18a44ea26cd14cabd8eda98f2f6fba3ecfcf39014f10afc5b0db7835f
Instruction ID: 5d9872d4310718a30ccf3d968151bf8744ca17757f06a64b62502f237cc7cf81
Opcode Fuzzy Hash: 95c762f18a44ea26cd14cabd8eda98f2f6fba3ecfcf39014f10afc5b0db7835f
Instruction Fuzzy Hash: C0F15AB0D05218DBDB24DBA4DD45BEEB7B4AF44308F1042D9D20A77680DB756B89CFA2

Function 6CF9ECB0 Relevance: 15.3, APIs: 10, Instructions: 332filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,6CFD127E,00000000,E243FD3F), ref: 6CF9ED4B
GetFileSize.KERNEL32(000000FF,00000000), ref: 6CF9ED80
std::_DebugHeapString::_DebugHeapString.LIBCPMTD ref: 6CF9EE48
CreateFileW.KERNEL32(6CFD127E,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?,6D03A17C,6D02AEC8,6CFD127E), ref: 6CF9F0EB
GetFileSize.KERNEL32(000000FF,00000000,?,?,?,?,?,?,6D03A17C,6D02AEC8,6CFD127E,000000FF,?,?,00000000,E243FD3F), ref: 6CF9F10E

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

ReadFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,6D03A17C,6D02AEC8,6CFD127E,000000FF), ref: 6CF9F15F
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,6D03A17C,6D02AEC8,6CFD127E,000000FF,?,?,00000000,E243FD3F), ref: 6CF9F16C
AddFontMemResourceEx.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,6D03A17C,6D02AEC8,6CFD127E,000000FF), ref: 6CF9F1B1

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: File$CreateDebugHeapSize$CloseFontHandleReadResourceStringString::__freestd::_
String ID:
API String ID: 4282563726-0
Opcode ID: 792ddfa91bc4ac2fe058a586323b39312043020f8177c418edfd48bbc31bcf2e
Instruction ID: 4fc2a3f5b7a67c54c0d955bacfdf5f0a584f328d424932543898f296be66a487
Opcode Fuzzy Hash: 792ddfa91bc4ac2fe058a586323b39312043020f8177c418edfd48bbc31bcf2e
Instruction Fuzzy Hash: C6E11AB1D01218DBEF64DB64DC44BEEB7B5AF44318F2082D9E11967680DB705B88CFA6

Function 6CF6C1F0 Relevance: 15.2, APIs: 10, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6CF6C409
__CxxThrowException@8.LIBCMT ref: 6CF6C41E
std::exception::exception.LIBCMT ref: 6CF6C42D
__CxxThrowException@8.LIBCMT ref: 6CF6C442
std::exception::exception.LIBCMT ref: 6CF6C451
__CxxThrowException@8.LIBCMT ref: 6CF6C466
std::exception::exception.LIBCMT ref: 6CF6C475
__CxxThrowException@8.LIBCMT ref: 6CF6C48A
std::exception::exception.LIBCMT ref: 6CF6C499
__CxxThrowException@8.LIBCMT ref: 6CF6C4AE

Part of subcall function 6CF7C861: std::exception::exception.LIBCMT ref: 6CF7C8B0
Part of subcall function 6CF7C861: std::exception::exception.LIBCMT ref: 6CF7C8CA
Part of subcall function 6CF7C861: __CxxThrowException@8.LIBCMT ref: 6CF7C8DB

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 98789ab34e48563927e6eb5b552af0e1e37041b9a65638be89243978c0691e09
Instruction ID: b87adcd26f41f7be21479bb4c5483d264e590ab9c8c9332931658447630b6793
Opcode Fuzzy Hash: 98789ab34e48563927e6eb5b552af0e1e37041b9a65638be89243978c0691e09
Instruction Fuzzy Hash: 328139B19017449FD721DF69C444BEABBE0BF59304F54C95ED8AAA7701EB30A508CBA2

Function 6CF61DB0 Relevance: 15.2, APIs: 10, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6CF61EF6
__CxxThrowException@8.LIBCMT ref: 6CF61F0B
std::exception::exception.LIBCMT ref: 6CF61F1A
__CxxThrowException@8.LIBCMT ref: 6CF61F2F
std::exception::exception.LIBCMT ref: 6CF61F3E
__CxxThrowException@8.LIBCMT ref: 6CF61F53
std::exception::exception.LIBCMT ref: 6CF61F62
__CxxThrowException@8.LIBCMT ref: 6CF61F77
std::exception::exception.LIBCMT ref: 6CF61F86
__CxxThrowException@8.LIBCMT ref: 6CF61F9B

Part of subcall function 6CF7C861: std::exception::exception.LIBCMT ref: 6CF7C8B0
Part of subcall function 6CF7C861: std::exception::exception.LIBCMT ref: 6CF7C8CA
Part of subcall function 6CF7C861: __CxxThrowException@8.LIBCMT ref: 6CF7C8DB

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 56c914a97d086034f148216e17a1df1b1e8a80cc3f8cce88ae2f35f16c4e6001
Instruction ID: db3ce2cc4671254af53128ca852f57d7d2cea897a015c4464b1ae26dfcf7e4c1
Opcode Fuzzy Hash: 56c914a97d086034f148216e17a1df1b1e8a80cc3f8cce88ae2f35f16c4e6001
Instruction Fuzzy Hash: B4518DB1901704DFC761CF69D980AEEBBF0FF58600F54866EE449A7B51E731A908CB62

Function 6CFFC830 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 331COMMON

Download Yara Rule

APIs

MonitorFromWindow.USER32(00000000,00000001), ref: 6CFFC8FF
GetMonitorInfoW.USER32(00000000), ref: 6CFFC906
GetWindowRect.USER32(00000000), ref: 6CFFCA94
MapWindowPoints.USER32(00000000), ref: 6CFFCADE
GetWindowRect.USER32(00000000,00000000), ref: 6CFFCBB9
MoveWindow.USER32(FFFFFFFF,?,?,?,?), ref: 6CFFCD73

Strings

MenuElement, xrefs: 6CFFC9BB
(, xrefs: 6CFFC8E6

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Window$MonitorRect$FromInfoMovePoints
String ID: ($MenuElement
API String ID: 2634076724-3031226456
Opcode ID: 380706f7346b6cc6c972e9be4683504f7cfec73a6f7fbc2b026ac9220ac75e9c
Instruction ID: c0ddf747cad7b15f63852b4895b944856a12cfdf27663d032d46f70175973eb7
Opcode Fuzzy Hash: 380706f7346b6cc6c972e9be4683504f7cfec73a6f7fbc2b026ac9220ac75e9c
Instruction Fuzzy Hash: E4029374E042688FDB28CF98C994BDDB7B1BF89304F1481A9D519AB355DB306E86CF90

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 425adf467cb2c86b17273659995b3ed8045270cb1554a1bec104c33d48d0e7ae
Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
Opcode Fuzzy Hash: 425adf467cb2c86b17273659995b3ed8045270cb1554a1bec104c33d48d0e7ae
Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98

Function 6CF8C9E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CF8C9B0: _wcslen.LIBCMT ref: 6CF8C9BD

_wcslen.LIBCMT ref: 6CF8C9F8
_malloc.LIBCMT ref: 6CF8CA20

Part of subcall function 6CF7CD40: __FF_MSGBANNER.LIBCMT ref: 6CF7CD59
Part of subcall function 6CF7CD40: __NMSG_WRITE.LIBCMT ref: 6CF7CD60
Part of subcall function 6CF7CD40: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 6CF7CD85

_wcscpy.LIBCMT ref: 6CF8CA3A
_wcscat.LIBCMT ref: 6CF8CA4C
_wcscat.LIBCMT ref: 6CF8CA7B
_free.LIBCMT ref: 6CF8CA98
_wcscat.LIBCMT ref: 6CF8CAB6

Strings

?, xrefs: 6CF8CA05

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _wcscat$_wcslen$AllocateHeap_free_malloc_wcscpy
String ID: ?
API String ID: 3373672540-1684325040
Opcode ID: 1eff190317c42efdf50057d75f0da352851831f57c92b7e1028e0c35714c2136
Instruction ID: 7d3b675f2579f691c8c4f408612ac76515321f8a2dcb28d69e8f3d9a38b2389b
Opcode Fuzzy Hash: 1eff190317c42efdf50057d75f0da352851831f57c92b7e1028e0c35714c2136
Instruction Fuzzy Hash: 9B3114B5E05208EFDB04DFA8D891D9EB7B5EF49308F1441A8E909AB700E731EA55CB91

Function 6CFD22C7 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFD2020
__wcsicoll.LIBCMT ref: 6CFD2038
__wcsicoll.LIBCMT ref: 6CFD2050
__wcsicoll.LIBCMT ref: 6CFD2068
__wcsicoll.LIBCMT ref: 6CFD208F
__wcsicoll.LIBCMT ref: 6CFD20AC
_memset.LIBCMT ref: 6CFD20FE
__fassign.LIBCMT ref: 6CFD2145
__fassign.LIBCMT ref: 6CFD21E9

Strings

Default, xrefs: 6CFD2044
Style, xrefs: 6CFD205C
Font, xrefs: 6CFD202C
Image, xrefs: 6CFD2014

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll$__fassign$_memset
String ID: Default$Font$Image$Style
API String ID: 4232687799-1745633971
Opcode ID: 150fc99b664d1a204c52007f106f1a3c8a7534ce7c05dd73007adfc477f3914b
Instruction ID: 07b8a6aa5cc5c1d6046fcc438e2450ed3255a9f16017333114e940654022b84a
Opcode Fuzzy Hash: 150fc99b664d1a204c52007f106f1a3c8a7534ce7c05dd73007adfc477f3914b
Instruction Fuzzy Hash: 9801CCB1D0411996EF248A20DC55BBB73B26F91205F1846E9D90953A80EB33AE58CAE1

Function 6CFC0608 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 6CFC063B
__fassign.LIBCMT ref: 6CFC0650
_memmove.LIBCMT ref: 6CFC173C
_memmove.LIBCMT ref: 6CFC1779

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memmove$CharNext__fassign
String ID:
API String ID: 3170261096-0
Opcode ID: 34da8000f445b1908d7baa84d8fb6b52ef566aa960d555c9ec28565a4fe85862
Instruction ID: b696ff742f430d94723672abaa802f31ab1bee635093fa326603fbfeca4f9afb
Opcode Fuzzy Hash: 34da8000f445b1908d7baa84d8fb6b52ef566aa960d555c9ec28565a4fe85862
Instruction Fuzzy Hash: 99D15AB5A05169CBDB14CF25D890BEEB7B2BF85304F1081D9E849AB740DB30AE95CF91

Function 6CFC08F1 Relevance: 13.8, APIs: 9, Instructions: 277COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 6CFC0913
__fassign.LIBCMT ref: 6CFC0928
_memmove.LIBCMT ref: 6CFC173C
_memmove.LIBCMT ref: 6CFC1779
_memmove.LIBCMT ref: 6CFC17B0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memmove$CharNext__fassign
String ID:
API String ID: 3170261096-0
Opcode ID: 467c6e0afe294e38f2c25249ddfcf6cc004b50960beb5cc2b1631f68aa995e83
Instruction ID: a058481970e8f6e69040f90a89ac772c4b5490523603e54bb9e116577b08869d
Opcode Fuzzy Hash: 467c6e0afe294e38f2c25249ddfcf6cc004b50960beb5cc2b1631f68aa995e83
Instruction Fuzzy Hash: E1C18FB5E041598BDB14CF65D890BEEB7B1BF85304F1081D9E84AAB740DB34AE95CF90

Function 6CFC06DA Relevance: 13.8, APIs: 9, Instructions: 266COMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000002), ref: 6CFC0718
SetBkMode.GDI32(?,00000001), ref: 6CFC0726
_memmove.LIBCMT ref: 6CFC173C
_memmove.LIBCMT ref: 6CFC1779
_memmove.LIBCMT ref: 6CFC17B0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memmove$Mode
String ID:
API String ID: 3279056331-0
Opcode ID: d2bcb055ef642ee4a7a8d6a1ae63258eeed9bfb31d54b27261c37fb628f0ea8b
Instruction ID: d5eb39dc0bb2af3118213423542674ec28b3fe085c1d86f2235f1fb5683de6ab
Opcode Fuzzy Hash: d2bcb055ef642ee4a7a8d6a1ae63258eeed9bfb31d54b27261c37fb628f0ea8b
Instruction Fuzzy Hash: 7FC18FB5A04169CBDB18CF25DC90BEEB7B1AF85305F1081D9E44ABB680DB349E95CF90

Function 6CFC0969 Relevance: 13.8, APIs: 9, Instructions: 263COMMON

Download Yara Rule

APIs

CharNextW.USER32(?), ref: 6CFC098B
__fassign.LIBCMT ref: 6CFC09A0
_memmove.LIBCMT ref: 6CFC173C
_memmove.LIBCMT ref: 6CFC1779
_memmove.LIBCMT ref: 6CFC17B0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memmove$CharNext__fassign
String ID:
API String ID: 3170261096-0
Opcode ID: 6b0cb7c70d7acc016cb0d1bd8b85d3a60ed9e715b22fa55d529227f68a897717
Instruction ID: 772c0b0e1a4d56394f5ecc7a8fae32b9730af54d5fbaa6c55ff0423baf20660b
Opcode Fuzzy Hash: 6b0cb7c70d7acc016cb0d1bd8b85d3a60ed9e715b22fa55d529227f68a897717
Instruction Fuzzy Hash: 99C16EB5A041699BDB14CF25DC90BEEB7B1BF85304F1081D9E84ABB640DB309E99CF91

Function 6D00C690 Relevance: 13.7, APIs: 9, Instructions: 204COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 6D00C6AA
_memcmp.LIBCMT ref: 6D00C6EB
_memcmp.LIBCMT ref: 6D00C714
_memcmp.LIBCMT ref: 6D00C755
_memcmp.LIBCMT ref: 6D00C796
_memcmp.LIBCMT ref: 6D00C7D7
_memcmp.LIBCMT ref: 6D00C818
_memcmp.LIBCMT ref: 6D00C856
_memcmp.LIBCMT ref: 6D00C894

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4646cfe65b599575e1d7ab05af9833a4cc928617717895434b101d411332641e
Instruction ID: 227d0c44f5c0c00749fcf1d2e9866c83c9862737b76b128c32bf27fe3e78a8a6
Opcode Fuzzy Hash: 4646cfe65b599575e1d7ab05af9833a4cc928617717895434b101d411332641e
Instruction Fuzzy Hash: EF714CB599020AFBFB05CF64C881BAE37B0FB46304F508518F9159B390D379E994CBA8

Function 6CF72360 Relevance: 13.6, APIs: 9, Instructions: 134stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF723D4
GlobalFree.KERNEL32 ref: 6CF723E4
lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF7241B
GlobalFree.KERNEL32 ref: 6CF7242C
lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF72465
GlobalFree.KERNEL32 ref: 6CF72476
wsprintfW.USER32 ref: 6CF724BE
GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF724DD
lstrcpynW.KERNEL32(00000004,?,00002004), ref: 6CF724F4

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Globallstrcpyn$Free$Allocwsprintf
String ID:
API String ID: 2453304079-0
Opcode ID: 752f79c33eec7e93b02696ed95d6592212b9f53ab8a116d530f2d2004a99b747
Instruction ID: cbbbc54eff257541a0f28cdd4cf8c3ce5b6704c5f820913b163b3b281348a476
Opcode Fuzzy Hash: 752f79c33eec7e93b02696ed95d6592212b9f53ab8a116d530f2d2004a99b747
Instruction Fuzzy Hash: 3E51AC72504301CFCB24EF68E884A9AB7F8FFC9314F104A2EE59587740D771A988CBA1

Function 6CFF8850 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 238COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 6CFF88FC
LoadCursorW.USER32(00000000,00007F89), ref: 6CFF890D
SetCursor.USER32(00000000), ref: 6CFF8914
PtInRect.USER32(?,?,?), ref: 6CFF8984
PtInRect.USER32(?,?,?), ref: 6CFF89FC
PtInRect.USER32(?,?,?), ref: 6CFF8AAC

Strings

link, xrefs: 6CFF8A0E

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Rect$Cursor$Load
String ID: link
API String ID: 1264107634-917281265
Opcode ID: 9f485841b770dc05d8fa2b9f6ecb111a074c9fb674093785f596c67bc2e24a5c
Instruction ID: 04fce0c779886a11ef5df9f13f8e9d5641bfe083055245c22f18678933a72118
Opcode Fuzzy Hash: 9f485841b770dc05d8fa2b9f6ecb111a074c9fb674093785f596c67bc2e24a5c
Instruction Fuzzy Hash: BEA12174A0420ADFDB08CF89C495AAFB7B1FF46314F548259E525ABB65C730E982CF90

Function 6CFD00E0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 215COMMON

Download Yara Rule

APIs

CharNextW.USER32(6CFCF034,?,6CFCFD34,6CFCF036,6CFCF036), ref: 6CFD0161
CharNextW.USER32(6CFCF036,6CFCF036,6CFCF036,6CFCFD34,00000022,6CFCF036,?,6CFCFD34,6CFCF036,6CFCF036), ref: 6CFD01D3

Strings

Expected attribute value, xrefs: 6CFD0273
Error while parsing attributes, xrefs: 6CFD01F3
Error while parsing attribute string, xrefs: 6CFD02BF

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CharNext
String ID: Error while parsing attribute string$Error while parsing attributes$Expected attribute value
API String ID: 3213498283-2127762582
Opcode ID: 12003965d743afd6d44b7290757c0fc7f9acd454cc927292aafca884a3304f62
Instruction ID: dff65bd2148920d7dca8ac74cd2ddd4adc32b1adfa714b99ee7939a027c1d9b5
Opcode Fuzzy Hash: 12003965d743afd6d44b7290757c0fc7f9acd454cc927292aafca884a3304f62
Instruction Fuzzy Hash: 7D91F338601245EFCB08CF55C4D09AE7BB2FF8A354B258199F89A8F764D770E981DB90

Function 6CFFC5E0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

MonitorFromWindow.USER32(00000000,00000001), ref: 6CFFC647
GetMonitorInfoW.USER32(00000000), ref: 6CFFC64E

Part of subcall function 6CF977F0: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,?,00000016,00000000,?,6CFD1441,00000000,?,00000000,?), ref: 6CF97841

Mailbox.LIBCMTD ref: 6CFFC6EE
SetForegroundWindow.USER32(00000001), ref: 6CFFC780
MoveWindow.USER32(00000001,?,?,00000000,00000000,00000000), ref: 6CFFC7AC
SetWindowPos.USER32(00000001,000000FF,?,?,00000000,?), ref: 6CFFC816

Strings

(, xrefs: 6CFFC62E

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Window$Monitor$ForegroundFromInfoMailboxMove
String ID: (
API String ID: 286081148-3887548279
Opcode ID: 7bc4a18db34b21aa22712961edd52866db811d3b9b3767e803d4dd9a4ea7652a
Instruction ID: 82884f42c1591282eb3c29bae2fce9f51a93bbc777789926bc7896c8a45947da
Opcode Fuzzy Hash: 7bc4a18db34b21aa22712961edd52866db811d3b9b3767e803d4dd9a4ea7652a
Instruction Fuzzy Hash: 1881A175E012189FCB18DFA8D990BDEBBB5BF88304F208299E51AA7355DB306A45CF50

Function 6CF6A970 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CF6A99C
std::_Lockit::_Lockit.LIBCPMT ref: 6CF6A9BF
std::bad_exception::bad_exception.LIBCMT ref: 6CF6AA40
__CxxThrowException@8.LIBCMT ref: 6CF6AA4E
std::_Lockit::_Lockit.LIBCPMT ref: 6CF6AA61
std::locale::facet::_Facet_Register.LIBCPMT ref: 6CF6AA7B

Strings

bad cast, xrefs: 6CF6AA38

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 0639ed60e7ddb341529af80b77f43d2f4c3e97d7b570aab337caa2d0af130dec
Instruction ID: 18c3e0599714498965580151b6a7a423dca179681803f982ef24aa46995f531a
Opcode Fuzzy Hash: 0639ed60e7ddb341529af80b77f43d2f4c3e97d7b570aab337caa2d0af130dec
Instruction Fuzzy Hash: 58317031804215DBDB24EF56DA80BEEB7F4EB05324F15426AD816A7A90DB30AD45CBA1

Function 6CF6AB50 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6CF6AB7C
std::_Lockit::_Lockit.LIBCPMT ref: 6CF6AB9F
std::bad_exception::bad_exception.LIBCMT ref: 6CF6AC20
__CxxThrowException@8.LIBCMT ref: 6CF6AC2E
std::_Lockit::_Lockit.LIBCPMT ref: 6CF6AC41
std::locale::facet::_Facet_Register.LIBCPMT ref: 6CF6AC5B

Strings

bad cast, xrefs: 6CF6AC18

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: ce9d47679183e988cb942c6c73598a81b81f78e4b7a2d6871c3f6ba56bc4a915
Instruction ID: 3ef934b1474a654b1ca7de5fb258f5ee191bc7119bbf92b26d6eaa963cbf12a1
Opcode Fuzzy Hash: ce9d47679183e988cb942c6c73598a81b81f78e4b7a2d6871c3f6ba56bc4a915
Instruction Fuzzy Hash: C831CE31800215DFDB24DF66D980FEEB7F4EB05728F15526AD826A7B80DB30AD45CBA1

Function 6D010610 Relevance: 12.3, APIs: 8, Instructions: 349windowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F01), ref: 6D0106BD
SetCursor.USER32(00000000), ref: 6D0106C4

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

PtInRect.USER32(?,?,?), ref: 6D0108AB
GetWindowTextLengthW.USER32(00000000), ref: 6D0108C4
SendMessageW.USER32(00000000,000000B1,00000000,00000000), ref: 6D0108F4
SendMessageW.USER32(00000000,000000B1,00000000,00000000), ref: 6D01097C
SendMessageW.USER32(00000000,00000201,?), ref: 6D0109BA
PtInRect.USER32(?,?,?), ref: 6D010A09

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: MessageSend$CursorRect$LengthLoadTextWindow_malloc
String ID:
API String ID: 3472238731-0
Opcode ID: 665766a7d85b20c2d36c4decfe30b68cf3c3c83973ccd24f846c7df846103c45
Instruction ID: a7ba1d1e66ce96474225c9d1313cc23c81300b8cdbd183a07ce29637ae48136c
Opcode Fuzzy Hash: 665766a7d85b20c2d36c4decfe30b68cf3c3c83973ccd24f846c7df846103c45
Instruction Fuzzy Hash: 60F1CA34A08105DFEB04DFA9C894BEEB7B2BF89305F54C169E855AB391CB34A945CF90

Function 6CFC0731 Relevance: 12.3, APIs: 8, Instructions: 347COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?), ref: 6CFC0870

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ObjectSelect
String ID:
API String ID: 1517587568-0
Opcode ID: 0ef97b5ff27f91663cd1cbf58f55dd70308402121e25d2a838bf4d9bbfe2661a
Instruction ID: 40fc3c22b807b4bb0f1c8c21114ee96aa024a8aa5580d1970b453270168cca27
Opcode Fuzzy Hash: 0ef97b5ff27f91663cd1cbf58f55dd70308402121e25d2a838bf4d9bbfe2661a
Instruction Fuzzy Hash: B7F14B75E051299FDB14DF25CC90BEEB7B6AF84304F1082D9E449A7680DB31AE95CF90

Function 6CF67EF0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF67F08

Part of subcall function 6CF7A7F1: std::exception::exception.LIBCMT ref: 6CF7A806
Part of subcall function 6CF7A7F1: __CxxThrowException@8.LIBCMT ref: 6CF7A81B
Part of subcall function 6CF7A7F1: std::exception::exception.LIBCMT ref: 6CF7A82C

std::_Xinvalid_argument.LIBCPMT ref: 6CF67F26
std::_Xinvalid_argument.LIBCPMT ref: 6CF67F41
_memmove.LIBCMT ref: 6CF67FA5

Strings

invalid string position, xrefs: 6CF67F03
null, xrefs: 6CF67EF6
string too long, xrefs: 6CF67F21, 6CF67F3C

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$null$string too long
API String ID: 443534600-1829795388
Opcode ID: a006c55f80490a0e9d7a8464cc4eba3800e47f71cce6d136b71a3f3896e7bf70
Instruction ID: 844ed9155b0d402aa28b38f40549dfc729eaa60bc86758526f50a21d165b4519
Opcode Fuzzy Hash: a006c55f80490a0e9d7a8464cc4eba3800e47f71cce6d136b71a3f3896e7bf70
Instruction Fuzzy Hash: 52217E323042009BD725CE6DE890E2AB7E5AB95714B214A2FF4968BF81D761E845C7A1

Function 6CFEA4C0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 90COMMON

Download Yara Rule

Strings

nativebkcolor, xrefs: 6CFEA55E
normalimage, xrefs: 6CFEA4C9
disabledimage, xrefs: 6CFEA53B
hotimage, xrefs: 6CFEA4EF
focusedimage, xrefs: 6CFEA515

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID: disabledimage$focusedimage$hotimage$nativebkcolor$normalimage
API String ID: 0-2366741308
Opcode ID: 8c1192c757eb81ccb724b332944aed94fda73dc970eb320773b7ee155241f32a
Instruction ID: 91862dfe000c6b3279bd74481070448df1ff9238bb9739e4a6d53dd38cd5992b
Opcode Fuzzy Hash: 8c1192c757eb81ccb724b332944aed94fda73dc970eb320773b7ee155241f32a
Instruction Fuzzy Hash: EE315276E48208BBDB44DFA5DC80E9E7BB9AF48314F10C118F9199B644EB30EA04CB51

Function 6CF9E3E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SelectObject.GDI32(40750C45,000A0DE0), ref: 6CF9E418
GetTextMetricsW.GDI32(?,6D04B28C), ref: 6CF9E430
SelectObject.GDI32(?,?), ref: 6CF9E444
SelectObject.GDI32(40750C45,000090B9), ref: 6CF9E473
GetTextMetricsW.GDI32(40750C45,6CF9ECB5), ref: 6CF9E490
SelectObject.GDI32(40750C45,?), ref: 6CF9E4A4

Strings

, xrefs: 6CF9E407, 6CF9E44A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ObjectSelect$MetricsText
String ID:
API String ID: 3697559710-2974417871
Opcode ID: 0ce89019157fe6a9122ec5f23bd49abfa830fc19059c15b241558dbdeec8ea83
Instruction ID: 3a1169ca01258913cf421b659d977c34537b90141b1f35caf801316316de9b63
Opcode Fuzzy Hash: 0ce89019157fe6a9122ec5f23bd49abfa830fc19059c15b241558dbdeec8ea83
Instruction Fuzzy Hash: AC212975E01104EFDB04DBA8C898FAEB3B5FB88305F14C1A9E91997381D734AA45CF91

Function 6CF70940 Relevance: 12.1, APIs: 8, Instructions: 118stringCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF709AF
GlobalFree.KERNEL32 ref: 6CF709BB
lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF709F6
GlobalFree.KERNEL32 ref: 6CF70A03
lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF70A3F
GlobalFree.KERNEL32 ref: 6CF70A4C
GetClientRect.USER32(00000000,?), ref: 6CF70A97
InvalidateRect.USER32(00000000,00000001,00000001), ref: 6CF70AA5

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FreeGloballstrcpyn$Rect$ClientInvalidate
String ID:
API String ID: 4036540652-0
Opcode ID: 7a9d405de76073f2bb3616b5a2a7695ceb2f3e364a0e0b29d39e61cb75ddb2c0
Instruction ID: 2093cb814e89e6ae7dfbe4e8c19674110b39238bcc056cf2ea4b6c25e02e6993
Opcode Fuzzy Hash: 7a9d405de76073f2bb3616b5a2a7695ceb2f3e364a0e0b29d39e61cb75ddb2c0
Instruction Fuzzy Hash: 6041BA72901340DFDB25DF28E980F9BB7F8BF8A714F10891AE85587640DB71E944CBA1

Function 00403DF6 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403E10
GetSysColor.USER32(00000000), ref: 00403E2C
SetTextColor.GDI32(?,00000000), ref: 00403E38
SetBkMode.GDI32(?,?), ref: 00403E44
GetSysColor.USER32(?), ref: 00403E57
SetBkColor.GDI32(?,?), ref: 00403E67
DeleteObject.GDI32(?), ref: 00403E81
CreateBrushIndirect.GDI32(?), ref: 00403E8B

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94

Function 6D00EFC0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 381librarycomloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000), ref: 6D00F03F
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 6D00F05E
CoCreateInstance.COMBASE(?,00000000,00000017,6D0361F0,00000000), ref: 6D00F0CD

Strings

showactivex, xrefs: 6D00F364
DllGetClassObject, xrefs: 6D00F055
UIActiveX, xrefs: 6D00F336

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: AddressCreateInstanceLibraryLoadProc
String ID: DllGetClassObject$UIActiveX$showactivex
API String ID: 3919134875-1617538497
Opcode ID: 4136bcf3668e97fa6da682afd4cc046713982366145c82943486a45a3c8bee09
Instruction ID: 5113eb43602de3c510f77e227a7c689af087fe9f99ce196ef0602ec1e7f22c68
Opcode Fuzzy Hash: 4136bcf3668e97fa6da682afd4cc046713982366145c82943486a45a3c8bee09
Instruction Fuzzy Hash: 4D02E874A00609DFDB08CF98C894FAEBBB5FF88315F148269E515AB391C735A942CF94

Function 6CF96EA0 Relevance: 10.8, APIs: 7, Instructions: 339COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 6CF97040
RemoveFontMemResourceEx.GDI32(?,00000000,00000000,00000000,00000000,00000000), ref: 6CF9710A
DeleteDC.GDI32(00000000), ref: 6CF97128
DeleteDC.GDI32(00000000), ref: 6CF97144
DeleteObject.GDI32(00000000), ref: 6CF97160
DeleteObject.GDI32(00000000), ref: 6CF9717C
DeleteObject.GDI32(00000000), ref: 6CF971D7

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Delete$Object$FontRemoveResource
String ID:
API String ID: 1657001981-0
Opcode ID: 2831eefa517d983d9b958218a973cf006f2f07df8d4f69cbd778c69f6e90294f
Instruction ID: 5be5e09ac7483ed05185ac18f8a3dd7aafe526629418ed8cb0af06afd7c6ad04
Opcode Fuzzy Hash: 2831eefa517d983d9b958218a973cf006f2f07df8d4f69cbd778c69f6e90294f
Instruction Fuzzy Hash: 71F10C70E05248DBEF08DB98C9A4BEEB7B1EF8430CF244169D1066B781CB756E46CB95

Function 6D012AC0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

source='%d,%d,%d,%d' dest='%d,%d,%d,%d', xrefs: 6D012EA3
source, xrefs: 6D012C64

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID: source$source='%d,%d,%d,%d' dest='%d,%d,%d,%d'
API String ID: 0-1800100143
Opcode ID: a3bc263554a728433494731337da7deefedfb65a0c464da665d7cff6d4052171
Instruction ID: 78dac6f7e83f2828b664c246c28efb8f0a1d9cecd4e4f2138cd54b8b9615084c
Opcode Fuzzy Hash: a3bc263554a728433494731337da7deefedfb65a0c464da665d7cff6d4052171
Instruction Fuzzy Hash: BED125709052599FDB29CB98CD90BEEB3B5FB49304F5042E9D50AAB390DB706E84CF90

Function 6CFCE1D0 Relevance: 10.8, APIs: 7, Instructions: 262COMMON

Download Yara Rule

APIs

OffsetRect.USER32(00000000,?,00000000), ref: 6CFCE303
OffsetRect.USER32(00000000,00000000,?), ref: 6CFCE352
OffsetRect.USER32(00000000,?,?), ref: 6CFCE39F

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: ef7d93e1615edd272f323bad3f8624fa0611d7b3aebdb80b296ca6fc3f9ee7b7
Instruction ID: 25b2fa027c5b5fdad228a56e188b93646ba9068a3dcf3c050b60752cb4f050c4
Opcode Fuzzy Hash: ef7d93e1615edd272f323bad3f8624fa0611d7b3aebdb80b296ca6fc3f9ee7b7
Instruction Fuzzy Hash: B4C1C375E00209DFCB14CFA8C995AEEFBB1BF88304F248269D915AB355DB30A941CF90

Function 6CFC05E6 Relevance: 10.7, APIs: 7, Instructions: 248COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CFC173C
_memmove.LIBCMT ref: 6CFC1779
_memmove.LIBCMT ref: 6CFC17B0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 474e97de5e8f3dfd103972b36db357444f9c138b3c71fa8efbf2bb29466bbe56
Instruction ID: 82879cd9cdf8d6c5f41ce275eaa9d64ea9529ee4f8c0789de527435e02a14664
Opcode Fuzzy Hash: 474e97de5e8f3dfd103972b36db357444f9c138b3c71fa8efbf2bb29466bbe56
Instruction Fuzzy Hash: 7FB17FB5A041698BDB14CF25DC90BEEB7B1AF85304F1081D9E44ABB740DB30AE99CF90

Function 6CFC06C8 Relevance: 10.7, APIs: 7, Instructions: 244COMMON

Download Yara Rule

APIs

CharNextW.USER32(00000000,-00000001,00000000,00000000,00000000,-00000001), ref: 6CFC09E6
CharNextW.USER32(00000000,-00000001,00000000,00000000,00000000,-00000001), ref: 6CFC09F5
_memmove.LIBCMT ref: 6CFC173C
_memmove.LIBCMT ref: 6CFC1779
_memmove.LIBCMT ref: 6CFC17B0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memmove$CharNext
String ID:
API String ID: 135983253-0
Opcode ID: f8edf6d1e4c99712bce565ddcb68cbc9cff3e0b890f62d38c20ab01e75a6b0ad
Instruction ID: 863edfba1738b4ac4aa45eb1aac24714b4d44b8efdce3e9f901006c874375b82
Opcode Fuzzy Hash: f8edf6d1e4c99712bce565ddcb68cbc9cff3e0b890f62d38c20ab01e75a6b0ad
Instruction Fuzzy Hash: FBB16FB5E041699BDB14CF25DC90BEEB7B1AF85304F1081D9E44ABB640DB34AE99CF90

Function 6CFFAC70 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,00000064,00000000), ref: 6CFFAE4B
MulDiv.KERNEL32(?,00000064,00000000), ref: 6CFFAE79
MulDiv.KERNEL32(00000000,00000064,00000000), ref: 6CFFAEA4
MulDiv.KERNEL32(?,00000064,00000000), ref: 6CFFAECF

Part of subcall function 6CF8D450: _memset.LIBCMT ref: 6CF8D4A7
Part of subcall function 6CF8D450: _vswprintf_s.LIBCMT ref: 6CF8D4D7

Strings

dest='%d,%d,%d,%d', xrefs: 6CFFAF08
dest='%d,%d,%d,%d' source='%d,%d,%d,%d', xrefs: 6CFFAF40

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memset_vswprintf_s
String ID: dest='%d,%d,%d,%d'$dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
API String ID: 1381849029-1766977312
Opcode ID: 192dd72079752d40741c651ed52d0604b1f4cc3ad7384122b732572dcfaf50a7
Instruction ID: ed215d4fe7c2b09ffdde6c11aad389b889cc2d0358552edafe5663ad68f17176
Opcode Fuzzy Hash: 192dd72079752d40741c651ed52d0604b1f4cc3ad7384122b732572dcfaf50a7
Instruction Fuzzy Hash: 34B1B275A006199FDF08CFA8C994AEEB7B6BF8C304F148169D819BB355DB35A901CF60

Function 6D008990 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 6D008A42
LoadCursorW.USER32(00000000,00007F89), ref: 6D008A53
SetCursor.USER32(00000000), ref: 6D008A5A
PtInRect.USER32(?,?,?), ref: 6D008AC6
PtInRect.USER32(?,FFFFFFFF,00000000), ref: 6D008B4E

Strings

link, xrefs: 6D008AD8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Rect$Cursor$Load
String ID: link
API String ID: 1264107634-917281265
Opcode ID: 6ab8c7b2676cc97e5dcb7a9edce9f99c19bd162e1081c93a7cc4e8583b1e1b21
Instruction ID: 9b74f353083304eda1fa8670a2d7a53c9bc0d2be2260cd7f7cc459db45f61165
Opcode Fuzzy Hash: 6ab8c7b2676cc97e5dcb7a9edce9f99c19bd162e1081c93a7cc4e8583b1e1b21
Instruction Fuzzy Hash: 8571EE74A0410AEFFB04DF88C594BAEB7B2BF45305F648268E515AB791C770AE41CFA1

Function 6CF6C6A0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CF6C6E0
__wcsicoll.LIBCMT ref: 6CF6C7CA
__wcsicoll.LIBCMT ref: 6CF6C7E3

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

Strings

itemselect, xrefs: 6CF6C7D6
click, xrefs: 6CF6C6D3
textchanged, xrefs: 6CF6C7BD

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll$_free
String ID: click$itemselect$textchanged
API String ID: 209974405-2202503670
Opcode ID: a39bba4b4719e4ec70a9353d9e16c4d822c04cd307857fc339062e541abbdec3
Instruction ID: 38e7cd7e594ec7a0f4ae097c5c459b2fe284a8944f214370b4a461826a56e259
Opcode Fuzzy Hash: a39bba4b4719e4ec70a9353d9e16c4d822c04cd307857fc339062e541abbdec3
Instruction Fuzzy Hash: CE517F75A002089FDB14EB61C884FEAF3B8FF49314F108699D56957B81DB30AA45CBE0

Function 6D00E0F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122threadCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,6D00DD05), ref: 6D00E10E
GetGUIThreadInfo.USER32(00000000,00000030), ref: 6D00E192
ClientToScreen.USER32(00000000,?), ref: 6D00E1B6
ScreenToClient.USER32(00000000), ref: 6D00E1E1
PtInRect.USER32(?,?,?), ref: 6D00E1F3

Part of subcall function 6CFBD570: CreatePenIndirect.GDI32(?), ref: 6CFBD5C7
Part of subcall function 6CFBD570: SelectObject.GDI32(?,?), ref: 6CFBD5D8
Part of subcall function 6CFBD570: MoveToEx.GDI32(?,00000000,?,00000000), ref: 6CFBD602
Part of subcall function 6CFBD570: LineTo.GDI32(?,?,?), ref: 6CFBD61A
Part of subcall function 6CFBD570: SelectObject.GDI32(?,?), ref: 6CFBD628
Part of subcall function 6CFBD570: DeleteObject.GDI32(?), ref: 6CFBD632

Strings

0, xrefs: 6D00E185

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ClientObject$RectScreenSelect$CreateDeleteIndirectInfoLineMoveThread
String ID: 0
API String ID: 3254868366-4108050209
Opcode ID: 47dcdd26aa9176dbe0d979b36e5c7c92c4813059be11b18dc49f42c8f6b36ba8
Instruction ID: 289911584b92236edcc58c8c96c8d01cf9b9e88e099f2458550ca013aaed13b7
Opcode Fuzzy Hash: 47dcdd26aa9176dbe0d979b36e5c7c92c4813059be11b18dc49f42c8f6b36ba8
Instruction Fuzzy Hash: 6B5193B5E112089FDB18DF98C994F9DB7B6BF88300F208159E915AB395D730E942CFA0

Function 6CFD6C60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119comCOMMON

Download Yara Rule

APIs

OleDuplicateData.OLE32(?,0000003F,00000000), ref: 6CFD6CA5
OleDuplicateData.OLE32(?,00000000,00000000), ref: 6CFD6CC6
OleDuplicateData.OLE32(?,00000000,00000000), ref: 6CFD6CE7
OleDuplicateData.OLE32(?,00000000,00000000), ref: 6CFD6D05
OleDuplicateData.OLE32(?,00000000,00000000), ref: 6CFD6D23

Strings

?, xrefs: 6CFD6C7A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: DataDuplicate
String ID: ?
API String ID: 3352741105-1684325040
Opcode ID: 6a88c401dfb01664e245a6f4449440666ddbaaac4e9b98fd988777c5f95af444
Instruction ID: 03cce967916e5c197242931ac08f77f207e68f6b8e214f774e2a9d9db23a853b
Opcode Fuzzy Hash: 6a88c401dfb01664e245a6f4449440666ddbaaac4e9b98fd988777c5f95af444
Instruction Fuzzy Hash: A3518078600209EFCB04CF54D594A6ABBB6FF8A310F25C599FC598B355D731E982CB90

Function 6CF71DE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF8C980: _free.LIBCMT ref: 6CF8C99A

lstrcpynW.KERNEL32(?,?,00000080,?), ref: 6CF71E9F
GlobalFree.KERNEL32 ref: 6CF71EAC
wsprintfW.USER32 ref: 6CF71EFC
GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF71F1A
lstrcpynW.KERNEL32(00000004,?,00002004), ref: 6CF71F31

Strings

logo.ico, xrefs: 6CF71E0D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Globallstrcpyn$AllocFree_freewsprintf
String ID: logo.ico
API String ID: 1028138156-87942624
Opcode ID: 4d5d9a81430c432f8030d864616a63194024cfa0e8e58b2800374860ec386f2f
Instruction ID: c081a5184512f84731e58d05f173bfd2b4989d240ef36706cc9cd82ac899d034
Opcode Fuzzy Hash: 4d5d9a81430c432f8030d864616a63194024cfa0e8e58b2800374860ec386f2f
Instruction Fuzzy Hash: CE415A75601208DFDB14EF64C990FEEB7B9FB99304F104599E90997790EB70A988CBA0

Function 6CFC7D80 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,?), ref: 6CFC7DBC
SetCursor.USER32(00000000,?,6CFCB863,?), ref: 6CFC7DC3
LoadCursorW.USER32(00000000,00007F00), ref: 6CFC7DD2
SetCursor.USER32(00000000,?,6CFCB863,?), ref: 6CFC7DD9

Strings

timer, xrefs: 6CFC7E3A
menu, xrefs: 6CFC7E7F

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Cursor$Load
String ID: menu$timer
API String ID: 1675784387-2593718399
Opcode ID: 151bb494f3861f2785e3dcbaa6ee67c4f811020e5d0e79e1f01cc2f105a9cdb2
Instruction ID: d17bc278eca2857387686ac47b05f917da2fd51d253043351fa0e0a0afa5c1a7
Opcode Fuzzy Hash: 151bb494f3861f2785e3dcbaa6ee67c4f811020e5d0e79e1f01cc2f105a9cdb2
Instruction Fuzzy Hash: 8A410835704105EFDB08CF98C990FAEB7B6BF8A304F644199E9099B791C731AE41DB91

Function 6CFDEA00 Relevance: 10.6, APIs: 7, Instructions: 105COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000), ref: 6CFDEA1D
CreateDirectoryW.KERNEL32(00000000,00000000), ref: 6CFDEA2E
_memmove.LIBCMT ref: 6CFDEABC
_wcscpy.LIBCMT ref: 6CFDEB12
_wcscat.LIBCMT ref: 6CFDEB25
GetFileAttributesW.KERNEL32(?), ref: 6CFDEB34
CreateDirectoryW.KERNEL32(?,00000000), ref: 6CFDEB48

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: AttributesCreateDirectoryFile$_memmove_wcscat_wcscpy
String ID:
API String ID: 2338554099-0
Opcode ID: 1c19844620437a9fd7c786082129c7871277636a168854b53bb07bdabf4d4baf
Instruction ID: dd938782a7d3482c1d343b2f45d982fac08173eb80e3d57483f517a17f58fefa
Opcode Fuzzy Hash: 1c19844620437a9fd7c786082129c7871277636a168854b53bb07bdabf4d4baf
Instruction Fuzzy Hash: 6D416DB1D0011CEBCB18CF64D884AEDB7B5BF99314F5486D9E9199B680DB30AB84CF90

Function 6CF76DA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF76DB2

Part of subcall function 6CF7A7F1: std::exception::exception.LIBCMT ref: 6CF7A806
Part of subcall function 6CF7A7F1: __CxxThrowException@8.LIBCMT ref: 6CF7A81B
Part of subcall function 6CF7A7F1: std::exception::exception.LIBCMT ref: 6CF7A82C

std::_Xinvalid_argument.LIBCPMT ref: 6CF76DC8
std::_Xinvalid_argument.LIBCPMT ref: 6CF76DE3
_memmove.LIBCMT ref: 6CF76E47

Strings

invalid string position, xrefs: 6CF76DAD
string too long, xrefs: 6CF76DC3, 6CF76DDE

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 0bf71d3d6722a080aa535bd6c0e10ec8180165a6661a0eb8dc5cc259704d4cc7
Instruction ID: d5b91e56e577a394a233f9beeca7bf11b84f54b34e78c3ef00cb89934f88c261
Opcode Fuzzy Hash: 0bf71d3d6722a080aa535bd6c0e10ec8180165a6661a0eb8dc5cc259704d4cc7
Instruction Fuzzy Hash: FD21F4323001015BD7259F6DF8D0BAABBA6BF91269B64061BF515CBF81C721E894C3B5

Function 6CFB8EF0 Relevance: 10.6, APIs: 7, Instructions: 80COMMON

Download Yara Rule

APIs

GetClipBox.GDI32(6CFC9EE5,00000000), ref: 6CFB8F1A
CreateRectRgnIndirect.GDI32(00000000), ref: 6CFB8F24
CreateRectRgnIndirect.GDI32(?), ref: 6CFB8F34
CreateRoundRectRgn.GDI32(?,?,?,?,?,?), ref: 6CFB8F5E
CombineRgn.GDI32(?,?,?,00000001), ref: 6CFB8F7B
ExtSelectClipRgn.GDI32(6CFC9EE5,?,00000001), ref: 6CFB8F8E
DeleteObject.GDI32(?), ref: 6CFB8FBB

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CreateRect$ClipIndirect$CombineDeleteObjectRoundSelect
String ID:
API String ID: 2381484079-0
Opcode ID: a9ba6cf34c85f65dc44863694384809c2f104038ef8777261299c7fde3605c81
Instruction ID: 25eda804341aae549eb505695fe5fa55350d19b8d8be77426bc418aefb19447a
Opcode Fuzzy Hash: a9ba6cf34c85f65dc44863694384809c2f104038ef8777261299c7fde3605c81
Instruction Fuzzy Hash: 253182B5A01208EFCB44DF98C994EAE7BF5BF8C304B209159FA0997341D734E945CBA0

Function 00404F9E Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00445D80,00428BB1,74DF23A0,00000000), ref: 00404FD6
lstrlenW.KERNEL32(004034E5,00445D80,00428BB1,74DF23A0,00000000), ref: 00404FE6
lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00428BB1,74DF23A0,00000000), ref: 00404FF9
SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00428BB1,74DF23A0,00000000), ref: 00406902

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00428BB1,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00428BB1,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00428BB1,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: success ("%s"), xrefs: 00402263
Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: b07d39edd45b6d2841688a986433f0381924528bdc22dd5a03576e07f79a18b6
Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
Opcode Fuzzy Hash: b07d39edd45b6d2841688a986433f0381924528bdc22dd5a03576e07f79a18b6
Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D

Function 6CF784B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CF784C0

Part of subcall function 6CF7B751: RtlFreeHeap.NTDLL(00000000,00000000,?,6CF81320,00000000), ref: 6CF7B767
Part of subcall function 6CF7B751: GetLastError.KERNEL32(00000000), ref: 6CF7B779

std::exception::exception.LIBCMT ref: 6CF784E0
__CxxThrowException@8.LIBCMT ref: 6CF784F5
_malloc.LIBCMT ref: 6CF78511
_memmove.LIBCMT ref: 6CF7852B

Strings

Comments must start with /, xrefs: 6CF784D2

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ErrorException@8FreeHeapLastThrow_free_malloc_memmovestd::exception::exception
String ID: Comments must start with /
API String ID: 3800161811-656592030
Opcode ID: 9312605a7a7d15e5fb2eb3d27fef34dbd61caa43aa7a48ab2c3e5ebd9473b673
Instruction ID: ade33099ec66f4dbe1a8675c2203682850ef96aa2ecf868f121694ae7eb6c48b
Opcode Fuzzy Hash: 9312605a7a7d15e5fb2eb3d27fef34dbd61caa43aa7a48ab2c3e5ebd9473b673
Instruction Fuzzy Hash: 5D110471800215ABDB21DF69E844FDB7BB89F42258B148267E845AF600E770E619CBF1

Function 6CF70100 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CFA21E0: LoadLibraryW.KERNEL32(Shcore.dll,?,6CF7011B,00000002), ref: 6CFA21FE
Part of subcall function 6CFA21E0: GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6CFA2216

LoadLibraryA.KERNEL32(user32.dll,?,00000002), ref: 6CF7012C
GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 6CF7013E
FreeLibrary.KERNEL32(00000000,?,00000002), ref: 6CF7014B

Strings

SetProcessDPIAware, xrefs: 6CF70138
user32.dll, xrefs: 6CF70127

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Library$AddressLoadProc$Free
String ID: SetProcessDPIAware$user32.dll
API String ID: 1413238409-1137607222
Opcode ID: 3b687c12ba8d36797486a877c003045770cc7cc7fb6099d77d634c86485e4399
Instruction ID: 10d3c7ed29e351ad28c3c1d6a68b98971b5524b5496d9b621ef8561eff1092fd
Opcode Fuzzy Hash: 3b687c12ba8d36797486a877c003045770cc7cc7fb6099d77d634c86485e4399
Instruction Fuzzy Hash: F4F0A932B0611457DA10576DBC09BFEB3ADCFC5126F1502A7FC0DD2740DF91891685E1

Function 6D000B90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6D000BA2
__wcsicoll.LIBCMT ref: 6D000BBC

Strings

IListOwner, xrefs: 6D000BE8
IList, xrefs: 6D000BB3
List, xrefs: 6D000B99

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: IList$IListOwner$List
API String ID: 3832890014-3096783137
Opcode ID: df73d55f3cbb0cf7fcf2475e929d996f4487f76b50a2702434f8d59c83b129dd
Instruction ID: a3b24723f1f613da0697349e4d3a7c1a804325292fa5f09a65edaa4b881af027
Opcode Fuzzy Hash: df73d55f3cbb0cf7fcf2475e929d996f4487f76b50a2702434f8d59c83b129dd
Instruction Fuzzy Hash: 47112AB4D0810DFBFB04CF96D954BEEB7B4AB46309F1084A9D8046B680E735AB54CB90

Function 0040487A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
GetMessagePos.USER32 ref: 0040489D
ScreenToClient.USER32(?,?), ref: 004048B5
SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED

Strings

f, xrefs: 004048C9

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4

Function 6CFF28F0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFF2900
__wcsicoll.LIBCMT ref: 6CFF292C
__wcsicoll.LIBCMT ref: 6CFF2941

Part of subcall function 6D018646: __fassign.LIBCMT ref: 6D01863C

Strings

sepimm, xrefs: 6CFF2923
sepheight, xrefs: 6CFF28F7
true, xrefs: 6CFF2938

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll$__fassign
String ID: sepheight$sepimm$true
API String ID: 2467191783-591816474
Opcode ID: ffae46b786f3ae6388a8f9b1c12cd373aa147b8ae10878582d237162411bbc33
Instruction ID: 4151ec7f67773768280c21ec375704c9b99fd5b03db40632ba5fdbd2c5fcd892
Opcode Fuzzy Hash: ffae46b786f3ae6388a8f9b1c12cd373aa147b8ae10878582d237162411bbc33
Instruction Fuzzy Hash: CC01FDB2A04108B7DB04DBA4EC49DEF77B8AF49204F008119B81887750EB32EE04D7A6

Function 6D012770 Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 47stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,showtime), ref: 6D012780
lstrcmpiW.KERNEL32(?,true), ref: 6D012793
lstrcmpiW.KERNEL32(?,readonly), ref: 6D0127B5
lstrcmpiW.KERNEL32(?,true), ref: 6D0127C8

Strings

showtime, xrefs: 6D012777
readonly, xrefs: 6D0127AC
true, xrefs: 6D01278A, 6D0127BF

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: lstrcmpi
String ID: readonly$showtime$true
API String ID: 1586166983-2494685488
Opcode ID: 0813e8e7d76695150cb54d4ced02f7e6849fc129e70299e7271211e102fa8390
Instruction ID: 0184f57d00f5789085fe7b4d0de2073502e150925db6bc1b171daf64f7bddec5
Opcode Fuzzy Hash: 0813e8e7d76695150cb54d4ced02f7e6849fc129e70299e7271211e102fa8390
Instruction Fuzzy Hash: 67018F75A19108BBAB14DFB5DE85FAF77B9BF86340B208158F909C7250DB34DA04D7A0

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(02D51ED6,00000064,02D51EDA), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 6e71b36604eb8168b9de070626c23bed7d900371b4c5136878c27d07ffa20f21
Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
Opcode Fuzzy Hash: 6e71b36604eb8168b9de070626c23bed7d900371b4c5136878c27d07ffa20f21
Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58

Function 6CF7EFF7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CF7F018

Part of subcall function 6CF8132F: __getptd_noexit.LIBCMT ref: 6CF81332
Part of subcall function 6CF8132F: __amsg_exit.LIBCMT ref: 6CF8133F

__getptd.LIBCMT ref: 6CF7F029
__getptd.LIBCMT ref: 6CF7F037

Strings

RCC, xrefs: 6CF7F003
csm, xrefs: 6CF7F011
MOC, xrefs: 6CF7F00A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$RCC$csm
API String ID: 803148776-2671469338
Opcode ID: ecc59315e9d46fd33402cfd58b4de6f82dcd8e458b7157c143ed673569efd570
Instruction ID: 3459ba579ab1687c7d6dae4e4df265b18517bad35c23853465919ba0112899cf
Opcode Fuzzy Hash: ecc59315e9d46fd33402cfd58b4de6f82dcd8e458b7157c143ed673569efd570
Instruction Fuzzy Hash: 91E09A306012088EC320AB78D049BA837E9BB4930DF6996E6D51CCBB22C728E4849963

Function 6D025C70 Relevance: 9.1, APIs: 6, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6D025CB2
__CxxThrowException@8.LIBCMT ref: 6D025CC7

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: aa9a8f3a43c5978e449e0e4e3c43db1b1d4cb283d06bd1c9918d01fd953f620d
Instruction ID: 552e660ab6078d0d44158a1a147d76db4ad614b7c785b82576feab28fee06f66
Opcode Fuzzy Hash: aa9a8f3a43c5978e449e0e4e3c43db1b1d4cb283d06bd1c9918d01fd953f620d
Instruction Fuzzy Hash: 3341D3B1D02209DFDB54EFE9D944FEEBBB4AB15300F44456AD81887742E730A658CBA2

Function 6CFAE5D0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 362COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CFAE6F9

Part of subcall function 6CFADC70: _memset.LIBCMT ref: 6CFADC92
Part of subcall function 6CFADC70: _memset.LIBCMT ref: 6CFADCA5

Strings

bad codelengths, xrefs: 6CFAE88A, 6CFAEAB4

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memset
String ID: bad codelengths
API String ID: 2102423945-697342978
Opcode ID: aa2f24aa11aa97b6f7d4a88d76cc73a289a1dcce7600cdbab700a2d5a7b7a7ab
Instruction ID: fca58248ba4bc752aa51067257e014ce17a3398a27b39a97c22c5bbdd7c38b35
Opcode Fuzzy Hash: aa2f24aa11aa97b6f7d4a88d76cc73a289a1dcce7600cdbab700a2d5a7b7a7ab
Instruction Fuzzy Hash: EBF1FA75A01259DFDB54CF58C880ADDBBB1BB88354F1482A9E80D9B746D731EE92CF80

Function 6D006990 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 325COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 6D006A8E
PtInRect.USER32(?,?,?), ref: 6D006CE3
LoadCursorW.USER32(00000000,00007F84), ref: 6D006CF4
SetCursor.USER32(00000000), ref: 6D006CFB

Part of subcall function 6CFC7AD0: IntersectRect.USER32(?,?,?), ref: 6CFC7B83

Strings

headerclick, xrefs: 6D006AF0

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Rect$Cursor$IntersectLoad
String ID: headerclick
API String ID: 2196809944-1247266998
Opcode ID: 3360027cf324e2a695450769901eebd67b8353525a078d57aa2ee9954e8cc060
Instruction ID: ff7b6f8a4168e6a96f41dd1717b97c8e214d39bccf809a6107acf00f4f0c1575
Opcode Fuzzy Hash: 3360027cf324e2a695450769901eebd67b8353525a078d57aa2ee9954e8cc060
Instruction Fuzzy Hash: 13E1D874A05209EFEB08DF98D590AADBBB2FF89314F548169E405AF755CB31AD81CF80

Function 6CF80985 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CF80991

Part of subcall function 6CF8132F: __getptd_noexit.LIBCMT ref: 6CF81332
Part of subcall function 6CF8132F: __amsg_exit.LIBCMT ref: 6CF8133F

__amsg_exit.LIBCMT ref: 6CF809B1
__lock.LIBCMT ref: 6CF809C1
InterlockedDecrement.KERNEL32(?), ref: 6CF809DE
_free.LIBCMT ref: 6CF809F1
InterlockedIncrement.KERNEL32(02CF1658), ref: 6CF80A09

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: ddf428729fa9a0e9998d54c79238122497e9bb373a0294ee91315dcc404fc215
Instruction ID: 54d4468ac3da7b32e55ee6f1ccaa483830efda27e8e12955a8c77c5cc2852cf0
Opcode Fuzzy Hash: ddf428729fa9a0e9998d54c79238122497e9bb373a0294ee91315dcc404fc215
Instruction Fuzzy Hash: A7019632D43A65DBEF21AF158444B9DB770BF41728F614115E850A7F80CB74A985CBD1

Function 6CF6E550 Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(000000FF), ref: 6CF6E565
SelectObject.GDI32(00000000,00000000), ref: 6CF6E577
Rectangle.GDI32(00000000,?,?,?,?), ref: 6CF6E58D
SetTextColor.GDI32(00000000,00FFFFFF), ref: 6CF6E599
SetBkMode.GDI32(00000000,00000001), ref: 6CF6E5A2
TextOutW.GDI32(00000000,-00000003,?,00000000,00000000), ref: 6CF6E5C6

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Text$BrushColorCreateModeObjectRectangleSelectSolid
String ID:
API String ID: 3754304910-0
Opcode ID: 0d6c0df7b546a29bf73f72bf6d8f32ba198da1eb024be54875d0f996fc6ca7a5
Instruction ID: c4a025c4d80f42a4be356833029084718c42ab53ec8ebed67b4cc2aa388f7392
Opcode Fuzzy Hash: 0d6c0df7b546a29bf73f72bf6d8f32ba198da1eb024be54875d0f996fc6ca7a5
Instruction Fuzzy Hash: 1901FF74541204EFDB14DB24CDC9F7F77B9EF8AB00B10855DFA4AD2684D77498498B21

Function 6CFB4D90 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 6CFA4680: _malloc.LIBCMT ref: 6CFA4687

_memset.LIBCMT ref: 6CFB4F2A
_free.LIBCMT ref: 6CFB4F56

Part of subcall function 6CF7B751: RtlFreeHeap.NTDLL(00000000,00000000,?,6CF81320,00000000), ref: 6CF7B767
Part of subcall function 6CF7B751: GetLastError.KERNEL32(00000000), ref: 6CF7B779

Strings

too large, xrefs: 6CFB4EC3
\, xrefs: 6CFB4DA8
bad file, xrefs: 6CFB4E9C

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ErrorFreeHeapLast_free_malloc_memset
String ID: \$bad file$too large
API String ID: 639621159-1129545092
Opcode ID: 808f6470ea9ab12c2b7623a5e65935fb94a18a971e118f8f3d54347d079ec623
Instruction ID: b72038b22048faed44c17bc9f6cee54844350c36493532903935908d5a77975c
Opcode Fuzzy Hash: 808f6470ea9ab12c2b7623a5e65935fb94a18a971e118f8f3d54347d079ec623
Instruction Fuzzy Hash: F46142B5A00209EFDB04DF98D980BEE7BB5BF49308F148168E8099B741D735EA85CB91

Function 6CF66B30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF66BA4
std::_Xinvalid_argument.LIBCPMT ref: 6CF66BBF
_memmove.LIBCMT ref: 6CF66C15

Part of subcall function 6CF67EF0: std::_Xinvalid_argument.LIBCPMT ref: 6CF67F08
Part of subcall function 6CF67EF0: std::_Xinvalid_argument.LIBCPMT ref: 6CF67F26
Part of subcall function 6CF67EF0: std::_Xinvalid_argument.LIBCPMT ref: 6CF67F41
Part of subcall function 6CF67EF0: _memmove.LIBCMT ref: 6CF67FA5

Strings

null, xrefs: 6CF66B6F, 6CF66B83, 6CF66C13
string too long, xrefs: 6CF66B9F, 6CF66BBA

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: null$string too long
API String ID: 2168136238-3995189588
Opcode ID: eaadd801780c5e5e7361eeba3eebd2d6d2eb38811d25851632bdfffd2db4a5f8
Instruction ID: aefb62e0f22f6bb77a3b3539043b975719a6cc7987813153abb2540f87cdfe23
Opcode Fuzzy Hash: eaadd801780c5e5e7361eeba3eebd2d6d2eb38811d25851632bdfffd2db4a5f8
Instruction Fuzzy Hash: F831E4723016109BE720CE6EE890A9FF3E9EF91368720462FF156CBE41C772984083A1

Function 00406064 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
CharNextW.USER32(?,?,?,00000000), ref: 004060D6
CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF

Strings

*?|<>/":, xrefs: 004060B6

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD

Function 6CF90C70 Relevance: 7.9, APIs: 5, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5a228d3e41a3945fc06308282805203889a7ffb8b427ecc5820832f5948f35
Instruction ID: ff9fcf115100764549f25132d41cd599f966643f4afb0e7d8feb2fd6e5927257
Opcode Fuzzy Hash: bb5a228d3e41a3945fc06308282805203889a7ffb8b427ecc5820832f5948f35
Instruction Fuzzy Hash: 5BF10D74A04259DFDB04CF99C890A9EB7B6FF89304F248169E8059FBA5C772AD45CF80

Function 6CFF0A30 Relevance: 7.7, APIs: 5, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 6CFF0A47
SetStretchBltMode.GDI32(?,00000004), ref: 6CFF0A56
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000001,00000168,000000C8,00CC0020), ref: 6CFF0AAE
StretchBlt.GDI32(?,?,?,?,?,?,00000000,000000D2,000000C8,?,00CC0020), ref: 6CFF0B17
RestoreDC.GDI32(?,?), ref: 6CFF0C76

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Stretch$ModeRestoreSave
String ID:
API String ID: 1863604132-0
Opcode ID: 5d81c407f646ab8e41ad4791f0bb38f67f9747ac1e4edb0810d6938ce9c8de5a
Instruction ID: a7d3ab13ae875669f09440a462c154f6ae3c0df055850f47b65b4a098259226b
Opcode Fuzzy Hash: 5d81c407f646ab8e41ad4791f0bb38f67f9747ac1e4edb0810d6938ce9c8de5a
Instruction Fuzzy Hash: 0081DDB5A00505DFDB08CF98C894FEFB7B5BB88301F148269E915AB385DA35A806CF64

Function 6CF70720 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 149memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF62410: OutputDebugStringW.KERNELBASE(00000000), ref: 6CF624B7

GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF7081A
lstrcpynW.KERNEL32(00000004,?,00002004), ref: 6CF70830
GlobalAlloc.KERNEL32(00000040,0000200C), ref: 6CF7084A
lstrcpynW.KERNEL32(00000004,ui_properties,00002004), ref: 6CF7085E

Strings

ui_properties, xrefs: 6CF70855

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: AllocGloballstrcpyn$DebugOutputString
String ID: ui_properties
API String ID: 3644820488-2455482335
Opcode ID: 005b58aa8aaf45d3b0eca4f9a301b012371451f442bf3aa279f420987586c61f
Instruction ID: 24fccf1222c40ef902673153a9f5881077290b0e2bd0c6805227ddb43ab4ddd6
Opcode Fuzzy Hash: 005b58aa8aaf45d3b0eca4f9a301b012371451f442bf3aa279f420987586c61f
Instruction Fuzzy Hash: B95136B1508380DFD320DF68C880B5BBBF9BBC9714F104A2EE59987751D774A848CBA2

Function 6CFE8ED0 Relevance: 7.6, APIs: 5, Instructions: 148COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 6CFE8FA8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: fe0822d134302824ff3233bf7cf4024f226aff926cef9f095174179fc377a4f3
Instruction ID: 50e2bf463bfd6ad857ab08bd2c4a8d1c7a0e5c21ab64515dee8afb6869e93736
Opcode Fuzzy Hash: fe0822d134302824ff3233bf7cf4024f226aff926cef9f095174179fc377a4f3
Instruction Fuzzy Hash: CB610C74A003189FDB98DF18C890B99B7B6FF88314F1086D9E5199B791CB31AE85CF91

Function 6D0143D0 Relevance: 7.6, APIs: 5, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 6CFCA8D0: _memset.LIBCMT ref: 6CFCA9DF

_Smanip.LIBCPMTD ref: 6D014535
_memset.LIBCMT ref: 6D01455C
_memset.LIBCMT ref: 6D014571
_memset.LIBCMT ref: 6D014641
_memset.LIBCMT ref: 6D01465A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memset$Smanip
String ID:
API String ID: 343480837-0
Opcode ID: eb3f940afbf20ce479a9f405a5a18e45f679d55363f6ffacc7b80b93fbbcad05
Instruction ID: d40245a0b4415ff80c3ddeeccd29e8b798b6caaa5c5f504cc3a47a11a17dd868
Opcode Fuzzy Hash: eb3f940afbf20ce479a9f405a5a18e45f679d55363f6ffacc7b80b93fbbcad05
Instruction Fuzzy Hash: C0711CB4E0124ADFEB04DF98C494BAFB771AF45308F1482A9D9652B7C2C77A6406CF91

Function 6CFCEDE0 Relevance: 7.6, APIs: 5, Instructions: 125COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 6CFCEE48
CharNextW.USER32(6CFA1E42,?,?,?,?,6CFCEDC8,?,?,6CFA1E42,?,?,?,00000000), ref: 6CFCEE8B
_wcslen.LIBCMT ref: 6CFCEEB7
CharNextW.USER32(6CFA1E42,?,?,?,6CFCEDC8,?,?,6CFA1E42,?,?,?,00000000), ref: 6CFCEEEE
_wcslen.LIBCMT ref: 6CFCEF4A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _wcslen$CharNext
String ID:
API String ID: 110608216-0
Opcode ID: 7c2d5bce05c20c2be5e3b09a1b4d0912324735b641d45aaf0460e6d5fcb0675c
Instruction ID: a53a45d73dfdfa5529bc8321a645bbf192f38729412efcc15c098cd78648660d
Opcode Fuzzy Hash: 7c2d5bce05c20c2be5e3b09a1b4d0912324735b641d45aaf0460e6d5fcb0675c
Instruction Fuzzy Hash: 9151D9B5B0010ADFCB04CF98C2858AEB7B2FF89304F258199D845AB755DB31AE41DBA1

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
Opcode Fuzzy Hash: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29

Function 6CFA2650 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CFA26AC
VerSetConditionMask.NTDLL(00000000,00000000,00000002,00000003), ref: 6CFA26D5
VerSetConditionMask.NTDLL(00000000), ref: 6CFA26DD
VerSetConditionMask.NTDLL(00000000), ref: 6CFA26E5
VerifyVersionInfoW.KERNEL32(0000011C,00000023,?,6CFA21F5), ref: 6CFA271E

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion_memset
String ID:
API String ID: 3299124433-0
Opcode ID: 21e82d46449f7164485e61f90a04f63a4990b69f39b7de8d17fadebe8f1fcf16
Instruction ID: 0581b0dc706ecb9b86d67283669c9b48bc4be333abc6e05391591f5d250ff1d8
Opcode Fuzzy Hash: 21e82d46449f7164485e61f90a04f63a4990b69f39b7de8d17fadebe8f1fcf16
Instruction Fuzzy Hash: FA21EAB1E51218AADB64DFA5CC16BEEB7B4AF48700F508499E609AA280E7744A44CF94

Function 6CFBAA40 Relevance: 7.6, APIs: 5, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000000,6CFBA9C3,?,?,?,?,6CFBA9C3,00000000,00000000), ref: 6CFBAA4C
GlobalLock.KERNEL32(00000000), ref: 6CFBAA59
_memmove.LIBCMT ref: 6CFBAA6E
CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 6CFBAA87
GlobalUnlock.KERNEL32(00000000), ref: 6CFBAACF

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Global$AllocCreateLockStreamUnlock_memmove
String ID:
API String ID: 1569918835-0
Opcode ID: e89fa3bcd17fc6296a15dcdb2675852ad2402b06d66c575adffbf4defe8fa000
Instruction ID: fdb910281cf984b90f905fd7aefbc4de8549c656f67bc901fa777c1ba8cbd04f
Opcode Fuzzy Hash: e89fa3bcd17fc6296a15dcdb2675852ad2402b06d66c575adffbf4defe8fa000
Instruction Fuzzy Hash: CD11EA75E00209EFCB04DFA4C844BAEB7B8FF48304F108559E919A7340D7359A45CF51

Function 6CF6E5D0 Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

MoveToEx.GDI32(00000000,?,?,6D049BF8), ref: 6CF6E605
LineTo.GDI32(00000000,?,?), ref: 6CF6E617
LineTo.GDI32(00000000,?,?), ref: 6CF6E61F
LineTo.GDI32(00000000,?,?), ref: 6CF6E627
LineTo.GDI32(00000000,?,?), ref: 6CF6E62F

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Line$Move
String ID:
API String ID: 3367123170-0
Opcode ID: a5b36daa4c49e24ff4c6e1dc0f0651dbbecabc77b1d8c7189f81364340a35a1d
Instruction ID: 6ed7a62ed57c81dcc006f0a4efbe7a78f4cec0d2080012c43443f5cc621d37f7
Opcode Fuzzy Hash: a5b36daa4c49e24ff4c6e1dc0f0651dbbecabc77b1d8c7189f81364340a35a1d
Instruction Fuzzy Hash: AF01D376901118AF8B05DF8ACCC4CBFFBBCFF89220B558159EA08A7211D630AD018BF5

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: fbfd7a6a6085d398f7947defe9e72fce66e027f12e5118b4d0e8a3d4981e6075
Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
Opcode Fuzzy Hash: fbfd7a6a6085d398f7947defe9e72fce66e027f12e5118b4d0e8a3d4981e6075
Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28

Function 6CF76F30 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 492COMMON

Download Yara Rule

APIs

Part of subcall function 6CF61850: std::_Lockit::_Lockit.LIBCPMT ref: 6CF61861

Part of subcall function 6CF77F70: std::_Lockit::_Lockit.LIBCPMT ref: 6CF77F9C
Part of subcall function 6CF77F70: std::_Lockit::_Lockit.LIBCPMT ref: 6CF77FBF

std::_Lockit::_Lockit.LIBCPMT ref: 6CF76FB8
_localeconv.LIBCMT ref: 6CF7702E
_strcspn.LIBCMT ref: 6CF7714A

Strings

e, xrefs: 6CF77041

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: LockitLockit::_std::_$_localeconv_strcspn
String ID: e
API String ID: 331173946-4024072794
Opcode ID: 18f40f194ea8bfbe5b6132b42b20870b99c6281bafb72dadfbe3e14560f39c63
Instruction ID: 7da293fb3d1ef8f910b4e2935119d3d473e6cb2e53d209da8022010dadd84762
Opcode Fuzzy Hash: 18f40f194ea8bfbe5b6132b42b20870b99c6281bafb72dadfbe3e14560f39c63
Instruction Fuzzy Hash: 94124B75E102488FDB15CFA8D980ADEBBB5EF4C304F15826AE819AB751D730AD05CFA0

Function 6CFE49E0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 6CF8C420: _malloc.LIBCMT ref: 6CF8C450

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

Part of subcall function 6CFF4750: _memset.LIBCMT ref: 6CFF47C1

__wcsicoll.LIBCMT ref: 6CFE4D2F

Strings

left, xrefs: 6CFE4C92
TreeNodeUI, xrefs: 6CFE4D1C
align, xrefs: 6CFE4C97

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _malloc$__wcsicoll_memset
String ID: TreeNodeUI$align$left
API String ID: 2308959471-55002490
Opcode ID: f1b4e85378db6183a1bb90849131a59bc62cebade467a93d2ed8e81af2d11291
Instruction ID: aa19dc661b7afc79296b6cd521d3d591702fd7e6f50da2d7d25e276e5fc0f8f1
Opcode Fuzzy Hash: f1b4e85378db6183a1bb90849131a59bc62cebade467a93d2ed8e81af2d11291
Instruction Fuzzy Hash: D5F1B874E01109DFDB08CF94D594BAEF7B2FF88304F148269E919AB7A1CB366945CB90

Function 6CF97D60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 219keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 6CF97F32
GetTickCount.KERNEL32 ref: 6CF98027

Strings

WkeWebkitUI, xrefs: 6CF97EFE
RichEditUI, xrefs: 6CF97E65

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CountStateTick
String ID: RichEditUI$WkeWebkitUI
API String ID: 2629120050-4103725270
Opcode ID: 24d551acdd83a9fb6863e4f6d5e79b091d7270d4ea41ad54ec2e2225050e88ef
Instruction ID: 61814161108cc4796234617423ca48fbbee267d340e208358a4347021a1f416d
Opcode Fuzzy Hash: 24d551acdd83a9fb6863e4f6d5e79b091d7270d4ea41ad54ec2e2225050e88ef
Instruction Fuzzy Hash: B8A12D74A01205DFDF08CF95D490AEEB7B1FF89304F14826AE859AB761DB71A981CF90

Function 6CFADC70 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CFADC92
_memset.LIBCMT ref: 6CFADCA5

Strings

bad sizes, xrefs: 6CFADD18
bad codelengths, xrefs: 6CFADDAB

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memset
String ID: bad codelengths$bad sizes
API String ID: 2102423945-2666559174
Opcode ID: e51ed98144e9a11ebf1466190d1976638b3b705680335c2bfcdbb3a8b638a81e
Instruction ID: ac93d84b5f2c96d5e43ff3694653c33b1526552cbacb852bc2140151ad44b4b3
Opcode Fuzzy Hash: e51ed98144e9a11ebf1466190d1976638b3b705680335c2bfcdbb3a8b638a81e
Instruction Fuzzy Hash: 3DA12774A00258CFDB14CF88C990BDDB7B2FF89304F1481A8D95AAB749D774AA99CF41

Function 6CF76920 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6CF76AE7

Strings

$, xrefs: 6CF76978
+, xrefs: 6CF76A7B
%, xrefs: 6CF76A6D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: b73b6cfec274752b59046f24017120ea6a816d69a34458135a7be2241708a4e8
Instruction ID: c0ec827b42b05813bdc472bd2a7f04e51d5db1105dfd4cb815478c3e84722571
Opcode Fuzzy Hash: b73b6cfec274752b59046f24017120ea6a816d69a34458135a7be2241708a4e8
Instruction Fuzzy Hash: A6519C73A493005AEB299F18E5807CB7BF5AB46740F149A5FF880D3791E725C84887E2

Function 6D018A4D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6D018ADD

Part of subcall function 6D01BED0: __87except.LIBCMT ref: 6D01BF0B

Strings

pow, xrefs: 6D018AB5, 6D018AD2

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 032e842fed3110766de197a618141366459662f96ed815e04c814167120951d0
Instruction ID: 35568ea7b0755981e55806898dc5ecfdac6aab39997c8da14d4d26c7f2df7c8a
Opcode Fuzzy Hash: 032e842fed3110766de197a618141366459662f96ed815e04c814167120951d0
Instruction Fuzzy Hash: 6E515B7191C207A7F702ABD8CD513AE7BF4AB02710F508D68F4D5822D8EF35C5D88A96

Function 6CF76B30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 6CF76CE5

Strings

+, xrefs: 6CF76C79
$, xrefs: 6CF76B88
%, xrefs: 6CF76C6B

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: c75a1d25a8ce30dd2a5ca606239695c808ee7bbe626089161810fe33e9ec7b2c
Instruction ID: 4ad87759305eaf292d4c6f46d666be03784a6c53afb357cb196a6ec16f811d7c
Opcode Fuzzy Hash: c75a1d25a8ce30dd2a5ca606239695c808ee7bbe626089161810fe33e9ec7b2c
Instruction Fuzzy Hash: 1D514873A093409AD7258F58E980BCB7BF5EB46305F149A5BF880D3791E735884587E2

Function 6CF94460 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

MonitorFromWindow.USER32(?,00000001), ref: 6CF944A7
GetMonitorInfoW.USER32(00000000), ref: 6CF944AE
OffsetRect.USER32(?,?,?), ref: 6CF944E2

Strings

(, xrefs: 6CF94493

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Monitor$FromInfoOffsetRectWindow
String ID: (
API String ID: 1360704185-3887548279
Opcode ID: 17e33d7f26059eeb78e8bca84680fb53cce287eba9bf4a6e3abdc1991f910945
Instruction ID: ec9df9c2989acde0b5f0485db59a852530c5348bc0da3e917a1e4ab4f6a01d2c
Opcode Fuzzy Hash: 17e33d7f26059eeb78e8bca84680fb53cce287eba9bf4a6e3abdc1991f910945
Instruction Fuzzy Hash: BA516EB5D00209DFDB18CFA9C990AAEBBF1BF48304F20866AD415A7351D730AA45CF64

Function 6CF945E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

IsZoomed.USER32(00000000), ref: 6CF94619
IsZoomed.USER32(00000000), ref: 6CF94642

Part of subcall function 6CF8C0A0: SendMessageW.USER32(?,00000000,00000010,6CF94609), ref: 6CF8C0BA

Strings

maxbtn, xrefs: 6CF94657, 6CF946AF
restorebtn, xrefs: 6CF94682, 6CF946DA

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Zoomed$MessageSend
String ID: maxbtn$restorebtn
API String ID: 239802086-341968062
Opcode ID: b41be20924e18a23ebf02241d4fe3b6e1b71401f40b6616f7453c89f2e6e9e11
Instruction ID: ea6eef07a73f76ec3469fe3dd8d3abc7fb9dfaacc6f11d12f021241c26012171
Opcode Fuzzy Hash: b41be20924e18a23ebf02241d4fe3b6e1b71401f40b6616f7453c89f2e6e9e11
Instruction Fuzzy Hash: C8410B74A01109EFEB04DF94C991BAEB771BF44308F208569D426AB790DB706A40CF61

Function 6D0101C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

textchanged, xrefs: 6D010258

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID:
String ID: textchanged
API String ID: 0-1330398090
Opcode ID: 80c110b8fb3cf43a7268b31aaf5ca9adf3d65eb2df5822b5ba8be136f6a90c8e
Instruction ID: fdbef50ebeb5fe9e1b6617eaaa43a424edaeb1646552579e3af5debe22b88fc4
Opcode Fuzzy Hash: 80c110b8fb3cf43a7268b31aaf5ca9adf3d65eb2df5822b5ba8be136f6a90c8e
Instruction Fuzzy Hash: 8631F274B1521ADFDB08DF98C990BAEB7B1BF88304F204959E551AB741CB30E945CBA0

Function 6CF66070 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF66084

Part of subcall function 6CF7A7A4: std::exception::exception.LIBCMT ref: 6CF7A7B9
Part of subcall function 6CF7A7A4: __CxxThrowException@8.LIBCMT ref: 6CF7A7CE
Part of subcall function 6CF7A7A4: std::exception::exception.LIBCMT ref: 6CF7A7DF

std::_Xinvalid_argument.LIBCPMT ref: 6CF6609F

Strings

string too long, xrefs: 6CF6607F, 6CF6609A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 1ee426b9c55dc2d96c8c254a21a96cb400b1cd187bdb4490ad1a1e32cdeb1ce8
Instruction ID: 5075d4bad874c26973dbd13ee80df93b7181c620b72d58c0279ccb2b85cbd8ef
Opcode Fuzzy Hash: 1ee426b9c55dc2d96c8c254a21a96cb400b1cd187bdb4490ad1a1e32cdeb1ce8
Instruction Fuzzy Hash: 4221F8763087909BD7318E1DD850A2AB7F99F96A14F110A2EF5D2CBF92C772D844C3A1

Function 004043D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
wsprintfW.USER32 ref: 00404483
SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496

Strings

%u.%u%s%s, xrefs: 00404470

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: dfea5b50e45ff8be8bfc9556fdf0d102cde058af48904552fdcaee68f5e7691e
Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
Opcode Fuzzy Hash: dfea5b50e45ff8be8bfc9556fdf0d102cde058af48904552fdcaee68f5e7691e
Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259

Function 6CFFBC30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFFBC61
__wcsicoll.LIBCMT ref: 6CFFBCBB

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

Strings

Menu, xrefs: 6CFFBC58
MenuElement, xrefs: 6CFFBCB2

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll$_malloc
String ID: Menu$MenuElement
API String ID: 3028118121-135141346
Opcode ID: f489252e1bb71994702208b466949c193fab90b663dc98b9ba2b1e8801bcfb85
Instruction ID: 7c81bd85069b73fc5d7162258b5e4f8f9b00441a87edc3466c485460b1d6889a
Opcode Fuzzy Hash: f489252e1bb71994702208b466949c193fab90b663dc98b9ba2b1e8801bcfb85
Instruction Fuzzy Hash: 77215CB1D04209DBDB10DFA8C954BDEBBF0EB09354F104669E824BBB90E7355A05CBA1

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.KERNELBASE(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: c31ef68b78af8176afdd907103d282dc2699cb0537778d61dc9e8deda1771df0
Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
Opcode Fuzzy Hash: c31ef68b78af8176afdd907103d282dc2699cb0537778d61dc9e8deda1771df0
Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: 76b1160061a8bcde82d673e25faa9719cd8acd17af1c4b15f649e1f749d05235
Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
Opcode Fuzzy Hash: 76b1160061a8bcde82d673e25faa9719cd8acd17af1c4b15f649e1f749d05235
Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759

Function 6CFD09BD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFD0A11
__wcsicoll.LIBCMT ref: 6CFD0AC0
__wcsicoll.LIBCMT ref: 6CFD0AE9
__wcsicoll.LIBCMT ref: 6CFD0BE0
__wcsicoll.LIBCMT ref: 6CFD0CAB
__fassign.LIBCMT ref: 6CFD0CC7
__wcsicoll.LIBCMT ref: 6CFD12A0
__wcsicoll.LIBCMT ref: 6CFD13B2
__fassign.LIBCMT ref: 6CFD13DC
__fassign.LIBCMT ref: 6CFD13FD

Strings

name, xrefs: 6CFD0AB4
Image, xrefs: 6CFD0A05

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll$__fassign
String ID: Image$name
API String ID: 2467191783-1833322134
Opcode ID: 5df80941129d6a7853b1393d066237029e1f52c716a7458a1091bd49344f5215
Instruction ID: c55e95e38be6057326b235d70afacd26693fa3e34e00fa80d723e4d5167f74e5
Opcode Fuzzy Hash: 5df80941129d6a7853b1393d066237029e1f52c716a7458a1091bd49344f5215
Instruction Fuzzy Hash: D3211A71D08A688ADB65CF24DD647EBB7B0FB40309F1445D9D04EA6680EB797E88CF90

Function 00406250 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004062A4
lstrcatW.KERNEL32(00000000,...), ref: 004062C7

Strings

..., xrefs: 004062BF
%02x%c, xrefs: 0040629C

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

ShowPage, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$ShowPage$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-4061174037
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Section: "%s", xrefs: 004050A5
Skipping section: "%s", xrefs: 004050E1

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 6CFD2AD0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CFD2AF0
LoadCursorW.USER32(00000000,00007F00), ref: 6CFD2B31
RegisterClassExW.USER32(00000030), ref: 6CFD2B5C

Strings

0, xrefs: 6CFD2AF8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ClassCursorLoadRegister_memset
String ID: 0
API String ID: 2700477685-4108050209
Opcode ID: 770d566ba00494411457c176d63a48671cfdaf5789f263f6491bdd745d1c6dd0
Instruction ID: ae5c7d061c57bcd5937865167e0a1653a8cb182b56fd10d8c2b71b2b3202164c
Opcode Fuzzy Hash: 770d566ba00494411457c176d63a48671cfdaf5789f263f6491bdd745d1c6dd0
Instruction Fuzzy Hash: 32112DB4D153089BEB00DF94C955BEEBBB4BB45304F208148E8146B380D7BA5608CFA5

Function 6CFA21E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shcore.dll,?,6CF7011B,00000002), ref: 6CFA21FE
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6CFA2216

Strings

Shcore.dll, xrefs: 6CFA21F9
SetProcessDpiAwareness, xrefs: 6CFA220D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 2574300362-999387375
Opcode ID: f5e595b494c486cb8da4cfccd3121a2ea9cea6fee7744299ed569f8ed62c1c2a
Instruction ID: df9fd55923d59087a47e24ddd1611e3491232230376eb6b4e5e58c9fdc156468
Opcode Fuzzy Hash: f5e595b494c486cb8da4cfccd3121a2ea9cea6fee7744299ed569f8ed62c1c2a
Instruction Fuzzy Hash: 2E01DA74E05209EBEB04DFE6C488B9EFBB4BF48304F208599E81997750D7359A85CB90

Function 6CFCAB60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFCAB72
__wcsicoll.LIBCMT ref: 6CFCABA9

Strings

Container, xrefs: 6CFCABA0
IContainer, xrefs: 6CFCAB69

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: Container$IContainer
API String ID: 3832890014-2633171450
Opcode ID: 2f261fd32f391cc8f50018caa28b5becbface832012d810d0c2f89d9aa7e7dad
Instruction ID: cfe55739c2e6f91e5bfe6857438da9a320d084ba8a2021635287e737aa613b14
Opcode Fuzzy Hash: 2f261fd32f391cc8f50018caa28b5becbface832012d810d0c2f89d9aa7e7dad
Instruction Fuzzy Hash: C5F04FB1F04109EBDB00CF98D954BDFB7B9AB11349F109599E8049B740E330BE44C792

Function 6D0146C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6D0146D2
__wcsicoll.LIBCMT ref: 6D0146EC

Strings

Combo, xrefs: 6D0146C9
IListOwner, xrefs: 6D0146E3

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: Combo$IListOwner
API String ID: 3832890014-3568159877
Opcode ID: bb1ab02747251185abb6c554d7819d6536c705fb33ef7d2acd71fecbe4dcbb97
Instruction ID: 29ab3869ad5207146a402d2352a996997009024ab61fd46f0a4eb4a7d9536736
Opcode Fuzzy Hash: bb1ab02747251185abb6c554d7819d6536c705fb33ef7d2acd71fecbe4dcbb97
Instruction Fuzzy Hash: DEF049B4E08209FBEB14CBD4DD40B9DB7F8AB4A309F5082A8E8046B350E771EA54C795

Function 6CFF6B30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 6CFF6B40
__wcsicoll.LIBCMT ref: 6CFF6B55

Strings

animation_direction, xrefs: 6CFF6B37
vertical, xrefs: 6CFF6B4C

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __wcsicoll
String ID: animation_direction$vertical
API String ID: 3832890014-2065563771
Opcode ID: 1ca1b71ed8327c5c54c908c309a6465c5beed96fd593e45351f224470673295a
Instruction ID: 215d0d62a79c036c4fa5ba169966d5608279c0f8096ca3c67b5388aa3868431f
Opcode Fuzzy Hash: 1ca1b71ed8327c5c54c908c309a6465c5beed96fd593e45351f224470673295a
Instruction Fuzzy Hash: 09F0A7B1904108BBCB04CB95DC40E9E77B89B46304F008698FD1887741E732EA1487E4

Function 6CFF2980 Relevance: 6.4, APIs: 4, Instructions: 421COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,00000003), ref: 6CFF29E8

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Rect
String ID:
API String ID: 400858303-0
Opcode ID: a0f994200f0a4c08233bfc58a98500ef92ce7e72786673e74289eb85ba665d3d
Instruction ID: f5e1a7235f6bfcabee0f1b1d05bf213980988234c3117c390e519bf56490a95a
Opcode Fuzzy Hash: a0f994200f0a4c08233bfc58a98500ef92ce7e72786673e74289eb85ba665d3d
Instruction Fuzzy Hash: 1512AC75E01149CFCB24DFA8C494A9DF7B2FF89304F248269D865AB766DB31A846CF40

Function 6CF74D30 Relevance: 6.3, APIs: 4, Instructions: 312COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 6CF74D70
_memmove.LIBCMT ref: 6CF750D3

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memmove_strpbrk
String ID:
API String ID: 1758035326-0
Opcode ID: 416549fa5de29a775d1f6b57dd5e334b681cf1486a64927401a5d0ce5a606cf8
Instruction ID: 10ca7557e3d61835714eb13ce76be14a836038c2a5829ef06217ce45439a92c1
Opcode Fuzzy Hash: 416549fa5de29a775d1f6b57dd5e334b681cf1486a64927401a5d0ce5a606cf8
Instruction Fuzzy Hash: 5DC1F3B1D00249DFDB20CFA8E884BDEBBB4EF05308F14816AE455AB781D771D949CBA1

Function 6CF7C458 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CF7C4F3
__flush.LIBCMT ref: 6CF7C511
__write.LIBCMT ref: 6CF7C538
__flsbuf.LIBCMT ref: 6CF7C563

Part of subcall function 6CF7EF1D: __getptd_noexit.LIBCMT ref: 6CF7EF1D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 8a5368d134481dfc1ac6ff2f04e20732f090f3986a8d2edf82540c275bdfde9c
Instruction ID: ff1df46a9d0ad73b26b187ebf4255c3b35f1dd67955373012ee12c05827f6780
Opcode Fuzzy Hash: 8a5368d134481dfc1ac6ff2f04e20732f090f3986a8d2edf82540c275bdfde9c
Instruction Fuzzy Hash: 8741E671A017049FDF34EFB9E844AAF7BB5AF80368F24862BD42497A40D771E954CB60

Function 6CF644B0 Relevance: 6.1, APIs: 4, Instructions: 104memorystringCOMMON

Download Yara Rule

APIs

std::_DebugHeapString::_DebugHeapString.LIBCPMTD ref: 6CF6451F

Part of subcall function 6CF642C0: _memset.LIBCMT ref: 6CF6439C
Part of subcall function 6CF642C0: _memset.LIBCMT ref: 6CF64404

lstrlen.KERNEL32(E243FD3F,02CF2A64,6D03A180,6D03A17C,00000000,6D03A17C,E243FD3F,00000000,02CF3288), ref: 6CF64557
__alloca_probe_16.LIBCMT ref: 6CF6456B
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,00000001), ref: 6CF64589

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: DebugHeap_memset$ByteCharMultiStringString::_Wide__alloca_probe_16lstrlenstd::_
String ID:
API String ID: 3975281319-0
Opcode ID: 815a69db8d9e1f5dd3e4287e4806587fac41e3411f5572aa7c7036394bc54798
Instruction ID: 1e4df2de57a42657f17af52a7a9be17c287c609ee80679bbdcd6aca562b49ae6
Opcode Fuzzy Hash: 815a69db8d9e1f5dd3e4287e4806587fac41e3411f5572aa7c7036394bc54798
Instruction Fuzzy Hash: 3B41D231D01219DBEB50DB65CC50FEEBBB5EF49314F1046A9D829A77C0DB70AA48CBA1

Function 6D018651 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6D018660

Part of subcall function 6CF7AEF3: __getptd.LIBCMT ref: 6CF7AF06

__isctype_l.LIBCMT ref: 6D018683

Part of subcall function 6CF87CDC: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6CF87CEB

Part of subcall function 6CF7EF1D: __getptd_noexit.LIBCMT ref: 6CF7EF1D

__isleadbyte_l.LIBCMT ref: 6D0186E4
___crtLCMapStringA.LIBCMT ref: 6D018735

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Locale$UpdateUpdate::_$String___crt__getptd__getptd_noexit__isctype_l__isleadbyte_l
String ID:
API String ID: 1963401427-0
Opcode ID: 6eef88952b45381a9a2943befd018f11ef96aac713e729d73a6585ac4c78cf63
Instruction ID: 7bac07b86aaefc287b0b1f7a98a6e1fc551f61a3aa93e9d66ddd325d5998ae1c
Opcode Fuzzy Hash: 6eef88952b45381a9a2943befd018f11ef96aac713e729d73a6585ac4c78cf63
Instruction Fuzzy Hash: 1E319031A0824ABEEF01CBA4CC85FFE7BB4AB01308F5481A9E5649B1D2DB31D645DB61

Function 6CF985D9 Relevance: 6.1, APIs: 4, Instructions: 88windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF98060: GetKeyState.USER32(00000011), ref: 6CF9806D
Part of subcall function 6CF98060: GetKeyState.USER32(00000001), ref: 6CF98083
Part of subcall function 6CF98060: GetKeyState.USER32(00000002), ref: 6CF9809B
Part of subcall function 6CF98060: GetKeyState.USER32(00000010), ref: 6CF980B3
Part of subcall function 6CF98060: GetKeyState.USER32(00000012), ref: 6CF980C9

GetTickCount.KERNEL32 ref: 6CF98618
GetActiveWindow.USER32 ref: 6CF986C4
GetWindow.USER32(?,00000004), ref: 6CF986E7
SetFocus.USER32(00000000), ref: 6CF986FA

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: State$Window$ActiveCountFocusTick
String ID:
API String ID: 206295357-0
Opcode ID: 69973243926f7b4bd8d4d25ad390017deee913ee7789aae1b6f0b8bc41cc2a63
Instruction ID: 449f15f453838d09e652c9bda4f31d0b56b20219f254f8bd44c3ff5dba82ae58
Opcode Fuzzy Hash: 69973243926f7b4bd8d4d25ad390017deee913ee7789aae1b6f0b8bc41cc2a63
Instruction Fuzzy Hash: 11417A74E052188FEB19CF94C885BD9B7B1FF48304F2082AAD809AB755D7356A81DF50

Function 6CFF01A0 Relevance: 6.1, APIs: 4, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 6CFF020F
GetObjectW.GDI32(?,00000018,?), ref: 6CFF022A
_malloc.LIBCMT ref: 6CFF024A

Part of subcall function 6CF7CD40: __FF_MSGBANNER.LIBCMT ref: 6CF7CD59
Part of subcall function 6CF7CD40: __NMSG_WRITE.LIBCMT ref: 6CF7CD60
Part of subcall function 6CF7CD40: RtlAllocateHeap.NTDLL(00000000,00000001,00000001), ref: 6CF7CD85

GetBitmapBits.GDI32(?,?,?), ref: 6CFF0273

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Object$AllocateBitmapBitsHeapSelect_malloc
String ID:
API String ID: 2659638627-0
Opcode ID: 555c80ab6254c7debe1e3d405033179016fa8cb1bee1cd30a4a0f4d103e969a2
Instruction ID: 695e20202ae53d29e8ea6f9434904b22b591e6238c8c9dcc8a569c17d612a43c
Opcode Fuzzy Hash: 555c80ab6254c7debe1e3d405033179016fa8cb1bee1cd30a4a0f4d103e969a2
Instruction Fuzzy Hash: FD21DF74A00604EFCB04DFA8C994A9EBBB5BF88316F1441A8E9459B381D731A985CF50

Function 6D00ECE0 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6D00ED2E
_wcsncpy.LIBCMT ref: 6D00ED43
CLSIDFromString.COMBASE(?,00000000), ref: 6D00ED64
CLSIDFromProgID.COMBASE(?,00000000), ref: 6D00ED7A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: From$ProgString_memset_wcsncpy
String ID:
API String ID: 2240319475-0
Opcode ID: b10da6f8e5a389e0627ed5e3ff2b7cecfc6a2a89ac6b189dce34d971138b4497
Instruction ID: b8352dcb068076d50ccaa3c369c7cb5bfbccf647bf120ade3cfa38599b55ca14
Opcode Fuzzy Hash: b10da6f8e5a389e0627ed5e3ff2b7cecfc6a2a89ac6b189dce34d971138b4497
Instruction Fuzzy Hash: 8B21EA71D042189BDB64DFA8D941BADB7B5BB48300F4085EAE50EB7240EB709A84CFA0

Function 6CFB8E50 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetClipBox.GDI32(6CF91B88,00000000), ref: 6CFB8E7A
CreateRectRgnIndirect.GDI32(00000000), ref: 6CFB8E84
CreateRectRgnIndirect.GDI32(?), ref: 6CFB8E94
ExtSelectClipRgn.GDI32(6CF91B88,?,00000001), ref: 6CFB8EAD

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ClipCreateIndirectRect$Select
String ID:
API String ID: 4223180713-0
Opcode ID: 1e462cc064f01cb61db1c866f4893b086155c1b6edb0ce7e7597b24d4a28e218
Instruction ID: 7c87f62061027a169d0a23ff001b6ca41e2ffca415184c2587d62a8baaa8a253
Opcode Fuzzy Hash: 1e462cc064f01cb61db1c866f4893b086155c1b6edb0ce7e7597b24d4a28e218
Instruction Fuzzy Hash: C621C9B4900209DFCB44DF68C594A9EBBF5FF88304B20855AED199B341D735EA56CFA0

Function 6D01AEAE Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6D01AED4

Part of subcall function 6D01AD00: __fltout2.LIBCMT ref: 6D01AD2B

__cftog_l.LIBCMT ref: 6D01AEFA
__cftoe_l.LIBCMT ref: 6D01AF2C

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 0dac57095f7608ba47102c14a722c9b91818809c659b40023dc67b9cf24b8f9f
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: AC11397244824ABBDF025EC5DC41EEE3FA2BB19254F658419FA2859021C737C5BAAB81

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00428BB1,74DF23A0,00000000), ref: 00406902

CreateFontIndirectW.GDI32(00420110), ref: 0040216A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
Opcode Fuzzy Hash: 5e7bfe574d04e9302ce96a75028483347f8e754cab2f6e4722de83d8c32547a7
Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D

Function 00407224 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
lstrcmpW.KERNEL32(?,Version ), ref: 00407276
lstrcpynW.KERNEL32(?,?,?), ref: 0040728D

Strings

Version , xrefs: 0040726D

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1

Function 6CF6AE80 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CF6AE9F

Part of subcall function 6CF7B28C: std::exception::_Copy_str.LIBCMT ref: 6CF7B2A7

__CxxThrowException@8.LIBCMT ref: 6CF6AE90

Part of subcall function 6CF7D3D1: RaiseException.KERNEL32(?,?,6CF7C8E0,E243FD3F,?,?,?,?,6CF7C8E0,E243FD3F,6D042A94,6D049FF4,E243FD3F,-00000898,00000002,?), ref: 6CF7D413

__CxxThrowException@8.LIBCMT ref: 6CF6AEB4
std::exception::exception.LIBCMT ref: 6CF6AECA

Part of subcall function 6CF7B373: std::exception::operator=.LIBCMT ref: 6CF7B38C

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::exception::operator=
String ID:
API String ID: 3186241058-0
Opcode ID: 964f2c940c39114844f3296e68432f9dee055b88bacdfa34edf4e486f5948e3b
Instruction ID: 896e5c60f64b907e8c309e4bd1cdfad6c818271e053c365d0a13988aa52c324f
Opcode Fuzzy Hash: 964f2c940c39114844f3296e68432f9dee055b88bacdfa34edf4e486f5948e3b
Instruction Fuzzy Hash: C1F012B1D002086B9764DFE5E848DDF7BACDF08150F14482AF90497A00D774D5488BB1

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC

Function 00406391 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
GlobalFree.KERNEL32(00000000), ref: 004063CA

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674

Function 6CFF0330 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 450COMMON

Download Yara Rule

APIs

Part of subcall function 6CFC7D80: LoadCursorW.USER32(00000000,?), ref: 6CFC7DBC
Part of subcall function 6CFC7D80: SetCursor.USER32(00000000,?,6CFCB863,?), ref: 6CFC7DC3

Mailbox.LIBCMTD ref: 6CFF047A
Mailbox.LIBCMTD ref: 6CFF0847

Strings

colorchanged, xrefs: 6CFF069D

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: CursorMailbox$Load
String ID: colorchanged
API String ID: 3629072254-2145305739
Opcode ID: 9b22d9c97f9892d7abf7565604e7706c451b22809d9a1e794ed6c06cc08a3d6f
Instruction ID: 78820572235a6d6a8d4116855b39ac528c4fc3b991fc3a68c3a134f589637c3f
Opcode Fuzzy Hash: 9b22d9c97f9892d7abf7565604e7706c451b22809d9a1e794ed6c06cc08a3d6f
Instruction Fuzzy Hash: F832FB34A11618DFDB04CF94D994EEEB7B2FF88305F1482A9E8096B755DB71A942CF80

Function 6CFAEB30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CFAECD0

Strings

read past buffer, xrefs: 6CFAEC80
zlib corrupt, xrefs: 6CFAEC5E

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: _memmove
String ID: read past buffer$zlib corrupt
API String ID: 4104443479-1132150665
Opcode ID: d74f283a0ec629d65c0fe3e19426f6ae0e1cbdbce92a86378960719e9c3386cc
Instruction ID: e2b544cbf09aa1560a7abc6efc8f3484f2fe29a12ec6a607ec446d8e1c2101fc
Opcode Fuzzy Hash: d74f283a0ec629d65c0fe3e19426f6ae0e1cbdbce92a86378960719e9c3386cc
Instruction Fuzzy Hash: 5761F775A04249EFCB04CF98C4909ADBBB2FF89354F14C198E8499B745C731EA92CBD0

Function 6CFA46A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 6CFA4680: _malloc.LIBCMT ref: 6CFA4687

_free.LIBCMT ref: 6CFA46C7

Part of subcall function 6CF7B751: RtlFreeHeap.NTDLL(00000000,00000000,?,6CF81320,00000000), ref: 6CF7B767
Part of subcall function 6CF7B751: GetLastError.KERNEL32(00000000), ref: 6CF7B779

Strings

outofmem, xrefs: 6CFA46CF

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ErrorFreeHeapLast_free_malloc
String ID: outofmem
API String ID: 1323848136-748900114
Opcode ID: ad5045c66debb13b464c526b86f5091101df0747de96535f13913e388ceb0203
Instruction ID: 89feeb8b305d2b0c945d454ae7c2c26b0f2c21c8b71e32cdede0221eb3237684
Opcode Fuzzy Hash: ad5045c66debb13b464c526b86f5091101df0747de96535f13913e388ceb0203
Instruction Fuzzy Hash: 0151377190510ADBCF00CF84EA85AAEBF71FF42304F525695D8507B688CB34AA72CF92

Function 6CF66E30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF66EA6
_memmove.LIBCMT ref: 6CF66EFC

Part of subcall function 6CF66240: std::_Xinvalid_argument.LIBCPMT ref: 6CF66257

Strings

string too long, xrefs: 6CF66EA1

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 6ffaacc9f3e52571795b154709b5d618ea96f0eaf37823db3eb272018de06c54
Instruction ID: 89d59984267d2e986308a5300faa1e9cdb39791d6d46db28b10e965945352ff9
Opcode Fuzzy Hash: 6ffaacc9f3e52571795b154709b5d618ea96f0eaf37823db3eb272018de06c54
Instruction Fuzzy Hash: A1316F727001119B8714CA6FE8D08AAB7AAFFE5366314053AF604CBE00D731ECA5C7B5

Function 6D0004F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6D000548
_memmove.LIBCMT ref: 6D0005B3

Strings

vector<T> too long, xrefs: 6D000543

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 256744135-3788999226
Opcode ID: a748a7ee850725892636f766aa08af9376bb10010f1de4f9b842d43b8d7cde5b
Instruction ID: b3f9a165b5ba3f770fccfced512d7499d74869a2e1e2e2f62bb91815bc44dd60
Opcode Fuzzy Hash: a748a7ee850725892636f766aa08af9376bb10010f1de4f9b842d43b8d7cde5b
Instruction Fuzzy Hash: 25510AB5D04109EFDB14CF99D590AAEFBB1FF89300F10825AE815AB384D731A942CF91

Function 6CF78230 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 6CF7825E

Part of subcall function 6CF7CC7D: __getptd.LIBCMT ref: 6CF7CC7D

Part of subcall function 6CF7AC97: ____lc_handle_func.LIBCMT ref: 6CF7AC9A
Part of subcall function 6CF7AC97: ____lc_codepage_func.LIBCMT ref: 6CF7ACA2

Strings

true, xrefs: 6CF782DB
false, xrefs: 6CF782AB

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: ____lc_codepage_func____lc_handle_func__getptd_localeconv
String ID: false$true
API String ID: 679402580-2658103896
Opcode ID: 4ee9368835e4d2b81d5de46b40581e5df7bb82bbd639f80c7983a96f895ab3eb
Instruction ID: 698cbff29cea5b664e485864e15144fa045adcaad6ecf8088dd4051050d81a42
Opcode Fuzzy Hash: 4ee9368835e4d2b81d5de46b40581e5df7bb82bbd639f80c7983a96f895ab3eb
Instruction Fuzzy Hash: 633105B19067C19BD721CF78A480B97BFE4AB06248F25497BC5969BB01E730E508CBB1

Function 6CF66D80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF66D94

Part of subcall function 6CF7A7A4: std::exception::exception.LIBCMT ref: 6CF7A7B9
Part of subcall function 6CF7A7A4: __CxxThrowException@8.LIBCMT ref: 6CF7A7CE
Part of subcall function 6CF7A7A4: std::exception::exception.LIBCMT ref: 6CF7A7DF

_memmove.LIBCMT ref: 6CF66DDB

Strings

string too long, xrefs: 6CF66D8F

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 1785806476-2556327735
Opcode ID: a2e89673163182d5f8221bf0d604b416e11fb33985b9103d48c3d5ed67f91376
Instruction ID: 921214b74a6384476b8e8effad1b6092ca6349cfffd7bb06113b5280e95278a0
Opcode Fuzzy Hash: a2e89673163182d5f8221bf0d604b416e11fb33985b9103d48c3d5ed67f91376
Instruction Fuzzy Hash: 5D1196711082145FE7209E79E8C1B6AB7A8AF51718F240B2FF497C7E81D731E45883A1

Function 6CF66240 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF66257

Part of subcall function 6CF7A7F1: std::exception::exception.LIBCMT ref: 6CF7A806
Part of subcall function 6CF7A7F1: __CxxThrowException@8.LIBCMT ref: 6CF7A81B
Part of subcall function 6CF7A7F1: std::exception::exception.LIBCMT ref: 6CF7A82C

Part of subcall function 6CF66FC0: std::_Xinvalid_argument.LIBCPMT ref: 6CF66FCD

_memmove.LIBCMT ref: 6CF662B7

Strings

invalid string position, xrefs: 6CF66252

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 7791aefd0d6e3c6ef7ec4ec634e28051cd80970404cd1986711c1c880733b933
Instruction ID: 1e6c9fac1da3f6bff0972d26c5abe43401f35f5fd65682a47320472cefe5080f
Opcode Fuzzy Hash: 7791aefd0d6e3c6ef7ec4ec634e28051cd80970404cd1986711c1c880733b933
Instruction Fuzzy Hash: 3011E2323152119B8F10DFAEE8C08EAB366BF94328754422AF405CBE40E772E959C7E1

Function 6CF72910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6CF7C861: _malloc.LIBCMT ref: 6CF7C87B

std::exception::exception.LIBCMT ref: 6CF729D5
__CxxThrowException@8.LIBCMT ref: 6CF729EA

Strings

ream, xrefs: 6CF7297B

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: ream
API String ID: 4063778783-3784047043
Opcode ID: 920f95d1b42ccb21114d153cf6fa813f31fa8687ad79cede55de5c9968b7a6f6
Instruction ID: 00c923139b46ff111da785407168e79ea4f22dd5d02c8985e8851ffc974ce1e6
Opcode Fuzzy Hash: 920f95d1b42ccb21114d153cf6fa813f31fa8687ad79cede55de5c9968b7a6f6
Instruction Fuzzy Hash: 262192B1901609EFCB10DF98D880BDABBF8FF58714F10866AE85997741D774A608CBA1

Function 6CF66140 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF66156

Part of subcall function 6CF7A7F1: std::exception::exception.LIBCMT ref: 6CF7A806
Part of subcall function 6CF7A7F1: __CxxThrowException@8.LIBCMT ref: 6CF7A81B
Part of subcall function 6CF7A7F1: std::exception::exception.LIBCMT ref: 6CF7A82C

_memmove.LIBCMT ref: 6CF6618F

Strings

invalid string position, xrefs: 6CF66151

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: bd2caf31ac38acab3938b0ebde6104910adea7d525be2a3cb4eb62a07d8ab349
Instruction ID: aefa0acea7325141d1f323981299a169acb3992eef3d7bfdbdc8af657a5ab31d
Opcode Fuzzy Hash: bd2caf31ac38acab3938b0ebde6104910adea7d525be2a3cb4eb62a07d8ab349
Instruction Fuzzy Hash: 65019B323006505BD3218E6DEC9095BB7BADB85B54B25492EF181CBF46D671EC4583E1

Function 004048F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040492E
CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

Strings

, xrefs: 00404906

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00428BB1,74DF23A0,00000000), ref: 00404FD6
Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00428BB1,74DF23A0,00000000), ref: 00404FE6
Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00428BB1,74DF23A0,00000000), ref: 00404FF9
Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 15c68030ebc057a6bcbee2c0ec13fbcebe1f6febf3bc6cb13a7f0169c5a164a4
Instruction ID: 745ed8f2a75272e62c3db2eabdadd847eb541a5ed47e1f4d533bb28834579f01
Opcode Fuzzy Hash: 15c68030ebc057a6bcbee2c0ec13fbcebe1f6febf3bc6cb13a7f0169c5a164a4
Instruction Fuzzy Hash: CD01F7B2B4021076D72076B69C87FAB2A5CDB81768B20447BF502F60D3E57D8C40D138

Function 6CF66F40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF66F4F

Part of subcall function 6CF7A7F1: std::exception::exception.LIBCMT ref: 6CF7A806
Part of subcall function 6CF7A7F1: __CxxThrowException@8.LIBCMT ref: 6CF7A81B
Part of subcall function 6CF7A7F1: std::exception::exception.LIBCMT ref: 6CF7A82C

_memmove.LIBCMT ref: 6CF66F8A

Strings

invalid string position, xrefs: 6CF66F4A

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 5a48c30db64a3b36370962aa90df5e5017746503ac32f63c22c83d8e8e12f7f5
Instruction ID: fb7ce5be37ce208150030d894dbbbdb6bebb0beaa1eee4308c1650bf0977b1f0
Opcode Fuzzy Hash: 5a48c30db64a3b36370962aa90df5e5017746503ac32f63c22c83d8e8e12f7f5
Instruction Fuzzy Hash: 04014C313246118BC320CF7DE98081AB3F6AFC47043244A2DF096CBE59FB31D8468791

Function 6CF78B00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CF78B6B
__CxxThrowException@8.LIBCMT ref: 6CF78B80

Strings

Type is not convertible to double, xrefs: 6CF78B64

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: Type is not convertible to double
API String ID: 3728558374-279886761
Opcode ID: 445e2c99e0fd23ac735ab107e22629a6b871bd30fc9cdd6dc1e012bf7e44f1b5
Instruction ID: 270bddfc033e61aed1126cfb8a56b41ca492465a03a71159bc09a8df9c16d817
Opcode Fuzzy Hash: 445e2c99e0fd23ac735ab107e22629a6b871bd30fc9cdd6dc1e012bf7e44f1b5
Instruction Fuzzy Hash: ED01C4B1D0520DDFCB14CF98E4657ADBBB4DB4A314F2541CAD80D63750DA310A24C7A1

Function 6CFD4920 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 6CFD4971

Strings

#, xrefs: 6CFD4933
#, xrefs: 6CFD4927

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: Parent
String ID: #$#
API String ID: 975332729-2529538431
Opcode ID: 19999726ba696aae739f2c9b408acfae1b36c7ebec84c988e2f07ca47e57eed5
Instruction ID: a316688f62c5a57b94cb6de01f2d39e0d3477833dadc5d17375ae82f12dc6851
Opcode Fuzzy Hash: 19999726ba696aae739f2c9b408acfae1b36c7ebec84c988e2f07ca47e57eed5
Instruction Fuzzy Hash: 0501B135505248EFCB04CF55C48059EBF74AF06314B29C1C8D8990B745C731AF81DBD5

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 13cbdd23df18d036de9d5c22efd7f5e469270204adcf9325ac20a19b3184ad94
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 13cbdd23df18d036de9d5c22efd7f5e469270204adcf9325ac20a19b3184ad94
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714

Function 00405C6B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
CloseHandle.KERNEL32(?), ref: 00405C9D

Strings

Error launching installer, xrefs: 00405C74

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69

Function 004062CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A

Strings

File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1), xrefs: 004062D1, 004062D6

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: File: skipped: "C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll" (overwriteflag=1)
API String ID: 3509786178-1122914040
Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E

Function 6CF70AD0 Relevance: 5.1, APIs: 4, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF70B40
GlobalFree.KERNEL32 ref: 6CF70B4C
lstrcpynW.KERNEL32(?,?,00000080), ref: 6CF70B7E
GlobalFree.KERNEL32 ref: 6CF70B8B

Memory Dump Source

Source File: 00000000.00000002.2904975169.000000006CF61000.00000040.00000001.01000000.00000005.sdmp, Offset: 6CF60000, based on PE: true

Associated: 00000000.00000002.2904959906.000000006CF60000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D047000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2904975169.000000006D05F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905096444.000000006D061000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2905111806.000000006D062000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf60000_electrumx64.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID:
API String ID: 1459762280-0
Opcode ID: 427dddcbfa3afc6d9cee047b20ff6636ee5201ab1413be3f17002cdeebbc4f5a
Instruction ID: c35d972cf45c0156e05ea1106b22aef471cdd6157b478518b8459c15ced9c000
Opcode Fuzzy Hash: 427dddcbfa3afc6d9cee047b20ff6636ee5201ab1413be3f17002cdeebbc4f5a
Instruction Fuzzy Hash: A4318271901354DBCB24EF68D980F9AB7B8BF89314F10459AD95497740DBB1EA84CFA0

Function 00405DE2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24

Memory Dump Source

Source File: 00000000.00000002.2903919733.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2903888749.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903948489.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2903964887.000000000046B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000534000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2904054393.0000000000536000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_electrumx64.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report electrumx64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\licence.rtf

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\logo.ico

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\nsNiuniuSkin.dll

C:\Users\user\AppData\Local\Temp\nsxCF02.tmp\skin.zip

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
electrumx64.exe

Function 6CF98747 Relevance: 81.8, APIs: 43, Strings: 3, Instructions: 1258
COMMON

Function 004038AF Relevance: 52.8, APIs: 22, Strings: 8, Instructions: 304
filestringcomCOMMON

Function 00406CC7 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 190
filestringCOMMON

Function 6CF92BA0 Relevance: 79.3, APIs: 17, Strings: 28, Instructions: 551
COMMON

Function 6CFCCF60 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 405
COMMON

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Function 004054A5 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Function 6CFD1F70 Relevance: 39.1, APIs: 10, Strings: 12, Instructions: 611
COMMON

Function 6CFB9B30 Relevance: 32.1, APIs: 17, Strings: 1, Instructions: 588
filememoryCOMMON

Function 6CF717B0 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 256
stringCOMMON

Function 6CF96500 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 363
libraryCOMMON

Function 6CFD2D00 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 371
COMMON

Function 6CF70180 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 207
stringmemorywindowCOMMON

Function 6CF63BE0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 273
COMMON