Create Interactive Tour

Windows Analysis Report
TradingView Desktop.exe

Overview

General Information

Sample Name:	TradingView Desktop.exe
Analysis ID:	769746
MD5:	b91f1d5bf7dfcb98f34ff278ffbaa6fe
SHA1:	3d8b75f608bc44c278bd9323fd1b3153d8775152
SHA256:	2ec0754442f816dab7532fc89c9aa42452fa415b49fa0e7c601ec48877753f23
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Vidar stealer

Antivirus detection for URL or domain

Writes to foreign memory regions

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

.NET source code references suspicious native API functions

Machine Learning detection for sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Is looking for software installed on the system

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries information about the installed CPU (vendor, model number etc)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

TradingView Desktop.exe (PID: 6076 cmdline: C:\Users\user\Desktop\TradingView Desktop.exe MD5: B91F1D5BF7DFCB98F34FF278FFBAA6FE)

CasPol.exe (PID: 4972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)

cleanup

Malware Configuration

Threatname: Vidar

{
  "C2 url": [
    "https://t.me/ttruelive",
    "https://steamcommunity.com/profiles/76561199443972360"
  ],
  "Botnet": "1663",
  "Version": "56.2"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.501898815.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.245381455.000001B910A67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: TradingView Desktop.exe PID: 6076	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: CasPol.exe PID: 4972	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 4972	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: CasPol.exe PID: 4972	Windows_Trojan_Vidar_114258d5	unknown	unknown	0xd8b7b:$a1: BinanceChainWallet 0xda478:$a2: wallet.dat 0x92d41:$b1: CC\%s_%s.txt 0x92d80:$b2: History\%s_%s.txt 0x93796:$b2: History\%s_%s.txt 0x92d6c:$b3: Autofill\%s_%s.txt 0x93782:$b3: Autofill\%s_%s.txt
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.TradingView Desktop.exe.1b910a67940.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.TradingView Desktop.exe.1b910a67940.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.0.CasPol.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: TradingView Desktop.exe	ReversingLabs: Detection: 46%
Source: TradingView Desktop.exe	Virustotal: Detection: 54%			Perma Link

Antivirus detection for URL or domain

Source: http://95.216.207.27/1663	Avira URL Cloud: Label: malware
Source: http://95.216.207.27/update.zip4	Avira URL Cloud: Label: malware
Source: http://95.216.207.27:80/update.zip	Avira URL Cloud: Label: malware
Source: http://95.216.207.27:80	Avira URL Cloud: Label: malware
Source: http://95.216.207.27/	Avira URL Cloud: Label: malware
Source: http://95.217.27.105:80	Avira URL Cloud: Label: malware
Source: http://95.216.207.27/update.zip	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: TradingView Desktop.exe

Joe Sandbox ML: detected

Source: 00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://t.me/ttruelive", "https://steamcommunity.com/profiles/76561199443972360"], "Botnet": "1663", "Version": "56.2"}

Source: TradingView Desktop.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\GGGgGvF.pdbBSJB source: TradingView Desktop.exe
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\GGGgGvF.pdb source: TradingView Desktop.exe
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\Hawk.pdb source: TradingView Desktop.exe, 00000000.00000002.241196327.000001B900020000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.246078514.000001B977E00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\Hawk.pdbBSJB source: TradingView Desktop.exe, 00000000.00000002.241196327.000001B900020000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.246078514.000001B977E00000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh

0_2_00007FFDC87C3AC9

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://t.me/ttruelive
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199443972360

Source: Joe Sandbox View

IP Address: 13.224.103.92 13.224.103.92

Source: CasPol.exe, 00000001.00000002.513138499.0000000027654000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://95.216.207.27/
Source: CasPol.exe, 00000001.00000002.502567833.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.216.207.27/1663
Source: CasPol.exe, 00000001.00000002.502549793.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.216.207.27/update.zip
Source: CasPol.exe, 00000001.00000002.502549793.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.216.207.27/update.zip4
Source: CasPol.exe, 00000001.00000003.255255649.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.502761416.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.216.207.27:80
Source: CasPol.exe, 00000001.00000002.501772813.0000000000B7D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://95.216.207.27:80/update.zip
Source: CasPol.exe, 00000001.00000002.502761416.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://95.216.207.27:80aaaak
Source: TradingView Desktop.exe, 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.245381455.000001B910A67000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://95.217.27.105:80
Source: TradingView Desktop.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: TradingView Desktop.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: TradingView Desktop.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: TradingView Desktop.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: TradingView Desktop.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: TradingView Desktop.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: CasPol.exe, 00000001.00000002.502459007.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000003.255269988.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: TradingView Desktop.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TradingView Desktop.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: TradingView Desktop.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: TradingView Desktop.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: TradingView Desktop.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: TradingView Desktop.exe	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: TradingView Desktop.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TradingView Desktop.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: TradingView Desktop.exe	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: TradingView Desktop.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: TradingView Desktop.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: TradingView Desktop.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: TradingView Desktop.exe	String found in binary or memory: http://ocsp.digicert.com0L
Source: TradingView Desktop.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.502608210.0000000000F88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tvd-packages.tradingview.com/stable/latest/win32/TradingView.msix
Source: CasPol.exe, 00000001.00000002.513993841.0000000027FDA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://tvd-packages.tradingview.com/stable/latest/win32/TradingView.msix;
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tvd-packages.tradingview.com/stable/latest/win32/TradingView.msixaaaO
Source: CasPol.exe, 00000001.00000002.502608210.0000000000F88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tvd-packages.tradingview.com/stable/latest/win32/TradingView.msixk
Source: TradingView Desktop.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: TradingView Desktop.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 65386444350250873792918786.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 65386444350250873792918786.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 65386444350250873792918786.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 65386444350250873792918786.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 65386444350250873792918786.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 65386444350250873792918786.1.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 65386444350250873792918786.1.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 65386444350250873792918786.1.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 65386444350250873792918786.1.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: TradingView Desktop.exe, 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.245381455.000001B910A67000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199443972360
Source: CasPol.exe, 00000001.00000002.502080338.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: CasPol.exe, 00000001.00000002.502080338.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/)I
Source: TradingView Desktop.exe, 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.245381455.000001B910A67000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp, CasPol.exe, 00000001.00000003.255255649.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000003.255269988.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.502080338.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ttruelive
Source: TradingView Desktop.exe, 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.245381455.000001B910A67000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ttruelivehttps://steamcommunity.com/profiles/76561199443972360http://95.217.27.105:80hi
Source: CasPol.exe, 00000001.00000003.255318046.0000000000F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: TradingView Desktop.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: 65386444350250873792918786.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: CasPol.exe PID: 4972, type: MEMORYSTR

Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown

Source: Process Memory Space: CasPol.exe PID: 4972, type: MEMORYSTR

Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\TradingView Desktop.exe	Code function: 0_2_00007FFDC87C46C1	0_2_00007FFDC87C46C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_60937929	1_2_60937929
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6092114F	1_2_6092114F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6093FAD6	1_2_6093FAD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6091F2C9	1_2_6091F2C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6096DAE8	1_2_6096DAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6094D33B	1_2_6094D33B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_60936B27	1_2_60936B27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6093B368	1_2_6093B368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6093F42E	1_2_6093F42E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_60909E9C	1_2_60909E9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6096D6A4	1_2_6096D6A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_60912E0B	1_2_60912E0B

Source: TradingView Desktop.exe

Static PE information: No import functions for PE file found

Source: TradingView Desktop.exe, 00000000.00000002.245716014.000001B977B2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TradingView Desktop.exe
Source: TradingView Desktop.exe, 00000000.00000002.241196327.000001B900020000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHawk.dll* vs TradingView Desktop.exe
Source: TradingView Desktop.exe, 00000000.00000000.236872324.000001B9779E0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGGGgGvF.exe0 vs TradingView Desktop.exe
Source: TradingView Desktop.exe, 00000000.00000002.246078514.000001B977E00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHawk.dll* vs TradingView Desktop.exe
Source: TradingView Desktop.exe	Binary or memory string: OriginalFilenameGGGgGvF.exe0 vs TradingView Desktop.exe

Source: TradingView Desktop.exe

Static PE information: invalid certificate

Source: TradingView Desktop.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TradingView Desktop.exe	ReversingLabs: Detection: 46%
Source: TradingView Desktop.exe	Virustotal: Detection: 54%

Source: TradingView Desktop.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TradingView Desktop.exe C:\Users\user\Desktop\TradingView Desktop.exe
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\TradingView Desktop.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TradingView Desktop.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/10@0/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: 09644236449087905114903911.1.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TradingView Desktop.exe	Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: TradingView Desktop.exe, c32234589ed1a32990563d176bc125462.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.TradingView Desktop.exe.1b977980000.0.unpack, c32234589ed1a32990563d176bc125462.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.TradingView Desktop.exe.1b977980000.2.unpack, c32234589ed1a32990563d176bc125462.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: TradingView Desktop.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TradingView Desktop.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: TradingView Desktop.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\GGGgGvF.pdbBSJB source: TradingView Desktop.exe
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\GGGgGvF.pdb source: TradingView Desktop.exe
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\Hawk.pdb source: TradingView Desktop.exe, 00000000.00000002.241196327.000001B900020000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.246078514.000001B977E00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\Hawk.pdbBSJB source: TradingView Desktop.exe, 00000000.00000002.241196327.000001B900020000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.246078514.000001B977E00000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6096D990 push eax; ret		1_2_6096D9C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_60911F9E push ecx; mov dword ptr [esp], ebx		1_2_60911FD3

Source: initial sample

Static PE information: section name: .text entropy: 7.9085478167644805

Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\TradingView Desktop.exe TID: 3628

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 3095

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

API coverage: 4.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 1_2_6092A5DC sqlite3_os_init,GetSystemInfo,

1_2_6092A5DC

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior

Source: TradingView Desktop.exe, 00000000.00000002.242996951.000001B9104B2000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.242108470.000001B9101FE000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.241478491.000001B9100E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %QDHgFSv
Source: CasPol.exe, 00000001.00000002.502269617.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: TradingView Desktop.exe, 00000000.00000002.243289252.000001B9105C7000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.243619426.000001B9106C5000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.244145632.000001B9107AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %mGSvAQDHgFSvAQA
Source: CasPol.exe, 00000001.00000002.502269617.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-USn
Source: TradingView Desktop.exe, 00000000.00000002.244545969.000001B910899000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %mGSvAQDHgFSvAQABAAAAiZhYrwEAiZhcrwEAiZhsrwEAi0UIi3dIg8Aq6FDL//+LRQiLT0iDwARQi0EE6L7f//+LR0iDxATo0+X//4tPSImHkAAAADPAOZmkrwYAXlt0BbgAAAAFXcIEAMzMzMzMVYvsUVNWjZ+UAAAAugBAAACL98dF/AAAAADo0f3//4vwhfZ0
Source: CasPol.exe, 00000001.00000002.502080338.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX"

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Code function: 0_2_00007FFDC87C33AE CheckRemoteDebuggerPresent,

0_2_00007FFDC87C33AE

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\TradingView Desktop.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 44F000	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 465000	Jump to behavior
Source: C:\Users\user\Desktop\TradingView Desktop.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 961008	Jump to behavior

.NET source code references suspicious native API functions

Source: TradingView Desktop.exe, c57e08ca4e4607f7affd43ead0d384a0a.cs	Reference to suspicious API methods: ('c496cc3da43bb544d640b12368d1758a2', 'OpenProcess@kernel32.dll'), ('c20e54600e6528119c33a1de273eba089', 'LoadLibrary@kernel32.dll'), ('c57b6da7296a6ef77bdb95bfb8d8d3d52', 'GetProcAddress@kernel32.dll'), ('cd9157eb1ed9ed3feca542553607d6d07', 'GetProcAddress@kernel32.dll'), ('cec7c4bf9d947941c29795ee931d67684', 'GetProcAddress@kernel32.dll'), ('cd6ff29ad9d6ea60fa21a1ae4a5448a51', 'GetProcAddress@kernel32.dll'), ('c79bdbe734fcafb56dd6e53117e3f7099', 'GetProcAddress@kernel32.dll'), ('c76afb0c5ec57fa48cc8135aaed709424', 'GetProcAddress@kernel32.dll')
Source: 0.0.TradingView Desktop.exe.1b977980000.0.unpack, c57e08ca4e4607f7affd43ead0d384a0a.cs	Reference to suspicious API methods: ('c496cc3da43bb544d640b12368d1758a2', 'OpenProcess@kernel32.dll'), ('c20e54600e6528119c33a1de273eba089', 'LoadLibrary@kernel32.dll'), ('c57b6da7296a6ef77bdb95bfb8d8d3d52', 'GetProcAddress@kernel32.dll'), ('cd9157eb1ed9ed3feca542553607d6d07', 'GetProcAddress@kernel32.dll'), ('cec7c4bf9d947941c29795ee931d67684', 'GetProcAddress@kernel32.dll'), ('cd6ff29ad9d6ea60fa21a1ae4a5448a51', 'GetProcAddress@kernel32.dll'), ('c79bdbe734fcafb56dd6e53117e3f7099', 'GetProcAddress@kernel32.dll'), ('c76afb0c5ec57fa48cc8135aaed709424', 'GetProcAddress@kernel32.dll')
Source: 0.2.TradingView Desktop.exe.1b977980000.2.unpack, c57e08ca4e4607f7affd43ead0d384a0a.cs	Reference to suspicious API methods: ('c496cc3da43bb544d640b12368d1758a2', 'OpenProcess@kernel32.dll'), ('c20e54600e6528119c33a1de273eba089', 'LoadLibrary@kernel32.dll'), ('c57b6da7296a6ef77bdb95bfb8d8d3d52', 'GetProcAddress@kernel32.dll'), ('cd9157eb1ed9ed3feca542553607d6d07', 'GetProcAddress@kernel32.dll'), ('cec7c4bf9d947941c29795ee931d67684', 'GetProcAddress@kernel32.dll'), ('cd6ff29ad9d6ea60fa21a1ae4a5448a51', 'GetProcAddress@kernel32.dll'), ('c79bdbe734fcafb56dd6e53117e3f7099', 'GetProcAddress@kernel32.dll'), ('c76afb0c5ec57fa48cc8135aaed709424', 'GetProcAddress@kernel32.dll')

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

Jump to behavior

Source: C:\Users\user\Desktop\TradingView Desktop.exe	Queries volume information: C:\Users\user\Desktop\TradingView Desktop.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\TradingView Desktop.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.TradingView Desktop.exe.1b910a67940.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TradingView Desktop.exe.1b910a67940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.245381455.000001B910A67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TradingView Desktop.exe PID: 6076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 4972, type: MEMORYSTR

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Found many strings related to Crypto-Wallets (likely being stolen)

Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets\.*ate
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\.
Source: CasPol.exe, 00000001.00000002.501898815.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.conf.jsonaaaaaa
Source: TradingView Desktop.exe, 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Exodus\backups
Source: CasPol.exe, 00000001.00000002.501898815.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: CasPol.exe, 00000001.00000002.501898815.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\jaxx\Local Storage\a
Source: CasPol.exe, 00000001.00000002.501898815.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\aaaa
Source: TradingView Desktop.exe, 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\aaaa
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets\default_walletaH
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorageaaaaaaaaai
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\tateaaF
Source: CasPol.exe, 00000001.00000002.501898815.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: TradingView Desktop.exe	String found in binary or memory: set_UseMachineKeyStore
Source: CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match	File source: 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.501898815.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 4972, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.TradingView Desktop.exe.1b910a67940.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TradingView Desktop.exe.1b910a67940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.245381455.000001B910A67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TradingView Desktop.exe PID: 6076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 4972, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6090C1D6 sqlite3_clear_bindings,	1_2_6090C1D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6090EAE5 sqlite3_transfer_bindings,	1_2_6090EAE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_609254B1 sqlite3_bind_zeroblob,	1_2_609254B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6090F435 strncmp,sqlite3_bind_parameter_index,	1_2_6090F435
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_609255D4 sqlite3_bind_text16,	1_2_609255D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_609255FF sqlite3_bind_text,	1_2_609255FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_60925686 sqlite3_bind_int64,	1_2_60925686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_609256E5 sqlite3_bind_int,	1_2_609256E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6092562A sqlite3_bind_blob,	1_2_6092562A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_60925655 sqlite3_bind_null,	1_2_60925655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6092570B sqlite3_bind_double,	1_2_6092570B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_60925778 sqlite3_bind_value,	1_2_60925778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6090577D sqlite3_bind_parameter_name,	1_2_6090577D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_6090576B sqlite3_bind_parameter_count,	1_2_6090576B

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	311 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Credentials in Registry	11 Process Discovery	Remote Desktop Protocol	3 Data from Local System	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Software Packing	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TradingView Desktop.exe	46%	ReversingLabs	ByteCode-MSIL.Infostealer.Bandra
TradingView Desktop.exe	55%	Virustotal		Browse
TradingView Desktop.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.TradingView Desktop.exe.1b910a67940.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://95.216.207.27/1663	100%	Avira URL Cloud	malware
http://95.216.207.27:80/update.zip	2%	Virustotal		Browse
http://95.216.207.27/update.zip4	100%	Avira URL Cloud	malware
http://95.216.207.27:80/update.zip	100%	Avira URL Cloud	malware
http://95.216.207.27:80	100%	Avira URL Cloud	malware
http://95.216.207.27/	100%	Avira URL Cloud	malware
http://95.217.27.105:80	100%	Avira URL Cloud	malware
http://95.216.207.27/update.zip	100%	Avira URL Cloud	malware
http://95.216.207.27:80aaaak	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199443972360	false		high
https://t.me/ttruelive	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://95.216.207.27:80/update.zip	CasPol.exe, 00000001.00000002.501772813.0000000000B7D000.00000004.00000010.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	65386444350250873792918786.1.dr	false		high
https://t.me/	CasPol.exe, 00000001.00000002.502080338.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	65386444350250873792918786.1.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	65386444350250873792918786.1.dr	false		high
https://web.telegram.org	CasPol.exe, 00000001.00000003.255318046.0000000000F63000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tvd-packages.tradingview.com/stable/latest/win32/TradingView.msixk	CasPol.exe, 00000001.00000002.502608210.0000000000F88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	65386444350250873792918786.1.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	65386444350250873792918786.1.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	65386444350250873792918786.1.dr	false		high
http://95.216.207.27/update.zip4	CasPol.exe, 00000001.00000002.502549793.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	65386444350250873792918786.1.dr	false		high
https://t.me/ttruelivehttps://steamcommunity.com/profiles/76561199443972360http://95.217.27.105:80hi	TradingView Desktop.exe, 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.245381455.000001B910A67000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp	false		high
http://tvd-packages.tradingview.com/stable/latest/win32/TradingView.msix;	CasPol.exe, 00000001.00000002.513993841.0000000027FDA000.00000004.00000010.00020000.00000000.sdmp	false		high
http://tvd-packages.tradingview.com/stable/latest/win32/TradingView.msixaaaO	CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://95.216.207.27:80	CasPol.exe, 00000001.00000003.255255649.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.502761416.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	65386444350250873792918786.1.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	65386444350250873792918786.1.dr	false		high
http://95.216.207.27/	CasPol.exe, 00000001.00000002.513138499.0000000027654000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://95.216.207.27/1663	CasPol.exe, 00000001.00000002.502567833.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://95.216.207.27:80aaaak	CasPol.exe, 00000001.00000002.502761416.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://t.me/)I	CasPol.exe, 00000001.00000002.502080338.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://95.216.207.27/update.zip	CasPol.exe, 00000001.00000002.502549793.0000000000F69000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tvd-packages.tradingview.com/stable/latest/win32/TradingView.msix	CasPol.exe, 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.502608210.0000000000F88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	65386444350250873792918786.1.dr	false		high
http://95.217.27.105:80	TradingView Desktop.exe, 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp, TradingView Desktop.exe, 00000000.00000002.245381455.000001B910A67000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
13.224.103.92	unknown	United States	16509	AMAZON-02US	false
95.216.207.27	unknown	Germany	24940	HETZNER-ASDE	false
149.154.167.99	unknown	United Kingdom	62041	TELEGRAMRU	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	769746
Start date and time:	2022-12-19 10:45:37 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TradingView Desktop.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/10@0/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 8.2% (good quality ratio 6.7%) Quality average: 51.7% Quality standard deviation: 34%
HCA Information:	Successful, ratio: 83% Number of executed functions: 25 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:46:44	API Interceptor	1x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
13.224.103.92	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	https://jetechtoolcom.tk/active/ii/_user.php	Get hash	malicious	Browse
	https://publicate.it/p/CN1fp2BW2wVT312079	Get hash	malicious	Browse
	https://tradegopro.com/	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	http://megafonru.ru	Get hash	malicious	Browse
	https://noticiasahora.org/05/07/2022/canal-retransmitira-premier-padel-en-mas-de-60-territorios/	Get hash	malicious	Browse
	http://click.smartsheet.com/f/a/4XGoBH9j2G4-p2yjuEc4Vw~~/AARF7wA~/RgRkgSyZP0QkaHR0cHM6Ly9tdnNjOS5hcHAubGluay9lL0N1WGRRZGt3RXFiVwNzcGNCCmKamaeeYlbjlbBSJ2N1c3RvbWVyLnNlcnZpY2VAc2FsYXJ5c29sdXRpb25zLmNvbS5hdVgEAAAAAA~~	Get hash	malicious	Browse
	https://click.smartsheet.com/f/a/1XIucl39hzgzUvOOPd2reQ~~/AARF7wA~/RgRkeRsAP0Q_aHR0cHM6Ly9kb2MuY2xpY2t1cC5jb20vMzY3NTQyNTMvZC9oLzEzMW11ZC0yNjIvYTRlYjliNWQ5YTJiZDhhVwNzcGNCCmKGAJaWYq_h5zJSHWV4Y2VwdGlvbmFsbmVlZHNAbWluZGEuYXNuLmF1WAQAAAAA	Get hash	malicious	Browse
95.216.207.27	file.exe	Get hash	malicious	Browse	95.216.207.27/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-02US	Aftral_2B014C2B4ECB9336CAB77EB9_pdf.htm	Get hash	malicious	Browse	18.185.196.205
	Official Purchase Order 121322.exe	Get hash	malicious	Browse	3.64.163.50
	PaymentCopy121922.exe	Get hash	malicious	Browse	3.64.163.50
	EFT Attachments.html	Get hash	malicious	Browse	18.130.240.242
	H1NND2whgW.elf	Get hash	malicious	Browse	157.175.218.251
	r2p2FZwOa3.elf	Get hash	malicious	Browse	44.245.91.173
	SecuriteInfo.com.Variant.Cerbu.159497.16352.1761.exe	Get hash	malicious	Browse	76.223.105.230
	SecuriteInfo.com.W32.Trojan.SW.gen.Eldorado.12443.21800.exe	Get hash	malicious	Browse	35.77.200.33
	MV TAYDO STAR-VESSEL PARTICULARS.js	Get hash	malicious	Browse	3.65.48.84
	file.exe	Get hash	malicious	Browse	52.216.78.116
	file.exe	Get hash	malicious	Browse	52.217.100.44
	uiVa6TG1Hn.exe	Get hash	malicious	Browse	52.217.192.193
	SecuriteInfo.com.Win32.RansomX-gen.31051.15203.exe	Get hash	malicious	Browse	35.77.200.33
	v1eXHfmaLk.exe	Get hash	malicious	Browse	104.192.141.1
	http://ww1.citymanger.com/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fHx8fHw2MzllMjM0NjJmYThlfHx8MTY3MTMwODEwMi4yMTA3fDM2MTBiOTQ4NzRjZTMyNTNjZDM5NzMwMjBlMTBhZDU0YzdmZDY0YjN8fHx8fDF8fDB8MHx8fHwxfHx8fHwwfDB8fHx8fHx8fHx8MHwwfHwwfHx8MHwwfFcxMD18fDF8VzEwPXxlNDg2YmQzNzVjNTUwMTRkZTNlMjFmY2UxMGNmN2I3Nzk1OTNhMTMyfDB8ZHAtdGVhbWludGVybmV0MTJfM3BofDB8MA%3D%3D&query=Commercial%20Credit%20Cards&afdToken=ChMI6Yzm7ruB_AIVsRRZBR3qCgFbElPcHWC0A69lhJq2UizR9de-aa78nx-1lwOsWjZvaE-ugjc18fdM9m5hvPrFP3svaxihZe9H5weiqNvx6XuUvWQVxLP2S-kQyZo6jyKt6HcRLYNtAw&pcsa=false&nb=0&nm=37&nx=205&ny=92&is=530x497&clkt=117	Get hash	malicious	Browse	13.224.189.74
	https://www.smore.com/rk3tf	Get hash	malicious	Browse	52.222.214.128
	https://uspprofile.com/common/oauth3/authorize?id=wZzsufze	Get hash	malicious	Browse	3.134.82.215
	http://templatesearch.org	Get hash	malicious	Browse	108.156.2.87
	http://s3-eu-west-1.amazonaws.com/cp-chk-files/e.txt?static=CPCheckMe&rand=1671247771397	Get hash	malicious	Browse	52.218.120.32
	https://pr1953.graphy.com/s/pages/1137030	Get hash	malicious	Browse	52.222.206.178

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\09644236449087905114903911

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\31553338626880382755.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=store
Category:	dropped
Size (bytes):	102563122
Entropy (8bit):	7.998367986163592
Encrypted:	true
SSDEEP:	1572864:DFeHSLCpIBzb1qJIc1rOvYHjFCRw5FsXOKGnQqOjLokHbj9GrfLVIqPRKBSCsUE:EH9IBfsJIc1rOvY0Rs9Zys2js7haohUE
MD5:	C3FA14996F8843A958F41487CC8B7B45
SHA1:	2407712081269F9F82EE57E7EC3DE37ECF4DE33D
SHA-256:	A2C76D93F02F2DB26B0AEFC1BF6AD0A7FBEBBB9B82E27724F181B27FB087EA7F
SHA-512:	284717AA723A31458785C8968559D0428297C6EB84542E489376C5B9831A6F239566BE4F976111C672DAC6FCC7EC2F77E807672BD3F71B486E71BD7B6B32D7C7
Malicious:	false
Reputation:	low
Preview:	PK..-.....,qYU................images/MediumTile.png.PNG........IHDR.............<.q.....pHYs.................sRGB.........gAMA......a.....IDATx.....D....H.N...L....T...T.P.N...ptp..t Vc3....O....f4..dY.....................................Ky...E..b.q.c.,.o.-.7e..w..l..T.b......1..k\|.OA.r3?.U...q..e{..T^.....k[.~.f\.C.....C`f....U0.. ?.....w........7..+N.X./..X..r..9....#..[.W.Z......5...X.S...OS...E.......C.......n.q].z......z.S;.....].V7..:m..\|}..m..15V..X..yj..R-7.Y../...JPm#7....j .N..zn'.."./q.....'...7%[.........z~;.\|...q!..8Y...OCQ.2..~...\..\|..d...3.?.r..O./8F`M8.....o'.ge/_y.O].r3.....~.\|.>..............^.s.}.k...x..K....6....8,O...az.l..V2.....Z.?j}e.P..\|.V...I..v0.....s...L...-./.U.P....^CP..V[...).Ca......}..~.+!c..E.}.....2.............^..j#{n.".....d.}.y.k.b.....E.Ew..x.....}A.+.6ru.R2V.f........+I...*.j ...".......P....cd..].....X....U_p..UY.....7c.V}.}..5.....J......<.....Xu=...Xe_p..=..../8F.g...xDd.........d.....o..Xu.....-

C:\ProgramData\36940701874687339868448405

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.4393511334109407
Encrypted:	false
SSDEEP:	24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
MD5:	8C31C5487A97BBE73711C5E20600C1F6
SHA1:	D4D6B04226D8FFC894749B3963E7DB7068D6D773
SHA-256:	A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
SHA-512:	394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\37246748894066899441523773

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 4, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.47881670276786453
Encrypted:	false
SSDEEP:	96:eVdU+bb3HDsX0ctSOaDN6tOVjN9DLjGQLBE3u:eVK+H3HDi9GN6IVj3XBBE3u
MD5:	C8A54C5A54BC6D813A12E47887D86821
SHA1:	98DDD99BBA14B47B75D4F8A53792221D162483FC
SHA-256:	00E175AD7C78A730A2754729174655A8686A663E878B88564F1D6164746FCF86
SHA-512:	BBC033381816DE6A86F34917F4A13486BE35DE0A4C4FD94EBF1306CDB106331C3417051B4269BA182D6410629513C92EB2700CCF6FDF4CF6415696B15C97ED51
Malicious:	false
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\37541604114145269914839961

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2889923589460437
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
MD5:	7901DD9DF50A993306401B7360977746
SHA1:	E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
SHA-256:	1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
SHA-512:	90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\65386444350250873792918786

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2889923589460437
Encrypted:	false
SSDEEP:	192:Qo1/8dpUXbSzTPJP/6oVuss8Ewn7PrH944:QS/inXrVuss8Ewn7b944
MD5:	7901DD9DF50A993306401B7360977746
SHA1:	E5BA33E47A3A76CC009EC1D63C5D1A810BE40521
SHA-256:	1019C8ADA4DA9DEF665F59DB191CA3A613F954C12813BE5907E1F5CB91C09BE9
SHA-512:	90C785D22D0D7F5DA90D52B14010719A5554BB5A7F0029C3F4E11A97AD72A7A600D846174C7B40D47D24B0995CDBAC21E255EC63AC9C07CF6E106572EA181DD5
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\92681918866753298444543158

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 4, database pages 36, 1st free page 10, free pages 1, cookie 0x29, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	0.47881670276786453
Encrypted:	false
SSDEEP:	96:eVdU+bb3HDsX0ctSOaDN6tOVjN9DLjGQLBE3u:eVK+H3HDi9GN6IVj3XBBE3u
MD5:	C8A54C5A54BC6D813A12E47887D86821
SHA1:	98DDD99BBA14B47B75D4F8A53792221D162483FC
SHA-256:	00E175AD7C78A730A2754729174655A8686A663E878B88564F1D6164746FCF86
SHA-512:	BBC033381816DE6A86F34917F4A13486BE35DE0A4C4FD94EBF1306CDB106331C3417051B4269BA182D6410629513C92EB2700CCF6FDF4CF6415696B15C97ED51
Malicious:	false
Preview:	SQLite format 3......@ .......$...........)......................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TradingView Desktop.exe.log

Download File

Process:	C:\Users\user\Desktop\TradingView Desktop.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.354940450065058
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
MD5:	B10E37251C5B495643F331DB2EEC3394
SHA1:	25A5FFE4C2554C2B9A7C2794C9FE215998871193
SHA-256:	8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
SHA-512:	296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\TradingView[1].msix

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	Zip archive data, at least v4.5 to extract, compression method=store
Category:	dropped
Size (bytes):	102563122
Entropy (8bit):	7.998367986163592
Encrypted:	true
SSDEEP:	1572864:DFeHSLCpIBzb1qJIc1rOvYHjFCRw5FsXOKGnQqOjLokHbj9GrfLVIqPRKBSCsUE:EH9IBfsJIc1rOvY0Rs9Zys2js7haohUE
MD5:	C3FA14996F8843A958F41487CC8B7B45
SHA1:	2407712081269F9F82EE57E7EC3DE37ECF4DE33D
SHA-256:	A2C76D93F02F2DB26B0AEFC1BF6AD0A7FBEBBB9B82E27724F181B27FB087EA7F
SHA-512:	284717AA723A31458785C8968559D0428297C6EB84542E489376C5B9831A6F239566BE4F976111C672DAC6FCC7EC2F77E807672BD3F71B486E71BD7B6B32D7C7
Malicious:	false
Preview:	PK..-.....,qYU................images/MediumTile.png.PNG........IHDR.............<.q.....pHYs.................sRGB.........gAMA......a.....IDATx.....D....H.N...L....T...T.P.N...ptp..t Vc3....O....f4..dY.....................................Ky...E..b.q.c.,.o.-.7e..w..l..T.b......1..k\|.OA.r3?.U...q..e{..T^.....k[.~.f\.C.....C`f....U0.. ?.....w........7..+N.X./..X..r..9....#..[.W.Z......5...X.S...OS...E.......C.......n.q].z......z.S;.....].V7..:m..\|}..m..15V..X..yj..R-7.Y../...JPm#7....j .N..zn'.."./q.....'...7%[.........z~;.\|...q!..8Y...OCQ.2..~...\..\|..d...3.?.r..O./8F`M8.....o'.ge/_y.O].r3.....~.\|.>..............^.s.}.k...x..K....6....8,O...az.l..V2.....Z.?j}e.P..\|.V...I..v0.....s...L...-./.U.P....^CP..V[...).Ca......}..~.+!c..E.}.....2.............^..j#{n.".....d.}.y.k.b.....E.Ew..x.....}A.+.6ru.R2V.f........+I...*.j ...".......P....cd..].....X....U_p..UY.....7c.V}.}..5.....J......<.....Xu=...Xe_p..=..../8F.g...xDd.........d.....o..Xu.....-

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.281319756954796
Encrypted:	false
SSDEEP:	12288:Febf0Th31Trp3TSP6X0HOupypy+66U6KvUJn5CmGreLzGGUsyHLu:Qj0Th31Trp3TSPlff+FQu
MD5:	1E48B22B14F52D042CFD550C8D71C23E
SHA1:	6774BBA22A6D58E0AA796A3529AC077F82920844
SHA-256:	5D440F7C7A294CA42A159EEB357BE1CC8ED3FA8A342EA779F728E57979DDCC9B
SHA-512:	7C18D177779796A70CDC13A839D1CC1E51E19E66D0795E83A5F63D25DD400E709D37D11F3E8F5823D3AB2966A95A5D99D9CAFCAA7F1B0D576660916F0CA6E360
Malicious:	false
Preview:	regf]...]...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm>.6U..................................................................................................................................................................................................................................................................................................................................................<.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.8256345038220765
TrID:	Win64 Executable GUI Net Framework (217006/5) 47.53% Win64 Executable GUI (202006/5) 44.25% Win64 Executable (generic) Net Framework (21505/4) 4.71% Win64 Executable (generic) (12005/4) 2.63% Generic Win/DOS Executable (2004/3) 0.44%
File name:	TradingView Desktop.exe
File size:	404712
MD5:	b91f1d5bf7dfcb98f34ff278ffbaa6fe
SHA1:	3d8b75f608bc44c278bd9323fd1b3153d8775152
SHA256:	2ec0754442f816dab7532fc89c9aa42452fa415b49fa0e7c601ec48877753f23
SHA512:	6c058c2d4566b4aec5c6ddc5b8e30c47bc5be4242bf5e50890ea3a4a5b3e7efd8ff34a6dd542b3b7c932a2507574ab7866a415f1c20a1fc26ac15c73e22758a2
SSDEEP:	12288:++S3+5jXRqTRxK7ilVyptwO5Rczcn7GI:+tK9AhCtw0g
TLSH:	5F84129537F06C00C666AF729D4AA4C817BCD6013D82DBE330A481AD2F937D73D9A59E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...g..c................................. ....@...... ....................... ............`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x639CC767 [Fri Dec 16 19:30:47 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/7/2019 4:00:00 PM 11/16/2022 4:00:00 AM
Subject Chain	CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
Version:	3
Thumbprint MD5:	463BFA4FA69A9E6C4D8813CCFAAF16EE
Thumbprint SHA-1:	A3958AE522F3C54B878B20D7B0F63711E08666B2
Thumbprint SHA-256:	5F2F2840C6E51D17F09334ADA05D9DCDD9AEEB11AF0AE163816757D539ABE3EE
Serial:	06AEA76BAC46A9E8CFE6D29E45AAF033

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x60000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5bc00	0x70e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x568b8	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5b0d4	0x5b200	False	0.9302072616598079	data	7.9085478167644805	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x60000	0x598	0x600	False	0.412109375	data	4.064852487923222	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x600a0	0x30c	data
RT_MANIFEST	0x603ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• TradingView Desktop.exe
• CasPol.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• TradingView Desktop.exe
• CasPol.exe

Click to jump to process

System Behavior

Analysis Process: TradingView Desktop.exePID: 6076, Parent PID: 3320

Function Logs

General

Target ID:	0
Start time:	10:46:32
Start date:	19/12/2022
Path:	C:\Users\user\Desktop\TradingView Desktop.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\TradingView Desktop.exe
Imagebase:	0x1b977980000
File size:	404712 bytes
MD5 hash:	B91F1D5BF7DFCB98F34FF278FFBAA6FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.241276533.000001B9000A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.245381455.000001B910A67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Created

Process Queried

Process Information Set

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Read

Memory Written

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 4972, Parent PID: 6076

Function Logs

General

Target ID:	1
Start time:	10:46:34
Start date:	19/12/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Imagebase:	0x7d0000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.502773888.00000000028D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000000.240444809.0000000000440000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.501898815.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Written

File Read

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Enumerated

Show Windows behavior

COM Activities

WMI Operations

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Queried

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Network Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: TradingView Desktop.exePID: 6076, Parent PID: 3320COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	20.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.8%
Total number of Nodes:	108
Total number of Limit Nodes:	7

Executed Functions

Function 00007FFDC87C46C1 Relevance: 2.0, Strings: 1, Instructions: 786
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00007FFDC87C4D82

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: dc831420b1ecace572bc9dccb6dd0ed3d4ecb334f512b30cd1500229d932b4d4
Instruction ID: aff42b8c7f4522ede5442aa6c5962ce532924d2b88029c5d67cac8be3d67410a
Opcode Fuzzy Hash: dc831420b1ecace572bc9dccb6dd0ed3d4ecb334f512b30cd1500229d932b4d4
Instruction Fuzzy Hash: 6772C474D586298FEBA8DF15C894BE9B7B1FB58305F1041EAD00DA3291DB786AC4CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C33AE Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE ref: 00007FFDC87C34BA

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 20c66686ce77213742527ff3209d62d0d825ae23a5e79e37579df62b550e2e07
Instruction ID: fbf085363ce29acbe811554e0eefadef9ec8ccf0737baa7882c2354181c0e9bd
Opcode Fuzzy Hash: 20c66686ce77213742527ff3209d62d0d825ae23a5e79e37579df62b550e2e07
Instruction Fuzzy Hash: E5516B70D0868C9FDF55DFA8C845AEDBBF1FB56310F14426AD049E7292DB74A845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C67F5 Relevance: 1.9, APIs: 1, Instructions: 381
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FFDC87C6A86

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1d4bd71d74aa17a906e2e338326e1ea2e69dfc5ae8d475515a8cfc40184167d1
Instruction ID: b8a691339718b7ee8fa2e9be0b97047ccc148f00e55fff5027cb6255fdcfe137
Opcode Fuzzy Hash: 1d4bd71d74aa17a906e2e338326e1ea2e69dfc5ae8d475515a8cfc40184167d1
Instruction Fuzzy Hash: 31C1F570908A5D8FDB98DF58C894BE9BBF1EB69301F1011AED40EE3291DB75A984CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C2683 Relevance: 1.8, APIs: 1, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f3b353372ec80fe7f987472deaff46088e63aef2894b38b1b29b4a23e348cf
Instruction ID: d1793603be97fc99ce23e1b2557e3e90a511c5b63358a243913d271dacc47a3a
Opcode Fuzzy Hash: 52f3b353372ec80fe7f987472deaff46088e63aef2894b38b1b29b4a23e348cf
Instruction Fuzzy Hash: 43A1E671A0D6885FEF55CF289854BE8BFB0EB5A310F1841AED09DD7293DA24AC45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C717D Relevance: 1.7, APIs: 1, Instructions: 212
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FFDC87C72EE

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a07acf208ee11b9f97006d388cd8d3cb7ee6f63b4dbde54c76b655311868eb9c
Instruction ID: 36ca70d71db30ac0a5905604bd33189cabb322c1c7016798c7da0ff84beefc8b
Opcode Fuzzy Hash: a07acf208ee11b9f97006d388cd8d3cb7ee6f63b4dbde54c76b655311868eb9c
Instruction Fuzzy Hash: 43612270908A5C8FDB98DF58C894BE9BBF1FB6A310F1041AED04DE3291DB74A985CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C2760 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075d878796bc25c938bcaa6faad01af6b95b1bd0809fab3a7d442e08e238cf11
Instruction ID: eb085e8d5b76708ee0dc1fe3df5bbfff924a66ba20927e21e0f3ce538aeeb989
Opcode Fuzzy Hash: 075d878796bc25c938bcaa6faad01af6b95b1bd0809fab3a7d442e08e238cf11
Instruction Fuzzy Hash: D1616B7090DA8C8FDF94DF58C894BE9BBB1FB69310F1441AED04DE7292DA34A985CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C2770 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e657a9cdf30634c5fe42dabc515b2392bda67a1928ff1f05d7d4135302437a3
Instruction ID: 30b00270b49b9ceec6078b881042cc713d3aab2bff48ada8edcf1b7521c08c29
Opcode Fuzzy Hash: 1e657a9cdf30634c5fe42dabc515b2392bda67a1928ff1f05d7d4135302437a3
Instruction Fuzzy Hash: E0515A70908A4C8FDF98DF58C894BE9BBB1FB69310F1441AED04DE7292DA74A985CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C27CA Relevance: 1.7, APIs: 1, Instructions: 200
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FFDC87C72EE

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 04db5f524a484d4c07a1613f7f9ab98352f656228ebdf04a08dbabb431da9d8a
Instruction ID: 826f944c0ebfbf4400b383d32bf7b4f82781df4efed4d9ba1389d493687d385c
Opcode Fuzzy Hash: 04db5f524a484d4c07a1613f7f9ab98352f656228ebdf04a08dbabb431da9d8a
Instruction Fuzzy Hash: D851D070908A1C8FDB98DF58C894BE9BBF1FB69311F1041AED04EE3251DB74A985CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C2780 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da713c56555f36c30e85949919e39601db040f9bbb6485a5368aaf167d5fa4d9
Instruction ID: ecc57266bd2a6de846ffd5b4bb4c00fb5584c88f16036e1180a10e780193a3aa
Opcode Fuzzy Hash: da713c56555f36c30e85949919e39601db040f9bbb6485a5368aaf167d5fa4d9
Instruction Fuzzy Hash: 1D514770908A4C8FDF98DF58C894BE9BBF1FB69310F1081AED04DE7252DA74A985CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C6E25 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE ref: 00007FFDC87C6F69

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2820867f6760d2cab3ca9af7dd2d3540c8c2eee4b09bae920bc39521e6ca09c5
Instruction ID: af61e7f1c4c72081fec88833bafbe1ccc0693fb6e807c7d719bd80eea0bc20ea
Opcode Fuzzy Hash: 2820867f6760d2cab3ca9af7dd2d3540c8c2eee4b09bae920bc39521e6ca09c5
Instruction Fuzzy Hash: 71512470908A4C8FDF98DF58C894BE9BBF0FB6A310F1041AED04DE3291DA74A985CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C2790 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4720d87d9b6720c1d2ec63d5aa9bba008beb79478f87dcdc99c75d23bc1ad0dc
Instruction ID: dbea8535584a125f3485967e992eb05eee752ff98ddb06cbe94916ff77663550
Opcode Fuzzy Hash: 4720d87d9b6720c1d2ec63d5aa9bba008beb79478f87dcdc99c75d23bc1ad0dc
Instruction Fuzzy Hash: 5D512570908A4C8FDF98DF58C894BE9BBB1FB69310F1091AED04DE7252DA74A985CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C27A0 Relevance: 1.7, APIs: 1, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605e314c6febce4a1eba0425ef0072ac9de1872f69d6d31bdb90ef4564ded22e
Instruction ID: d8343097c8372fa5a1d47c2451dc25fd390feb7fab1b514aea78ab77145c6d4e
Opcode Fuzzy Hash: 605e314c6febce4a1eba0425ef0072ac9de1872f69d6d31bdb90ef4564ded22e
Instruction Fuzzy Hash: 98511370908A4C8FDF98DF58C884BE9BBF1FB69310F1091AED44DE3252DA74A985CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C6FDD Relevance: 1.7, APIs: 1, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FFDC87C7113

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0c8e48cdcd660c779c6da5a91f9d2f8c412e71d034f77130bebbe95383a56711
Instruction ID: 5758dfc346c65bb307b6014a5a1975c71bdbd16ae859d6fe12e46ae67d0f9c3d
Opcode Fuzzy Hash: 0c8e48cdcd660c779c6da5a91f9d2f8c412e71d034f77130bebbe95383a56711
Instruction Fuzzy Hash: FB512430908A4C8FDF98DF58C894BE9BBB1FB6A314F1051AED44DE7251DA34A885CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C393E Relevance: 1.7, APIs: 1, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32 ref: 00007FFDC87C3A57

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 8b7f6d35a97e12395808a46489b63ef5fc1728d59e1bfe305496cb4fc3c7525b
Instruction ID: 448bc82a9cbc23b6bbe20ef2b959eb207cff9eb7002e1d9dcdea65fed0ac7697
Opcode Fuzzy Hash: 8b7f6d35a97e12395808a46489b63ef5fc1728d59e1bfe305496cb4fc3c7525b
Instruction Fuzzy Hash: 5D515A30D0864D8FDB59DFA8C855BEDBBB0FB5A311F10426ED049E72A2DB74A885CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C27EA Relevance: 1.7, APIs: 1, Instructions: 167
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FFDC87C7113

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6e0416747191b8902b388c33ffbbf44667108af1c58d5048bd5471b06ac770fe
Instruction ID: 6654f7f72de14ae43a85652581c21cc58aebca61abd691202ba84c40ea3faf59
Opcode Fuzzy Hash: 6e0416747191b8902b388c33ffbbf44667108af1c58d5048bd5471b06ac770fe
Instruction Fuzzy Hash: 6851E230918A4C8FDF98DF58C854BE9BBB1FB6A305F1091AE904EE3251DA30A985CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C6CBB Relevance: 1.7, APIs: 1, Instructions: 152threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32 ref: 00007FFDC87C6DBE

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9792db9bf4f840ade6a3ad8d2455aaf96f6f34efb6e2bf60c3e4e9072a7301c9
Instruction ID: f30be85102fe403703d4226f22d3eddff49daa22ec43de54d859bd430c9329bf
Opcode Fuzzy Hash: 9792db9bf4f840ade6a3ad8d2455aaf96f6f34efb6e2bf60c3e4e9072a7301c9
Instruction Fuzzy Hash: F5410570D08A4D8FDB94DF99C884BE9BBF1FBA9311F10826AD008E3255CB749985CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C3521 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00007FFDC87C3602

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 669c8af6b879a129958d28faffbd1c379b4cc035ef48ecd464c6a9611dade399
Instruction ID: 6fb4034b72bc1ad7a45112f704699d3810d907d292a381bb6e2d27e4f4f51fe4
Opcode Fuzzy Hash: 669c8af6b879a129958d28faffbd1c379b4cc035ef48ecd464c6a9611dade399
Instruction Fuzzy Hash: F4412930E0864C8FDF99DFA8D894BA9BBF0FB5A310F14516ED049E7292DA709885CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C7369 Relevance: 1.6, APIs: 1, Instructions: 136threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00007FFDC87C7439

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 02409fd7e39f5163166968824c3cb89e6f0526b9c95eab27e162edfadd3b22ef
Instruction ID: aa364361eaa5c5ad2a0823e7f753c23ff82114b8e7e17c3a7a4edf5edaab6dc4
Opcode Fuzzy Hash: 02409fd7e39f5163166968824c3cb89e6f0526b9c95eab27e162edfadd3b22ef
Instruction Fuzzy Hash: B2416C30908A8C8FDF59DF98C894AA9BBB0FF56310F1441AED049D7292DA74A845CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFDC87C27FA Relevance: 1.6, APIs: 1, Instructions: 122threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00007FFDC87C7439

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 31e103deb37d2a72e93f2f6ea454b34012ba3f1c9d69f1c31b985046707eb36f
Instruction ID: ab4cd971414b528f41b5bfbae0b55500d6ebe849216e05e65535fa97783ce4d5
Opcode Fuzzy Hash: 31e103deb37d2a72e93f2f6ea454b34012ba3f1c9d69f1c31b985046707eb36f
Instruction Fuzzy Hash: ED410570E08A4C8FDF98DF98D885AADBBB0EB5A310F10416ED04AE7251DA74A885CF55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFDC87C3AC9 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246741874.00007FFDC87C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC87C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffdc87c0000_TradingView Desktop.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adfd07670c1835aa494591c2e1c2f43ead9ed7170ed3f00a7fce605925e08753
Instruction ID: 20ffa29a010ef2d0df2488c577d4f484fdaf8a4cea8ae7f498caf7c3988793b7
Opcode Fuzzy Hash: adfd07670c1835aa494591c2e1c2f43ead9ed7170ed3f00a7fce605925e08753
Instruction Fuzzy Hash: 2F311974E08A4D9FCF85DF58C890AADBBF1FB6A300F2011AAD019E7291DA75A941CB44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 4972, Parent PID: 6076COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	522
Total number of Limit Nodes:	66

Executed Functions

Function 6092A5DC Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 27%

			E6092A5DC(struct _SYSTEM_INFO* __edi) {
				void* _v8;
				intOrPtr _v24;
				void* _t17;
				void** _t19;

				memset(0x6097a408, 0, 9 << 2);
				_t19 = _t17 - 0x14 + 0xc;
				 *_t19 = 0x6097a408; // executed
				GetSystemInfo(__edi); // executed
				_push(0x6097a411);
				_v24 = 1;
				 *_t19 = 0x6096ef48;
				E6092A570();
				_v24 = 0;
				 *_t19 = 0x6096eef0;
				E6092A570();
				return 0;
			}

0x6092a5f1
0x6092a5f1
0x6092a5f3
0x6092a5f6
0x6092a5fc
0x6092a5fd
0x6092a605
0x6092a60c
0x6092a611
0x6092a619
0x6092a620
0x6092a62b

APIs

GetSystemInfo.KERNEL32(?,?,6097A2E8,?,6091275D,?,?,?,?,?,?,?,?,?,?,?), ref: 6092A5F6

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 63726090d7b0519ca0a120f46f43292c87a1ee72c259e0a55b20b3664a698629
Instruction ID: b1e9506a56663f34e76f9e23b8a38a5dae6981f4cb6c44d2ddb8744b9393cca7
Opcode Fuzzy Hash: 63726090d7b0519ca0a120f46f43292c87a1ee72c259e0a55b20b3664a698629
Instruction Fuzzy Hash: 5EE01A711283449BE710AF68D90A72FBAE6AFE1708F11886CE18497291EBB6D8419753

Uniqueness

Uniqueness Score: -1.00%

Function 60939559 Relevance: 9.4, APIs: 4, Strings: 2, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E60939559(signed int __eax, intOrPtr __edx) {
				char _v32;
				char _v36;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				char _v61;
				signed int _v68;
				intOrPtr _v72;
				signed int _v76;
				char* _v80;
				intOrPtr _v84;
				char* _v88;
				intOrPtr _t195;
				signed char _t202;
				signed int _t204;
				signed int _t206;
				intOrPtr _t207;
				char _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t226;
				signed int _t231;
				intOrPtr _t232;
				signed int _t236;
				intOrPtr _t239;
				signed int _t244;
				signed int _t248;
				signed int _t250;
				signed int _t254;
				short _t262;
				intOrPtr _t267;
				intOrPtr _t284;
				signed int _t286;
				intOrPtr* _t290;
				intOrPtr _t291;
				intOrPtr* _t294;
				intOrPtr _t298;
				char _t302;
				signed int _t305;
				signed int _t317;
				signed int _t326;
				intOrPtr* _t343;
				signed int _t344;
				intOrPtr _t345;
				intOrPtr _t346;
				signed int _t349;
				signed int _t355;
				intOrPtr _t356;
				intOrPtr* _t357;
				void* _t380;

				_v48 = __eax;
				_v60 = __edx;
				_t294 =  *((intOrPtr*)(__eax + 4));
				E60904396(__eax);
				_t195 =  *((intOrPtr*)(_v48 + 8));
				_t344 = 0;
				if(_t195 == 2 || _v60 == 0 && _t195 == 1) {
					L93:
					if(_t344 == 0 && _v60 != 0) {
						_t344 = E6090B7DC( *_t294,  *((intOrPtr*)( *_v48 + 0x1e8)));
					}
					E60904423(_v48);
					return _t344;
				} else {
					_t202 =  *(_t294 + 0x16) & 0x0000ffff;
					_t9 =  &_v61;
					 *_t9 = _v60 != 0;
					if( *_t9 == 0) {
						L6:
						if((_t202 & 0x00000040) == 0) {
							if(_v60 <= 1) {
								L16:
								_t204 = E609044B6(_v48, 1, 1);
								_t344 = _t204;
								if(_t204 != 0) {
									goto L93;
								}
								_t206 =  *(_t294 + 0x16) & 0xfffffff7;
								 *(_t294 + 0x16) = _t206;
								if( *((intOrPtr*)(_t294 + 0x2c)) == 0) {
									 *(_t294 + 0x16) = _t206 | 0x00000008;
								}
								_t355 = 0;
								_v72 = _t294 + 0x20;
								do {
									while( *((intOrPtr*)(_t294 + 0xc)) == 0) {
										_t248 = E6092BFAF( *_t294); // executed
										_t355 = _t248;
										if(_t248 != 0) {
											break;
										}
										 *_t357 = 0;
										_t250 = E6092D249(_t294,  &_v32, 1); // executed
										_t355 = _t250;
										if(_t250 != 0) {
											break;
										}
										_t346 =  *((intOrPtr*)(_v32 + 0x38));
										_v52 = E60902C12(_t346 + 0x1c);
										_t254 =  *_t294;
										_v56 = _t254;
										_v68 =  *((intOrPtr*)(_t254 + 0x18));
										if(_v52 == 0) {
											_v52 = _v68;
										} else {
											_t254 = _t346 + 0x18;
											_v84 = 4;
											_v88 = _t346 + 0x5c;
											 *_t357 = _t254;
											L6096DBF8();
											if(_t254 != 0) {
												_t254 = _v68;
												_v52 = _t254;
											}
										}
										if(_v52 <= 0) {
											L50:
											_t302 = ( *((intOrPtr*)(_t294 + 0x24)) + 0x3fffff4 << 6) / 0xff - 0x17;
											 *((short*)(_t294 + 0x18)) = _t302;
											_t349 =  *((intOrPtr*)(_t294 + 0x24)) + 0x7fffff4 << 5;
											_v56 = _t349;
											_v68 = _t349 / 0xff;
											_t262 = _v68 - 0x17;
											 *((short*)(_t294 + 0x1a)) = _t262;
											 *((short*)(_t294 + 0x1c)) =  *((intOrPtr*)(_t294 + 0x24)) - 0x23;
											 *((short*)(_t294 + 0x1e)) = _t262;
											if(_t302 <= 0x7f) {
												 *((char*)(_t294 + 0x15)) = _t302;
											} else {
												 *((char*)(_t294 + 0x15)) = 0x7f;
											}
											 *((intOrPtr*)(_t294 + 0xc)) = _v32;
											 *((intOrPtr*)(_t294 + 0x2c)) = _v52;
											continue;
										} else {
											_v84 = 0x10;
											_v88 = "SQLite format 3";
											 *_t357 = _t346;
											L6096DBF8();
											if(_t254 != 0) {
												L54:
												_t326 = 0x1a;
												L55:
												_v76 = _t326;
												E6092CBEE(_v32);
												 *((intOrPtr*)(_t294 + 0xc)) = 0;
												_t355 = _v76;
												break;
											}
											if( *((char*)(_t346 + 0x12)) > 2) {
												 *(_t294 + 0x16) =  *(_t294 + 0x16) | 0x00000001;
											}
											_t326 = 0x1a;
											_t380 =  *((char*)(_t346 + 0x13)) - 2;
											if(_t380 > 0) {
												goto L55;
											} else {
												if(_t380 != 0 || ( *(_t294 + 0x16) & 0x00000010) != 0) {
													L38:
													_t267 = _t346 + 0x15;
													_v84 = 3;
													_v88 = "@  ";
													 *_t357 = _t267;
													L6096DBF8();
													_t326 = 0x1a;
													if(_t267 != 0) {
														goto L55;
													}
													_t305 = ( *(_t346 + 0x11) & 0x000000ff) << 0x00000010 | ( *(_t346 + 0x10) & 0x000000ff) << 0x00000008;
													if((_t305 - 0x00000001 & _t305) != 0 || _t305 > 0x10000) {
														goto L54;
													} else {
														if(_t305 <= 0x100) {
															goto L55;
														}
														_t329 = _t305 - ( *(_t346 + 0x14) & 0x000000ff);
														_v56 = _t305 - ( *(_t346 + 0x14) & 0x000000ff);
														if(_t305 ==  *(_t294 + 0x20)) {
															if(( *( *((intOrPtr*)(_t294 + 4)) + 0x1a) & 0x00000001) != 0 || _v52 <= _v68) {
																_t326 = 0x1a;
																if(_v56 <= 0x1df) {
																	goto L55;
																}
																 *(_t294 + 0x20) = _t305;
																 *((intOrPtr*)(_t294 + 0x24)) = _v56;
																 *((char*)(_t294 + 0x11)) = E60902C12(_t346 + 0x34) != 0;
																 *((char*)(_t294 + 0x12)) = E60902C12(_t346 + 0x40) != 0;
																goto L50;
															} else {
																_v80 =  &M6096F114;
																_v84 = 0xd03a;
																_v88 = "database corruption at line %d of [%.10s]";
																 *_t357 = 0xb;
																E60923A49();
																_t326 = 0xb;
																goto L55;
															}
														}
														_v76 = _t305;
														E6092CBEE(_v32);
														 *((intOrPtr*)(_t294 + 0x24)) = _v56;
														 *(_t294 + 0x20) = _v76;
														E6090364E( *((intOrPtr*)(_t294 + 0x50)), _t329);
														 *((intOrPtr*)(_t294 + 0x50)) = 0;
														_t284 = E6090B1C0( *_t294, _v76 - _v56, _v72);
														_t355 = _t284;
														if(_t284 == 0) {
															continue;
														}
														break;
													}
												} else {
													_v36 = 0;
													_t286 = E6090AC2A(_v56);
													_t326 = _t286;
													if(_t286 != 0) {
														goto L55;
													}
													if(_v36 != 0) {
														goto L38;
													}
													E6092CBEE(_v32);
													continue;
												}
											}
										}
									}
									if(_t355 != 0 || _v61 == 0) {
										L75:
										if(_t355 == 0) {
											goto L77;
										}
										goto L76;
									} else {
										_t355 = 8;
										if(( *(_t294 + 0x16) & 0x00000001) != 0) {
											L76:
											E6092CC03(_t294);
											L77:
											_t207 = _t355;
											if(_t207 != 5 ||  *((char*)(_t294 + 0x14)) != 0) {
												break;
											} else {
												goto L79;
											}
										}
										_t319 = _v48;
										_t226 =  *((intOrPtr*)( *_v48 + 0x3f));
										_t345 =  *_t294;
										_t355 =  *((intOrPtr*)(_t345 + 0x28));
										if(_t355 != 0) {
											goto L76;
										}
										 *((char*)(_t345 + 0x14)) = _t226 == 2;
										if( *((char*)(_t345 + 0xf)) != 1) {
											L97:
											_t355 = E60939318(_t294);
											goto L75;
										}
										_t229 =  *((intOrPtr*)(_t345 + 0xd0));
										if( *((intOrPtr*)(_t345 + 0xd0)) == 0) {
											_t231 = E60903CB5(_t345, 2);
											_t355 = _t231;
											if(_t231 == 0 && _v60 > 1) {
												_t355 = E60903F18(_t345, 4);
											}
											if(_t355 != 0) {
												goto L76;
											} else {
												L74:
												 *((char*)(_t345 + 0xf)) = 2;
												_t232 =  *((intOrPtr*)(_t345 + 0x18));
												 *((intOrPtr*)(_t345 + 0x24)) = _t232;
												 *((intOrPtr*)(_t345 + 0x20)) = _t232;
												 *((intOrPtr*)(_t345 + 0x1c)) = _t232;
												 *((intOrPtr*)(_t345 + 0x48)) = 0;
												 *((intOrPtr*)(_t345 + 0x4c)) = 0;
												goto L97;
											}
										}
										if( *((char*)(_t345 + 4)) == 0 || E6090433E(_t229, _t319 | 0xffffffff) == 0) {
											L66:
											_t298 =  *((intOrPtr*)(_t345 + 0xd0));
											_v52 = _t298;
											_t355 = 8;
											if( *((char*)(_t298 + 0x2e)) != 0) {
												goto L76;
											}
											_t236 = E60904167(_v52, 1, 0);
											_t355 = _t236;
											if(_t236 != 0) {
												goto L76;
											}
											 *((char*)(_v52 + 0x2c)) = 1;
											_t239 = _v52 + 0x34;
											_v84 = 0x30;
											_v88 =  *( *(_v52 + 0x20));
											 *_t357 = _t239;
											L6096DBF8();
											if(_t239 == 0) {
												goto L74;
											}
											E60904199(_v52, 1, 0);
											 *((char*)(_v52 + 0x2c)) = 0;
											_t355 = 0x205;
											goto L76;
										} else {
											_t244 = E60903CB5(_t345, 4);
											_t355 = _t244;
											if(_t244 != 0) {
												goto L76;
											}
											E6090433E( *((intOrPtr*)(_t345 + 0xd0)), 1);
											goto L66;
										}
									}
									L79:
									 *_t357 = _t294;
									_t207 = E60904757();
								} while (_t207 != 0);
								_t344 = _t355;
								if(_t355 != 0) {
									_t344 = _t355;
								} else {
									_t317 = _v48;
									if( *((char*)(_t317 + 8)) == 0) {
										 *((intOrPtr*)(_t294 + 0x28)) =  *((intOrPtr*)(_t294 + 0x28)) + 1;
										if( *((char*)(_t317 + 9)) != 0) {
											 *((char*)(_t317 + 0x24)) = 1;
											 *((intOrPtr*)(_t317 + 0x28)) =  *((intOrPtr*)(_t294 + 0x48));
											_t207 = _t317 + 0x1c;
											 *((intOrPtr*)(_t294 + 0x48)) = _t207;
										}
									}
									asm("sbb eax, eax");
									_t208 = _t207 + 2;
									 *((char*)(_v48 + 8)) = _t208;
									if(_t208 >  *((intOrPtr*)(_t294 + 0x14))) {
										 *((char*)(_t294 + 0x14)) = _t208;
									}
									if(_v61 != 0) {
										_t356 =  *((intOrPtr*)(_t294 + 0xc));
										 *((intOrPtr*)(_t294 + 0x4c)) = _v48;
										_t211 =  *(_t294 + 0x16) & 0xffffffdf;
										 *(_t294 + 0x16) = _t211;
										if(_v60 > 1) {
											 *(_t294 + 0x16) = _t211 | 0x00000020;
										}
										if( *((intOrPtr*)(_t294 + 0x2c)) != E60902C12( *((intOrPtr*)(_t356 + 0x38)) + 0x1c)) {
											_t216 = E6092B45F( *((intOrPtr*)(_t356 + 0x44)));
											_t344 = _t216;
											if(_t216 == 0) {
												E60902C37( *((intOrPtr*)(_t356 + 0x38)) + 0x1c,  *((intOrPtr*)(_t294 + 0x2c)));
											}
										}
									}
								}
								goto L93;
							} else {
								_t290 =  *((intOrPtr*)(_t294 + 0x48));
								while(_t290 != 0) {
									_t343 =  *_t290;
									if(_t343 == _v48) {
										_t290 =  *((intOrPtr*)(_t290 + 0xc));
										continue;
									} else {
										_t291 =  *_t343;
										L15:
										_t344 = 0x106;
										if(_t291 != 0) {
											goto L93;
										}
										goto L16;
									}
								}
								goto L16;
							}
						}
						L7:
						_t291 =  *((intOrPtr*)( *((intOrPtr*)(_t294 + 0x4c))));
						goto L15;
					}
					_t344 = 8;
					if((_t202 & 0x00000001) != 0) {
						goto L93;
					}
					if( *((char*)(_t294 + 0x14)) == 2) {
						goto L7;
					}
					goto L6;
				}
			}

0x60939562
0x60939565
0x60939568
0x6093956b
0x60939573
0x60939576
0x6093957a
0x60939aee
0x60939af0
0x60939b0a
0x60939b0a
0x60939b0f
0x60939b1d
0x6093958e
0x6093958e
0x60939596
0x60939596
0x6093959a
0x609395af
0x609395b1
0x609395be
0x609395e6
0x609395f3
0x609395f8
0x609395fc
0x00000000
0x00000000
0x60939606
0x60939609
0x60939611
0x60939616
0x60939616
0x6093961a
0x6093961f
0x60939622
0x60939622
0x6093962e
0x60939633
0x60939637
0x00000000
0x00000000
0x6093963d
0x6093964e
0x60939653
0x60939657
0x00000000
0x00000000
0x60939660
0x6093966b
0x6093966e
0x60939670
0x60939676
0x6093967d
0x609396a2
0x6093967f
0x6093967f
0x60939685
0x6093968d
0x60939691
0x60939694
0x6093969b
0x609396a7
0x609396aa
0x609396aa
0x6093969b
0x609396b1
0x6093984d
0x60939861
0x60939864
0x60939871
0x60939874
0x60939882
0x60939888
0x6093988b
0x60939895
0x60939899
0x609398a1
0x609398a9
0x609398a3
0x609398a3
0x609398a3
0x609398af
0x609398b5
0x00000000
0x609396b7
0x609396b7
0x609396bf
0x609396c7
0x609396ca
0x609396d1
0x609398bd
0x609398bd
0x609398c2
0x609398c5
0x609398c8
0x609398cd
0x609398d7
0x00000000
0x609398d7
0x609396db
0x609396dd
0x609396dd
0x609396e2
0x609396e7
0x609396eb
0x00000000
0x609396f1
0x609396f1
0x60939728
0x60939728
0x6093972b
0x60939733
0x6093973b
0x6093973e
0x60939743
0x6093974a
0x00000000
0x00000000
0x6093975e
0x60939765
0x00000000
0x60939777
0x6093977d
0x00000000
0x00000000
0x60939789
0x6093978b
0x60939791
0x609397de
0x60939816
0x60939822
0x00000000
0x00000000
0x60939828
0x6093982e
0x6093983b
0x60939849
0x00000000
0x609397e8
0x609397e8
0x609397f0
0x609397f8
0x60939800
0x60939807
0x6093980c
0x00000000
0x6093980c
0x609397de
0x60939796
0x60939799
0x609397a1
0x609397a7
0x609397ad
0x609397b2
0x609397c3
0x609397c8
0x609397cc
0x00000000
0x00000000
0x00000000
0x609397d2
0x609396f9
0x609396f9
0x60939706
0x6093970b
0x6093970f
0x00000000
0x00000000
0x60939719
0x00000000
0x00000000
0x6093971e
0x00000000
0x6093971e
0x609396f1
0x609396eb
0x609396b1
0x609398db
0x60939a2b
0x60939a2d
0x00000000
0x00000000
0x00000000
0x609398eb
0x609398eb
0x609398f3
0x60939a2f
0x60939a31
0x60939a36
0x60939a36
0x60939a3a
0x00000000
0x00000000
0x00000000
0x00000000
0x60939a3a
0x609398f9
0x609398fe
0x60939901
0x60939903
0x60939908
0x00000000
0x00000000
0x60939910
0x60939918
0x60939b1e
0x60939b25
0x00000000
0x60939b25
0x6093991e
0x60939926
0x609399e5
0x609399ea
0x609399ee
0x60939a02
0x60939a02
0x60939a06
0x00000000
0x60939a08
0x60939a08
0x60939a08
0x60939a0c
0x60939a0f
0x60939a12
0x60939a15
0x60939a18
0x60939a1f
0x00000000
0x60939a1f
0x60939a06
0x60939930
0x60939964
0x60939964
0x6093996a
0x6093996d
0x60939976
0x00000000
0x00000000
0x60939986
0x6093998b
0x6093998f
0x00000000
0x00000000
0x60939998
0x6093999f
0x609399aa
0x609399b2
0x609399b6
0x609399b9
0x609399c0
0x00000000
0x00000000
0x609399cc
0x609399d4
0x609399d8
0x00000000
0x6093993e
0x60939945
0x6093994a
0x6093994e
0x00000000
0x00000000
0x6093995f
0x00000000
0x6093995f
0x60939930
0x60939a42
0x60939a42
0x60939a45
0x60939a4a
0x60939a52
0x60939a56
0x60939aec
0x60939a5c
0x60939a5c
0x60939a63
0x60939a65
0x60939a6c
0x60939a6e
0x60939a75
0x60939a7a
0x60939a7d
0x60939a7d
0x60939a6c
0x60939a84
0x60939a86
0x60939a8c
0x60939a92
0x60939a94
0x60939a94
0x60939a9b
0x60939a9d
0x60939aa3
0x60939aaa
0x60939aad
0x60939ab5
0x60939aba
0x60939aba
0x60939acc
0x60939ad1
0x60939ad6
0x60939ada
0x60939ae5
0x60939ae5
0x60939ada
0x60939acc
0x60939a9b
0x00000000
0x609395c0
0x609395c0
0x609395d3
0x609395c5
0x609395ca
0x609395d0
0x00000000
0x609395cc
0x609395cc
0x609395d9
0x609395d9
0x609395e0
0x00000000
0x00000000
0x00000000
0x609395e0
0x609395ca
0x00000000
0x609395d3
0x609395be
0x609395b3
0x609395b6
0x00000000
0x609395b6
0x6093959c
0x609395a3
0x00000000
0x00000000
0x609395ad
0x00000000
0x00000000
0x00000000
0x609395ad

APIs

memcmp.MSVCRT ref: 60939694
memcmp.MSVCRT ref: 609396CA
memcmp.MSVCRT ref: 6093973E
memcmp.MSVCRT ref: 609399B9

Strings

0, xrefs: 609399AA
SQLite format 3, xrefs: 609396BF

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID: memcmp
String ID: 0$SQLite format 3
API String ID: 1475443563-3388949527
Opcode ID: 9f601aa4dab91157ce530ec4b4ece18d86d4909af750a772241c0dd8f9c91961
Instruction ID: d3cc03899c2fb96d27ccc41cf7ad58ff30b38a29db2c3208110d6cb2c70dce50
Opcode Fuzzy Hash: 9f601aa4dab91157ce530ec4b4ece18d86d4909af750a772241c0dd8f9c91961
Instruction Fuzzy Hash: A3028BB0A082659BDB09CF68D48178ABBF7FFA5308F148269E8459B345DB74DC85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6092E279 Relevance: 6.7, APIs: 2, Strings: 2, Instructions: 705
stringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E6092E279(int __eax, intOrPtr __ecx, void* __edx, int* _a4, signed int _a8, signed int _a12) {
				char _v32;
				signed int _v36;
				char _v72;
				char _v84;
				signed int _v116;
				signed char _v119;
				signed char _v120;
				void _v136;
				signed int _v144;
				signed int _v148;
				void* _v152;
				int _v156;
				void* _v160;
				int _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				void* _v176;
				int _v180;
				int _v184;
				signed int _v188;
				void* _v192;
				void* _v196;
				void* _v200;
				signed int* _v236;
				void* _v240;
				void* _v244;
				void* _v248;
				intOrPtr* _t361;
				signed int _t364;
				intOrPtr _t369;
				void* _t377;
				intOrPtr _t379;
				intOrPtr _t380;
				intOrPtr _t381;
				void* _t382;
				signed int _t385;
				signed int _t404;
				signed int _t406;
				intOrPtr _t420;
				intOrPtr _t424;
				intOrPtr _t427;
				signed int _t434;
				signed int _t445;
				intOrPtr _t449;
				void* _t460;
				intOrPtr* _t463;
				void* _t474;
				char* _t480;
				void* _t492;
				void* _t495;
				signed int _t496;
				void* _t498;
				void* _t501;
				int _t504;
				signed int _t509;
				signed int _t524;
				void* _t526;
				int _t527;
				void* _t532;
				void* _t535;
				char* _t537;
				void* _t538;
				void* _t543;
				intOrPtr _t561;
				intOrPtr _t565;
				signed int _t566;
				intOrPtr _t571;
				intOrPtr _t572;
				void* _t573;
				void* _t586;
				void* _t588;
				void* _t589;
				void* _t596;
				void* _t597;
				signed int _t598;
				void* _t602;
				intOrPtr* _t608;
				signed int _t616;
				signed int _t619;
				intOrPtr _t620;
				void* _t621;
				intOrPtr _t622;
				signed int _t623;
				void* _t629;
				intOrPtr _t632;
				signed int _t636;
				signed int _t641;
				signed int _t642;
				intOrPtr* _t659;
				signed int _t661;
				signed int _t665;
				signed int _t670;
				intOrPtr* _t672;
				signed int _t677;
				void* _t678;
				void* _t685;
				void* _t688;
				intOrPtr* _t689;
				void** _t691;
				void** _t692;
				void** _t693;

				_v156 = __eax;
				_v160 = __edx;
				_v172 = __ecx;
				if(__edx == 0) {
					_t524 = 1;
					L5:
					if( *((char*)(_v172 + 0x3f)) == 2) {
						_t524 = 1;
						L9:
						_a8 = _a8 | 0x00000002;
						_v188 = 1;
						L10:
						if((_a12 & 0x00000100) != 0 && (_v188 | _t524) != 0) {
							_a12 = _a12 & 0xfffffcff;
							_a12 = _a12 | 0x00000200;
						}
						_t361 = E6090AAAC(0x2c);
						_v152 = _t361;
						_t665 = 7;
						if(_t361 == 0) {
							L132:
							return _t665;
						} else {
							 *((char*)(_t361 + 8)) = 0;
							 *_t361 = _v172;
							 *((intOrPtr*)(_t361 + 0x1c)) = _t361;
							 *(_t361 + 0x20) = 1;
							_v184 = 0;
							if(_t524 != 0 || _v188 != 0 && (_a12 & 0x00000040) == 0) {
								L37:
								_t364 = E6090AAAC(0x54);
								_v144 = _t364;
								if(_t364 == 0) {
									_t665 = 7;
									L127:
									 *_t691 = _v144;
									E60901C61();
									 *_t691 = _v152;
									E60901C61();
									 *_a4 = 0;
									goto L130;
								}
								_v32 = 0x400;
								_t369 =  *((intOrPtr*)(_v156 + 4));
								_t636 = 0x28;
								if(_t369 > 0x28) {
									_t636 = _t369 + 0x00000007 & 0xfffffff8;
								}
								 *_v144 = 0;
								if((_a8 & 0x00000002) == 0) {
									if(_v160 == 0) {
										_v192 = 0;
										_v180 = 0;
										goto L59;
									}
									_v180 = 0;
									goto L47;
								} else {
									if(_v160 == 0) {
										_v148 = 0;
										_t596 = 0;
										L135:
										_v180 = 1;
										_v192 = 0;
										_v164 = 0;
										_v176 = 0;
										L60:
										_v200 = _t596;
										_t377 = E6090AAAC(( *((intOrPtr*)(_v156 + 4)) + 0x00000007 & 0xfffffff8) + 0x119 + _t636 * 2 + _v148 * 2 + _v148 + _v164);
										_t526 = _t377;
										_t597 = _v200;
										if(_t377 != 0) {
											 *(_t526 + 0xcc) = _t377 + 0xd8;
											_t151 = _t526 + 0x108; // 0x108
											_t379 = _t151;
											 *((intOrPtr*)(_t526 + 0x3c)) = _t379;
											_t553 =  *((intOrPtr*)(_v156 + 4)) + 0x00000007 & 0xfffffff8;
											_t380 = _t379 + ( *((intOrPtr*)(_v156 + 4)) + 0x00000007 & 0xfffffff8);
											 *((intOrPtr*)(_t526 + 0x44)) = _t380;
											_t381 = _t380 + _t636;
											 *((intOrPtr*)(_t526 + 0x40)) = _t381;
											_t382 = _t381 + _t636;
											_v196 = _t382;
											 *((intOrPtr*)(_t526 + 0xa8)) = _t382;
											if(_t597 != 0) {
												_t162 = _v164 + 1; // 0x1
												 *(_t526 + 0xac) = _v148 + _t162 + _v196;
												memcpy(_v196, _t597, _v148);
												_t693 =  &(_t691[3]);
												if(_v164 != 0) {
													memcpy(_v148 + 1 +  *((intOrPtr*)(_t526 + 0xa8)), _v176, _v164);
													_t693 =  &(_t693[3]);
												}
												memcpy( *(_t526 + 0xac), _t597, _v148);
												memcpy( *(_t526 + 0xac) + _v148, "-journal", 0);
												_t460 = _v148 + 9 +  *(_t526 + 0xac);
												 *(_t526 + 0xd4) = _t460;
												memcpy(_t460, _t597, _v148);
												_t691 =  &(_t693[9]);
												_t553 = 0;
												_t463 =  *(_t526 + 0xd4) + _v148;
												 *_t463 = 0x6c61772d;
												 *((char*)(_t463 + 4)) = 0;
												E60901CF7(0, _t597);
											}
											 *_t526 = _v156;
											_t598 = _a12;
											 *(_t526 + 0x90) = _t598;
											if(_v192 == 0) {
												L73:
												 *((char*)(_t526 + 0xf)) = 1;
												 *((char*)(_t526 + 0x10)) = 4;
												_v156 = _a12 & 0x00000001;
												_v148 = 1;
												goto L76;
											} else {
												_t553 = _v192;
												if( *_v192 == 0) {
													goto L73;
												}
												_v36 = 0;
												_v236 =  &_v36;
												_v240 = _t598 & 0x00087f7f;
												_v244 =  *((intOrPtr*)(_t526 + 0x3c));
												_v248 =  *((intOrPtr*)(_t526 + 0xa8));
												_t678 = _v156;
												 *_t691 = _t678; // executed
												_t665 =  *((intOrPtr*)(_t678 + 0x18))();
												_t445 = _v36 & 0x00000001;
												_v156 = _t445;
												if((_t445 | _t665) != 0) {
													if(_t665 != 0) {
														L77:
														E60901565( *((intOrPtr*)(_t526 + 0x3c)));
														 *_t691 = _t526;
														E60901C61();
														L137:
														_t407 =  *_v144;
														if( *_v144 != 0) {
															E6092E1AB(_t407);
														}
														goto L127;
													}
													L75:
													_v148 = 0;
													L76:
													_t385 = E6090B1C0(_t526, _t553 | 0xffffffff,  &_v32);
													_t665 = _t385;
													if(_t385 == 0) {
														_t602 =  *(_t526 + 0xcc);
														_v164 = 0;
														if(_v180 == 0) {
															_v164 = 0x6093f934;
														}
														_t670 = _a8 & 0x00000001 ^ 0x00000001;
														_v168 = _v32;
														memset(_t602, 0, 0xc << 2);
														_t692 =  &(_t691[3]);
														 *((intOrPtr*)(_t602 + 0x14)) = _v168;
														 *((intOrPtr*)(_t602 + 0x18)) = 0x50;
														 *((char*)(_t602 + 0x1c)) = _v180 == 0;
														 *((char*)(_t602 + 0x1d)) = 2;
														 *((intOrPtr*)(_t602 + 0x20)) = _v164;
														 *(_t602 + 0x24) = _t526;
														 *((intOrPtr*)(_t602 + 0x10)) = 0x64;
														 *((char*)(_t526 + 6)) = _t670;
														 *((intOrPtr*)(_t526 + 0x9c)) = 0x3fffffff;
														 *((char*)(_t526 + 0xc)) = _v148;
														 *((char*)(_t526 + 4)) = _v148;
														 *((char*)(_t526 + 0x11)) = _v148;
														 *((char*)(_t526 + 0xe)) = _v180;
														 *((char*)(_t526 + 0xd)) = _v156;
														 *((char*)(_t526 + 7)) = _v148;
														if(_v148 == 0) {
															 *((char*)(_t526 + 8)) = 1;
															 *((char*)(_t526 + 0xb)) = 2;
															 *((char*)(_t526 + 0xa)) = 0x22;
															 *((char*)(_t526 + 9)) = 2;
														}
														 *((short*)(_t526 + 0x8c)) = 0x50;
														 *((intOrPtr*)(_t526 + 0xa0)) = 0xffffffff;
														 *((intOrPtr*)(_t526 + 0xa4)) = 0xffffffff;
														E60903DB1(_t526);
														if(_t670 != 0) {
															if(_v180 != 0) {
																 *((char*)(_t526 + 5)) = 4;
															}
														} else {
															 *((char*)(_t526 + 5)) = 2;
														}
														 *((intOrPtr*)(_t526 + 0xc4)) = E6092409F;
														 *_v144 = _t526;
														_t561 = _v172;
														 *((intOrPtr*)(_t526 + 0x80)) =  *((intOrPtr*)(_t561 + 0x28));
														 *((intOrPtr*)(_t526 + 0x84)) =  *((intOrPtr*)(_t561 + 0x2c));
														E60903EC1(_t526);
														_t527 =  *_v144;
														memset( &_v136, 0, 0x19 << 2);
														_t691 =  &(_t692[3]);
														_t399 =  *((intOrPtr*)(_t527 + 0x3c));
														if( *((intOrPtr*)( *((intOrPtr*)(_t527 + 0x3c)))) == 0) {
															L89:
															_t608 = _v144;
															 *((char*)(_t608 + 0x10)) = _a8;
															 *((intOrPtr*)(_t608 + 4)) = _v172;
															_t565 =  *_t608;
															 *((intOrPtr*)(_t565 + 0xb0)) = E60904757;
															 *((intOrPtr*)(_t565 + 0xb4)) = _t608;
															_t401 =  *((intOrPtr*)(_t565 + 0x3c));
															if( *((intOrPtr*)( *((intOrPtr*)(_t565 + 0x3c)))) != 0) {
																E6090162F(_t401, _t565 + 0xb0, 0xf);
															}
															_t672 = _v144;
															 *((intOrPtr*)(_v152 + 4)) = _t672;
															 *(_t672 + 8) = 0;
															 *(_t672 + 0xc) = 0;
															_t529 =  *_t672;
															if( *((char*)( *_t672 + 0xd)) != 0) {
																 *(_t672 + 0x16) =  *(_t672 + 0x16) | 0x00000001;
															}
															_t404 = (_v119 & 0x000000ff) << 0x00000010 | (_v120 & 0x000000ff) << 0x00000008;
															 *(_v144 + 0x20) = _t404;
															if(_t404 - 0x200 > 0xfe00 || (_t404 - 0x00000001 & _t404) != 0) {
																_t566 = _v144;
																 *(_t566 + 0x20) = 0;
																if(_v188 == 0 && _v160 != 0) {
																	 *((char*)(_t566 + 0x11)) = 0;
																	 *((char*)(_t566 + 0x12)) = 0;
																}
																_t641 = 0;
															} else {
																_t641 = _v116;
																_t677 = _v144;
																 *(_t677 + 0x16) =  *(_t677 + 0x16) | 0x00000002;
																 *((char*)(_t677 + 0x11)) = E60902C12( &_v84) != 0;
																 *((char*)(_t677 + 0x12)) = E60902C12( &_v72) != 0;
															}
															_t642 = _t641 & 0x000000ff;
															_t406 = E6090B1C0(_t529, _t642, _v144 + 0x20); // executed
															_t665 = _t406;
															if(_t406 == 0) {
																_t616 = _v144;
																 *((intOrPtr*)(_t616 + 0x24)) =  *((intOrPtr*)(_t616 + 0x20)) - _t642;
																if( *((char*)(_v152 + 9)) == 0) {
																	goto L106;
																}
																 *(_t616 + 0x40) = 1;
																_t532 = E609017A5(2);
																if( *0x6096e00c == 0) {
																	L105:
																	 *_t691 = _t532;
																	E609017DA();
																	_t424 =  *0x6097a2dc; // 0x0
																	_t623 = _v144;
																	 *((intOrPtr*)(_t623 + 0x44)) = _t424;
																	 *0x6097a2dc = _t623;
																	 *_t691 = _t532;
																	E6090180A();
																	goto L106;
																}
																_t427 = E609017A5(0);
																 *((intOrPtr*)(_v144 + 0x38)) = _t427;
																if(_t427 != 0) {
																	goto L105;
																}
																 *((char*)(_v172 + 0x40)) = 0;
																L136:
																_t665 = 7;
															}
															goto L137;
														} else {
															 *_t691 = 0;
															_v248 = 0;
															_t434 = E60901588(_t399, 0x64,  &_v136); // executed
															_t665 = _t434;
															if(_t434 == 0x20a || _t434 == 0) {
																goto L89;
															} else {
																goto L137;
															}
														}
													}
													goto L77;
												}
												E60903DB1(_t526);
												_t449 =  *((intOrPtr*)(_t526 + 0x94));
												if(_v32 < _t449) {
													if(_t449 <= 0x2000) {
														_v32 = _t449;
													} else {
														_v32 = 0x2000;
													}
												}
												_v156 = 0;
												goto L75;
											}
										}
										E60901CF7(0, _t597);
										goto L136;
									}
									_v180 = 1;
									_t541 = _v160;
									if( *_v160 == 0) {
										L47:
										_t685 = _v160;
										if( *_t685 == 0) {
											_v192 = _v160;
											L59:
											_v164 = 0;
											_v176 = 0;
											_v148 = 0;
											_t596 = 0;
											goto L60;
										}
										_t535 =  *((intOrPtr*)(_v156 + 8)) + 1;
										_t474 = E60901E96(0, _t535 + _t535);
										if(_t474 == 0) {
											goto L136;
										}
										 *_t474 = 0;
										_v240 = _t474;
										_v244 = _t535;
										_v248 = _t685;
										_t586 = _v156;
										 *_t691 = _t586;
										_v200 = _t474;
										_t665 =  *((intOrPtr*)(_t586 + 0x24))();
										_v148 = E60902023(_v200);
										_t111 = E60902023(_v160) + 1; // 0x1
										_t480 = _v160 + _t111;
										_v176 = _t480;
										_t537 = _t480;
										while(1) {
											_t596 = _v200;
											if( *_t537 == 0) {
												break;
											}
											_v200 = _t596;
											_t538 = _t537 + E60902023(_t537) + 1;
											_t537 = _t538 + E60902023(_t538) + 1;
										}
										if(_t665 != 0) {
											L56:
											E60901CF7(0, _t596);
											goto L137;
										}
										if(_v148 + 7 >=  *((intOrPtr*)(_v156 + 8))) {
											_v240 =  &M6096F114;
											_v244 = 0xac67;
											_v248 = "cannot open file at line %d of [%.10s]";
											 *_t691 = 0xe;
											_v200 = _t596;
											E60923A49();
											_t665 = 0xe;
											_t596 = _v200;
											goto L56;
										}
										_v164 = _t537 + 1 - _v176;
										_v192 = _v160;
										goto L60;
									}
									_t492 = E6090CB82(0, _t541);
									_t629 = _t492;
									if(_t492 == 0) {
										goto L136;
									}
									_v200 = _t629;
									_v148 = E60902023(_t492);
									_t596 = _v200;
									goto L135;
								}
							} else {
								_v184 = 0;
								if((_a12 & 0x00020000) == 0) {
									goto L37;
								}
								_t688 =  *((intOrPtr*)(_v156 + 8)) + 1;
								 *_t691 = _t688;
								_t543 = E60901A5C();
								_t495 = _v152;
								 *((char*)(_t495 + 9)) = 1;
								if(_t543 != 0) {
									if(_v188 == 0) {
										 *_t543 = 0;
										_v240 = _t543;
										_v244 = _t688;
										_v248 = _v160;
										_t588 = _v156;
										 *_t691 = _t588;
										_t496 =  *((intOrPtr*)(_t588 + 0x24))();
										_t665 = _t496;
										if(_t496 == 0) {
											L24:
											_t498 = E609017A5(4);
											_v184 = _t498;
											 *_t691 = _t498;
											E609017DA();
											_t501 = E609017A5(2);
											 *_t691 = _t501;
											_v200 = _t501;
											E609017DA();
											_t689 =  *0x6097a2dc; // 0x0
											_t589 = _v200;
											while(_t689 != 0) {
												_t659 =  *_t689;
												_v248 =  *((intOrPtr*)(_t659 + 0xa8));
												 *_t691 = _t543;
												_v200 = _t589;
												_t504 = strcmp(??, ??);
												_t589 = _v200;
												if(_t504 != 0 ||  *_t659 != _v156) {
													_t689 =  *((intOrPtr*)(_t689 + 0x44));
													continue;
												} else {
													_t509 =  *((intOrPtr*)(_v172 + 0x14)) - 1;
													_t661 = _t509 << 4;
													_v144 = _t509;
													while(_v144 >= 0) {
														_t632 =  *((intOrPtr*)( *((intOrPtr*)(_v172 + 0x10)) + _t661 + 4));
														if(_t632 == 0 ||  *((intOrPtr*)(_t632 + 4)) != _t689) {
															_v144 = _v144 - 1;
															_t661 = _t661 - 0x10;
															continue;
														} else {
															 *_t691 = _t589;
															E6090180A();
															 *_t691 = _v184;
															E6090180A();
															 *_t691 = _t543;
															E60901C61();
															 *_t691 = _v152;
															E60901C61();
															_t665 = 0x13;
															goto L132;
														}
													}
													 *((intOrPtr*)(_v152 + 4)) = _t689;
													 *((intOrPtr*)(_t689 + 0x40)) =  *((intOrPtr*)(_t689 + 0x40)) + 1;
													break;
												}
											}
											 *_t691 = _t589;
											E6090180A();
											 *_t691 = _t543;
											E60901C61();
											if(_t689 != 0) {
												L106:
												if( *((char*)(_v152 + 9)) == 0) {
													L123:
													 *_a4 = _v152;
													if(E6090B904(_v152, 0, 0) == 0) {
														E609109DE( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v152 + 4)))) + 0xcc)), 0x7d0);
													}
													_t665 = 0;
													L130:
													if(_v184 != 0) {
														 *_t691 = _v184;
														E6090180A();
													}
													goto L132;
												}
												_t571 =  *((intOrPtr*)(_v172 + 0x14));
												_t619 = 0;
												while(_t619 < _t571) {
													_t420 =  *((intOrPtr*)((_t619 << 4) +  *((intOrPtr*)(_v172 + 0x10)) + 4));
													if(_t420 == 0 ||  *((char*)(_t420 + 9)) == 0) {
														_t619 = _t619 + 1;
														continue;
													} else {
														while(1) {
															_t620 =  *((intOrPtr*)(_t420 + 0x18));
															if(_t620 == 0) {
																break;
															}
															_t420 = _t620;
														}
														_t621 = _v152;
														_t572 =  *((intOrPtr*)(_t621 + 4));
														if(_t572 >=  *((intOrPtr*)(_t420 + 4))) {
															while(1) {
																_t622 =  *((intOrPtr*)(_t420 + 0x14));
																if(_t622 == 0 ||  *((intOrPtr*)(_t622 + 4)) >= _t572) {
																	break;
																}
																_t420 = _t622;
															}
															_t573 = _v152;
															 *((intOrPtr*)(_t573 + 0x14)) = _t622;
															 *((intOrPtr*)(_t573 + 0x18)) = _t420;
															if(_t622 != 0) {
																 *((intOrPtr*)(_t622 + 0x18)) = _t573;
															}
															 *((intOrPtr*)(_t420 + 0x14)) = _v152;
															goto L123;
														}
														 *((intOrPtr*)(_t621 + 0x14)) = _t420;
														 *(_t621 + 0x18) = 0;
														 *((intOrPtr*)(_t420 + 0x18)) = _t621;
														goto L123;
													}
												}
												goto L123;
											}
											goto L37;
										}
										 *_t691 = _t543;
										E60901C61();
										 *_t691 = _v152;
										E60901C61();
										goto L132;
									}
									_t44 = E60902023(_v160) + 1; // 0x1
									memcpy(_t543, _v160, _t44);
									_t691 =  &(_t691[3]);
									goto L24;
								}
								 *_t691 = _t495;
								E60901C61();
								_t665 = 7;
								goto L132;
							}
						}
					}
					L6:
					_v188 = 0;
					if((_a12 & 0x00000080) == 0) {
						goto L10;
					}
					goto L9;
				}
				_t524 = 0 |  *__edx == 0x00000000;
				_v248 = ":memory:";
				 *_t691 = __edx;
				if(strcmp(??, ??) == 0) {
					goto L9;
				}
				if(_t524 == 0) {
					goto L6;
				} else {
					goto L5;
				}
			}

0x6092e285
0x6092e28b
0x6092e291
0x6092e299
0x6092e2bd
0x6092e2c2
0x6092e2cc
0x6092e2e0
0x6092e2e5
0x6092e2e5
0x6092e2e9
0x6092e2f3
0x6092e2fa
0x6092e306
0x6092e30d
0x6092e30d
0x6092e319
0x6092e31e
0x6092e324
0x6092e32b
0x6092edaf
0x6092edbb
0x6092e331
0x6092e331
0x6092e33b
0x6092e33d
0x6092e340
0x6092e347
0x6092e353
0x6092e539
0x6092e53e
0x6092e543
0x6092e54b
0x6092ed4f
0x6092ed54
0x6092ed5a
0x6092ed5d
0x6092ed68
0x6092ed6b
0x6092ed73
0x00000000
0x6092ed73
0x6092e551
0x6092e55e
0x6092e561
0x6092e569
0x6092e56e
0x6092e56e
0x6092e577
0x6092e581
0x6092e5db
0x6092e70b
0x6092e715
0x00000000
0x6092e715
0x6092e5e1
0x00000000
0x6092e583
0x6092e58a
0x6092edcb
0x6092edd5
0x6092edd7
0x6092edd7
0x6092ede1
0x6092edeb
0x6092edf5
0x6092e74d
0x6092e774
0x6092e77a
0x6092e77f
0x6092e783
0x6092e789
0x6092e79d
0x6092e7a3
0x6092e7a3
0x6092e7a9
0x6092e7b8
0x6092e7bb
0x6092e7bd
0x6092e7c0
0x6092e7c2
0x6092e7c5
0x6092e7c7
0x6092e7cd
0x6092e7d5
0x6092e7e7
0x6092e7f1
0x6092e805
0x6092e805
0x6092e80e
0x6092e82b
0x6092e82b
0x6092e82b
0x6092e83d
0x6092e854
0x6092e85f
0x6092e865
0x6092e875
0x6092e875
0x6092e875
0x6092e87d
0x6092e883
0x6092e889
0x6092e88f
0x6092e88f
0x6092e89a
0x6092e89c
0x6092e89f
0x6092e8ac
0x6092e936
0x6092e936
0x6092e93a
0x6092e944
0x6092e94a
0x00000000
0x6092e8b2
0x6092e8b2
0x6092e8bb
0x00000000
0x00000000
0x6092e8bd
0x6092e8c7
0x6092e8d2
0x6092e8d9
0x6092e8e3
0x6092e8e7
0x6092e8ed
0x6092e8f3
0x6092e8f8
0x6092e8fb
0x6092e903
0x6092e958
0x6092e977
0x6092e97a
0x6092e97f
0x6092e982
0x6092ee09
0x6092ee0f
0x6092ee13
0x6092ed48
0x6092ed48
0x00000000
0x6092ee13
0x6092e95a
0x6092e95a
0x6092e964
0x6092e96c
0x6092e971
0x6092e975
0x6092e98c
0x6092e992
0x6092e9a3
0x6092e9a5
0x6092e9a5
0x6092e9b5
0x6092e9bb
0x6092e9ca
0x6092e9ca
0x6092e9d2
0x6092e9d5
0x6092e9e3
0x6092e9e7
0x6092e9f1
0x6092e9f4
0x6092e9f7
0x6092ea00
0x6092ea03
0x6092ea13
0x6092ea1c
0x6092ea25
0x6092ea2e
0x6092ea37
0x6092ea40
0x6092ea4a
0x6092ea4c
0x6092ea50
0x6092ea54
0x6092ea58
0x6092ea58
0x6092ea5c
0x6092ea65
0x6092ea6f
0x6092ea7b
0x6092ea82
0x6092ea91
0x6092ea93
0x6092ea93
0x6092ea84
0x6092ea84
0x6092ea84
0x6092ea97
0x6092eaa7
0x6092eaa9
0x6092eab5
0x6092eabb
0x6092eac3
0x6092eace
0x6092eadf
0x6092eadf
0x6092eae1
0x6092eae7
0x6092eb10
0x6092eb13
0x6092eb19
0x6092eb22
0x6092eb25
0x6092eb27
0x6092eb31
0x6092eb37
0x6092eb3d
0x6092eb4a
0x6092eb4a
0x6092eb4f
0x6092eb5b
0x6092eb5e
0x6092eb65
0x6092eb6c
0x6092eb72
0x6092eb74
0x6092eb74
0x6092eb87
0x6092eb8f
0x6092eb9e
0x6092eba7
0x6092ebad
0x6092ebbb
0x6092ebc6
0x6092ebca
0x6092ebca
0x6092ebfc
0x6092ebd0
0x6092ebd0
0x6092ebd3
0x6092ebd9
0x6092ebe8
0x6092ebf6
0x6092ebf6
0x6092ebfe
0x6092ec11
0x6092ec16
0x6092ec1a
0x6092ec20
0x6092ec2b
0x6092ec38
0x00000000
0x00000000
0x6092ec3a
0x6092ec4b
0x6092ec54
0x6092ec79
0x6092ec79
0x6092ec7c
0x6092ec81
0x6092ec86
0x6092ec8c
0x6092ec8f
0x6092ec95
0x6092ec98
0x00000000
0x6092ec98
0x6092ec58
0x6092ec63
0x6092ec68
0x00000000
0x00000000
0x6092ec70
0x6092ee04
0x6092ee04
0x6092ee04
0x00000000
0x6092eae9
0x6092eae9
0x6092eaf0
0x6092eafa
0x6092eaff
0x6092eb06
0x00000000
0x00000000
0x00000000
0x00000000
0x6092eb06
0x6092eae7
0x00000000
0x6092e975
0x6092e907
0x6092e90c
0x6092e915
0x6092e920
0x6092e92e
0x6092e922
0x6092e922
0x6092e922
0x6092e920
0x6092edbc
0x00000000
0x6092edbc
0x6092e8ac
0x6092e78d
0x00000000
0x6092e78d
0x6092e590
0x6092e59a
0x6092e5a3
0x6092e5eb
0x6092e5eb
0x6092e5f4
0x6092e727
0x6092e72d
0x6092e72d
0x6092e737
0x6092e741
0x6092e74b
0x00000000
0x6092e74b
0x6092e603
0x6092e609
0x6092e610
0x00000000
0x00000000
0x6092e616
0x6092e619
0x6092e61d
0x6092e621
0x6092e625
0x6092e62b
0x6092e62e
0x6092e637
0x6092e646
0x6092e65d
0x6092e65d
0x6092e661
0x6092e667
0x6092e687
0x6092e687
0x6092e690
0x00000000
0x00000000
0x6092e66d
0x6092e678
0x6092e683
0x6092e683
0x6092e694
0x6092e6ff
0x6092e701
0x00000000
0x6092e701
0x6092e6a8
0x6092e6ca
0x6092e6d2
0x6092e6da
0x6092e6e2
0x6092e6e9
0x6092e6ef
0x6092e6f4
0x6092e6f9
0x00000000
0x6092e6f9
0x6092e6b3
0x6092e6bf
0x00000000
0x6092e6bf
0x6092e5a9
0x6092e5ae
0x6092e5b2
0x00000000
0x00000000
0x6092e5b8
0x6092e5c3
0x6092e5c9
0x00000000
0x6092e5c9
0x6092e36c
0x6092e36c
0x6092e37d
0x00000000
0x00000000
0x6092e38c
0x6092e38d
0x6092e395
0x6092e397
0x6092e39d
0x6092e3a3
0x6092e3be
0x6092e3da
0x6092e3dd
0x6092e3e1
0x6092e3eb
0x6092e3ef
0x6092e3f5
0x6092e3f8
0x6092e3fb
0x6092e3ff
0x6092e41c
0x6092e421
0x6092e426
0x6092e42c
0x6092e42f
0x6092e439
0x6092e43e
0x6092e441
0x6092e447
0x6092e44c
0x6092e452
0x6092e519
0x6092e45d
0x6092e465
0x6092e469
0x6092e46c
0x6092e472
0x6092e479
0x6092e47f
0x6092e516
0x00000000
0x6092e493
0x6092e49c
0x6092e49f
0x6092e4a2
0x6092e4ff
0x6092e4b3
0x6092e4b9
0x6092e4f6
0x6092e4fc
0x00000000
0x6092e4c0
0x6092e4c0
0x6092e4c3
0x6092e4ce
0x6092e4d1
0x6092e4d6
0x6092e4d9
0x6092e4e4
0x6092e4e7
0x6092e4ec
0x00000000
0x6092e4ec
0x6092e4b9
0x6092e50e
0x6092e511
0x00000000
0x6092e511
0x6092e47f
0x6092e521
0x6092e524
0x6092e529
0x6092e52c
0x6092e533
0x6092ec9d
0x6092eca7
0x6092ed2e
0x6092ed37
0x6092ed44
0x6092ed91
0x6092ed91
0x6092ed96
0x6092ed98
0x6092ed9f
0x6092eda7
0x6092edaa
0x6092edaa
0x00000000
0x6092ed9f
0x6092ecb3
0x6092ecb6
0x6092ed2a
0x6092ecc8
0x6092eccd
0x6092ed29
0x00000000
0x6092ecd5
0x6092ecd9
0x6092ecd9
0x6092ecde
0x00000000
0x00000000
0x6092ecd7
0x6092ecd7
0x6092ece0
0x6092ece6
0x6092ecec
0x6092ecff
0x6092ecff
0x6092ed04
0x00000000
0x00000000
0x6092ecfd
0x6092ecfd
0x6092ed0b
0x6092ed11
0x6092ed14
0x6092ed19
0x6092ed1b
0x6092ed1b
0x6092ed24
0x00000000
0x6092ed24
0x6092ecee
0x6092ecf1
0x6092ecf8
0x00000000
0x6092ecf8
0x6092eccd
0x00000000
0x6092ed2a
0x00000000
0x6092e533
0x6092e401
0x6092e404
0x6092e40f
0x6092e412
0x00000000
0x6092e412
0x6092e3cb
0x6092e3d6
0x6092e3d6
0x00000000
0x6092e3d6
0x6092e3a5
0x6092e3a8
0x6092e3ad
0x00000000
0x6092e3ad
0x6092e353
0x6092e32b
0x6092e2ce
0x6092e2ce
0x6092e2dc
0x00000000
0x00000000
0x00000000
0x6092e2de
0x6092e2a0
0x6092e2a3
0x6092e2ab
0x6092e2b5
0x00000000
0x00000000
0x6092e2b9
0x00000000
0x6092e2bb
0x00000000
0x6092e2bb

APIs

strcmp.MSVCRT ref: 6092E2AE
strcmp.MSVCRT ref: 6092E472

Strings

-journal, xrefs: 6092E84B
@, xrefs: 6092E362

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID: strcmp
String ID: -journal$@
API String ID: 1004003707-41206085
Opcode ID: c0f3e26fc0b8cf0921a580822ccb10f1b42ebb445531de93d43c77c58eb6f5b3
Instruction ID: d3546033577ab7c449e1d9ae4a568db5e705be1ba1c7c20995b0e62570cb2ed7
Opcode Fuzzy Hash: c0f3e26fc0b8cf0921a580822ccb10f1b42ebb445531de93d43c77c58eb6f5b3
Instruction Fuzzy Hash: C9722574A143648FEB21CF24C880B99BBB2BF65308F1485E9D8999B386E774DD84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6092613D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E6092613D(intOrPtr _a4, void* _a8, int _a12, intOrPtr _a16, signed int _a20) {
				void* _v16;
				char _v32;
				char _v36;
				char _v40;
				signed int _v48;
				intOrPtr _v52;
				char _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v80;
				void* _v108;
				intOrPtr _v112;
				int _v116;
				void* _v120;
				intOrPtr _t54;
				void* _t61;
				int _t64;
				void* _t66;
				void* _t72;
				void* _t75;
				intOrPtr _t77;
				intOrPtr _t78;
				int _t85;
				intOrPtr _t90;
				intOrPtr _t92;
				void* _t93;
				char* _t100;
				void* _t111;
				signed int _t112;
				void* _t114;
				void* _t117;
				intOrPtr* _t118;
				void* _t121;
				void* _t123;

				_t77 = _a4;
				_t54 = _a16;
				_v68 = _t54;
				_v64 = _a20;
				_v36 = 0;
				_t78 =  *((intOrPtr*)(_t77 + 0x30));
				_t90 =  *((intOrPtr*)(_t77 + 0x34));
				_v80 = _t90;
				_t121 = _v64 - _t90;
				if(_t121 > 0 || _t121 >= 0 && _t54 >= _t78) {
					L8:
					_t111 =  &_v60;
					memset(_t111, 0, 5 << 2);
					_t118 = _t117 + 0xc;
					_v52 = _v68;
					_v48 = _v64 & 0x7fffffff;
					_t100 =  &_v32;
					while(1) {
						_v108 = _t111;
						_v112 = _t100;
						_v116 = _a12;
						_v120 = _a8;
						 *_t118 =  *((intOrPtr*)(_t77 + 8)); // executed
						_t61 = ReadFile(??, ??, ??, ??, ??); // executed
						_t118 = _t118 - 0x14;
						__eflags = _t61;
						if(_t61 != 0) {
							break;
						}
						_t66 =  *0x6096ec9c();
						__eflags = _t66 - 0x26;
						if(_t66 != 0x26) {
							__eflags = E60911D8D( &_v36,  &_v40);
							if(__eflags != 0) {
								continue;
							}
							 *((intOrPtr*)(_t77 + 0x14)) = _v40;
							_v120 = 0x8407;
							 *_t118 =  *((intOrPtr*)(_t77 + 0x1c));
							_t64 = E6092597A(0x10a, "winRead", _v40, __eflags);
							goto L15;
						}
						break;
					}
					E6092586E(_v36);
					_t92 = _v32;
					_t64 = 0;
					__eflags = _t92 - _a12;
					if(_t92 < _a12) {
						_t93 = _t92 + _a8;
						__eflags = _t93;
						memset(_t93, 0, _a12 - _t92 << 0);
						_t64 = 0x20a;
					}
					goto L15;
				} else {
					_t112 = _a12;
					_t72 = _t112 + _v68;
					asm("adc edx, [ebp-0x3c]");
					_t123 = _t112 >> 0x1f - _v80;
					if(_t123 > 0 || _t123 >= 0 && _t72 > _t78) {
						_t114 = _v68 +  *((intOrPtr*)(_t77 + 0x2c));
						_t85 = _t78 - _v68;
						_t75 = memcpy(_a8, _t114, _t85);
						_t117 = _t117 + 0xc;
						_a8 = _t114 + _t85 + _t85;
						_a12 = _a12 - _t75;
						asm("cdq");
						_v68 = _v68 + _t75;
						asm("adc [ebp-0x3c], edx");
						goto L8;
					} else {
						memcpy(_a8, _v68 +  *((intOrPtr*)(_t77 + 0x2c)), _a12);
						_t64 = 0;
						L15:
						return _t64;
					}
				}
			}

0x60926146
0x60926149
0x6092614f
0x60926152
0x60926155
0x6092615c
0x6092615f
0x60926162
0x60926165
0x60926168
0x609261c1
0x609261c1
0x609261cd
0x609261cd
0x609261d2
0x609261dd
0x609261e0
0x60926219
0x60926219
0x6092621d
0x60926224
0x6092622b
0x60926232
0x60926235
0x6092623b
0x6092623e
0x60926240
0x00000000
0x00000000
0x60926242
0x60926248
0x6092624b
0x609261f0
0x609261f2
0x00000000
0x00000000
0x609261f7
0x609261fa
0x60926205
0x60926212
0x00000000
0x60926212
0x00000000
0x6092624b
0x60926250
0x60926255
0x60926258
0x6092625a
0x6092625d
0x60926264
0x60926264
0x60926269
0x6092626b
0x6092626b
0x00000000
0x60926170
0x60926170
0x6092617c
0x6092617f
0x60926182
0x60926185
0x609261aa
0x609261b0
0x609261b2
0x609261b2
0x609261b4
0x609261b7
0x609261ba
0x609261bb
0x609261be
0x00000000
0x6092618d
0x60926199
0x6092619b
0x60926270
0x60926277
0x60926277
0x60926185

APIs

ReadFile.KERNEL32 ref: 60926235

Strings

winRead, xrefs: 60926208

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID: FileRead
String ID: winRead
API String ID: 2738559852-2759563040
Opcode ID: 30140f8871a9a04f84b380650a4b007acd67933d7a4534ec5d8c165dad46e3e8
Instruction ID: 6b38abc783a0277c6f6881ee7e3119bb34b275231ced1160a46fa4cacedc2904
Opcode Fuzzy Hash: 30140f8871a9a04f84b380650a4b007acd67933d7a4534ec5d8c165dad46e3e8
Instruction Fuzzy Hash: E841F2B5A14219DBCF04CFA9D88058EBBB6BF98314F15852AE824AB759D734EC11CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6092BFAF Relevance: 1.6, APIs: 1, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E6092BFAF(signed char* __eax) {
				signed int _v32;
				signed char _v36;
				char _v40;
				signed char _v44;
				void _v60;
				int _v64;
				signed int _v68;
				signed char* _v92;
				signed char _v96;
				signed int _v100;
				void* _v104;
				int _t154;
				signed char _t157;
				int _t160;
				signed char _t162;
				int _t166;
				signed char _t167;
				int _t171;
				int _t173;
				signed char _t175;
				signed char _t178;
				signed char _t182;
				signed char _t189;
				signed char _t194;
				signed char _t198;
				signed int _t202;
				signed char _t205;
				signed char _t206;
				signed char _t208;
				signed char _t210;
				signed char _t211;
				signed char _t217;
				signed char _t228;
				int _t229;
				signed char* _t230;
				signed char _t239;
				signed char _t253;
				signed char _t256;
				signed char _t257;
				signed char _t258;
				signed char _t259;
				signed char* _t260;

				_t230 = __eax;
				if( *((char*)(__eax + 0xe)) == 0) {
					L2:
					_v64 = 0;
					if(_t230[0xd0] != 0 || _t230[0xf] != 0) {
						L69:
						_t146 = _t230[0xd0];
						if(_t230[0xd0] == 0) {
							L76:
							if(_v64 == 0 && _t230[0xf] == 0) {
								_v64 = E60903E2D(_t230,  &(_t230[0x18]));
							}
							if(_v64 == 0) {
								_t230[0xf] = 1;
								goto L82;
							} else {
								goto L80;
							}
						}
						_v44 = 0;
						E60904249(_t146);
						_t253 = _t230[0xd0];
						_t258 = 0;
						do {
							_t258 = _t258 + 1;
							 *_t260 = _t258;
							_t231 = 0;
							_t154 = E60926EE5(_t253, 0,  &_v44);
						} while (_t154 == 0xffffffff);
						_v64 = _t154;
						if(_t154 != 0 || _v44 != 0) {
							E6090B1A2(_t230);
							if(_t230[0x74] != 0) {
								_t157 = _t230[0x3c];
								_v96 = 0;
								_v104 = 0;
								_v100 = 0;
								 *_t260 = _t157;
								 *((intOrPtr*)( *_t157 + 0x48))();
							}
						}
						goto L76;
					} else {
						_t160 = E60903F18(_t230, 1);
						_v64 = _t160;
						if(_t160 != 0) {
							L80:
							E6090B39C(_t230, _t231);
							L82:
							return _v64;
						}
						if(_t230[0x10] > 1) {
							L28:
							if(_t230[0xd] != 0) {
								_v64 = 0x308;
								goto L80;
							}
							_t162 = E60903CB5(_t230, 4);
							_t259 = _t162;
							if(_t162 != 0) {
								L85:
								_v64 = _t259;
								goto L80;
							}
							if( *(_t230[0x40]) == 0) {
								_t256 =  *_t230;
								_v96 =  &_v44;
								_v100 = 0;
								_v104 = _t230[0xac];
								 *_t260 = _t256;
								_t194 =  *((intOrPtr*)(_t256 + 0x20))();
								_t259 = _t194;
								if(_t194 == 0 && _v44 != 0) {
									_v32 = 0;
									_v92 =  &_v32;
									_v96 = 0x802;
									_v100 = _t230[0x40];
									_v104 = _t230[0xac];
									 *_t260 = _t256;
									_t198 =  *((intOrPtr*)(_t256 + 0x18))();
									_t259 = _t198;
									if(_t198 == 0 && (_v32 & 0x00000001) != 0) {
										_v96 =  &M6096F114;
										_v100 = 0xae37;
										_v104 = "cannot open file at line %d of [%.10s]";
										 *_t260 = 0xe;
										E60923A49();
										E60901565(_t230[0x40]);
										_t259 = 0xe;
									}
								}
							}
							if( *(_t230[0x40]) == 0) {
								if(_t230[4] == 0) {
									E60903C80(_t230, 1);
								}
								L41:
								if(_t259 == 0) {
									L43:
									if(_t230[0xc] != 0) {
										L57:
										if(_t230[0xc] == 0) {
											_t166 = E60903E2D(_t230,  &_v44);
											_v64 = _t166;
											if(_t166 == 0) {
												_t167 =  *_t230;
												_t239 = _t230[0xd4];
												if(_v44 != 0) {
													_t231 =  &_v32;
													_v96 =  &_v32;
													_v100 = 0;
													_v104 = _t239;
													 *_t260 = _t167;
													_v64 =  *((intOrPtr*)(_t167 + 0x20))();
												} else {
													_v100 = 0;
													_v104 = _t239;
													 *_t260 = _t167;
													_t171 =  *((intOrPtr*)(_t167 + 0x1c))();
													if(_t171 != 0x170a) {
														_v64 = _t171;
													}
													_v32 = 0;
												}
												if(_v64 == 0) {
													if(_v32 == 0) {
														if(_t230[5] == 5) {
															_t230[5] = 0;
														}
													} else {
														_v64 = E6090AC2A(_t230);
													}
												}
											}
										}
										goto L69;
									}
									if(_t230[0x58] != 0) {
										L48:
										_v32 = 0;
										_t173 = E60903E2D(_t230,  &_v32);
										if(_t173 != 0) {
											L84:
											_v64 = _t173;
											goto L80;
										}
										if(_v32 == 0) {
											memset( &_v60, _t173, 4 << 2);
											_t260 =  &(_t260[0xc]);
											_t231 = 0;
											L54:
											_t175 =  &(_t230[0x64]);
											_v100 = 0x10;
											_v104 =  &_v60;
											 *_t260 = _t175;
											L6096DBF8();
											if(_t175 != 0) {
												E6090B1A2(_t230);
												if(_t230[0x74] != 0) {
													_t178 = _t230[0x3c];
													_v96 = 0;
													_v104 = 0;
													_v100 = 0;
													 *_t260 = _t178;
													 *((intOrPtr*)( *_t178 + 0x48))();
												}
											}
											goto L57;
										}
										 *_t260 = 0x18;
										_v104 = 0;
										_t231 = 0x10; // executed
										_t173 = E60901588(_t230[0x3c], 0x10,  &_v60); // executed
										if(_t173 == 0x20a) {
											goto L54;
										}
										if(_t173 != 0) {
											goto L84;
										}
										goto L54;
									}
									_t182 =  *(_t230[0xcc] + 0x28);
									if(_t182 == 0) {
										L47:
										if(_t230[0x74] == 0) {
											goto L57;
										}
										goto L48;
									}
									 *_t260 = _t182;
									if( *0x6096e088() > 0) {
										goto L48;
									}
									goto L47;
								}
								L42:
								E60903D5E(_t230, _t259);
								goto L85;
							}
							_t189 = E60903F52(_t230);
							_t259 = _t189;
							if(_t189 != 0) {
								goto L42;
							}
							_t259 = E6092BAF1(_t230, 1);
							_t230[0xf] = 0;
							goto L41;
						}
						_t257 =  *_t230;
						_v32 = 1;
						_t202 = _t230[0x40];
						_t12 =  *_t202 != 0;
						_v68 = (_t202 & 0xffffff00 | _t12) & 0x000000ff;
						if(_t12 != 0) {
							L8:
							if(_v32 == 0) {
								goto L43;
							}
							_v36 = 0;
							_t205 = _t230[0x3c];
							_t231 =  &_v36;
							_v104 =  &_v36;
							 *_t260 = _t205;
							_t206 =  *((intOrPtr*)( *_t205 + 0x24))();
							_t259 = _t206;
							if(_t206 != 0) {
								goto L85;
							}
							if(_v36 != 0) {
								goto L43;
							}
							_t208 = E60903E2D(_t230,  &_v40);
							_t259 = _t208;
							if(_t208 != 0) {
								goto L85;
							}
							_t29 =  &_v68;
							 *_t29 = _v68 == 0;
							if( *_t29 != 0) {
								L19:
								_v44 = 0;
								 *_t260 = 0;
								_v104 = 0;
								_t231 = 1;
								_t210 = E60901588(_t230[0x40], 1,  &_v44);
								if(_t210 != 0x20a) {
									_t259 = _t210;
								}
								if(_v68 != 0) {
									E60901565(_t230[0x40]);
								}
								_t211 = _v44;
								if(_t259 != 0) {
									goto L85;
								}
								if(_t211 == 0) {
									goto L43;
								} else {
									goto L28;
								}
								L25:
								_t259 = _t217;
								if(_t217 != 0xe) {
									goto L85;
								} else {
									goto L28;
								}
							}
							if(_v40 != 0) {
								_v44 = 0x801;
								_v92 =  &_v44;
								_v96 = 0x801;
								_v100 = _t230[0x40];
								_v104 = _t230[0xac];
								 *_t260 = _t257;
								_t217 =  *((intOrPtr*)(_t257 + 0x18))();
								if(_t217 != 0) {
									goto L25;
								}
								goto L19;
							} else {
								E60901752();
								if(E60903CB5(_t230, 2) == 0) {
									_v100 = 0;
									_v104 = _t230[0xac];
									 *_t260 = _t257;
									 *((intOrPtr*)(_t257 + 0x1c))();
									if(_t230[4] == 0) {
										E60903C80(_t230, 1);
									}
								}
								E60901766();
								goto L43;
							}
						}
						_v96 =  &_v32;
						_v100 = 0;
						_v104 = _t230[0xac];
						 *_t260 = _t257;
						_t228 =  *((intOrPtr*)(_t257 + 0x20))();
						_t259 = _t228;
						if(_t228 != 0) {
							goto L85;
						}
						goto L8;
					}
				}
				_t229 =  *(__eax + 0x28);
				_v64 = _t229;
				if(_t229 != 0) {
					goto L82;
				}
				goto L2;
			}

0x6092bfb8
0x6092bfbe
0x6092bfce
0x6092bfce
0x6092bfdc
0x6092c3fc
0x6092c3fc
0x6092c404
0x6092c46c
0x6092c470
0x6092c482
0x6092c482
0x6092c489
0x6092c494
0x00000000
0x00000000
0x00000000
0x00000000
0x6092c489
0x6092c406
0x6092c40d
0x6092c412
0x6092c418
0x6092c41a
0x6092c41a
0x6092c41b
0x6092c41e
0x6092c425
0x6092c42a
0x6092c42f
0x6092c434
0x6092c43e
0x6092c447
0x6092c449
0x6092c44e
0x6092c456
0x6092c45e
0x6092c466
0x6092c469
0x6092c469
0x6092c447
0x00000000
0x6092bfec
0x6092bff3
0x6092bff8
0x6092bffd
0x6092c48b
0x6092c48d
0x6092c498
0x6092c4a2
0x6092c4a2
0x6092c007
0x6092c185
0x6092c189
0x6092c4a3
0x00000000
0x6092c4a3
0x6092c196
0x6092c19b
0x6092c19f
0x6092c4b1
0x6092c4b1
0x00000000
0x6092c4b1
0x6092c1ab
0x6092c1b1
0x6092c1b6
0x6092c1ba
0x6092c1c8
0x6092c1cc
0x6092c1cf
0x6092c1d2
0x6092c1d6
0x6092c1de
0x6092c1e8
0x6092c1ec
0x6092c1f7
0x6092c201
0x6092c205
0x6092c208
0x6092c20b
0x6092c20f
0x6092c217
0x6092c21f
0x6092c227
0x6092c22f
0x6092c236
0x6092c23e
0x6092c243
0x6092c243
0x6092c20f
0x6092c1d6
0x6092c24d
0x6092c274
0x6092c27d
0x6092c27d
0x6092c282
0x6092c284
0x6092c294
0x6092c298
0x6092c36e
0x6092c372
0x6092c37d
0x6092c382
0x6092c387
0x6092c38d
0x6092c38f
0x6092c395
0x6092c3bc
0x6092c3bf
0x6092c3c3
0x6092c3cb
0x6092c3cf
0x6092c3d5
0x6092c397
0x6092c397
0x6092c39f
0x6092c3a3
0x6092c3a6
0x6092c3ae
0x6092c3b0
0x6092c3b0
0x6092c3b3
0x6092c3b3
0x6092c3dc
0x6092c3e2
0x6092c3f6
0x6092c3f8
0x6092c3f8
0x6092c3e4
0x6092c3ed
0x6092c3ed
0x6092c3e2
0x6092c3dc
0x6092c387
0x00000000
0x6092c372
0x6092c2a2
0x6092c2c8
0x6092c2c8
0x6092c2d4
0x6092c2db
0x6092c4ac
0x6092c4ac
0x00000000
0x6092c4ac
0x6092c2e8
0x6092c31e
0x6092c31e
0x6092c31e
0x6092c320
0x6092c320
0x6092c326
0x6092c32e
0x6092c332
0x6092c335
0x6092c33c
0x6092c340
0x6092c349
0x6092c34b
0x6092c350
0x6092c358
0x6092c360
0x6092c368
0x6092c36b
0x6092c36b
0x6092c349
0x00000000
0x6092c33c
0x6092c2ed
0x6092c2f4
0x6092c2fc
0x6092c301
0x6092c30b
0x00000000
0x00000000
0x6092c30f
0x00000000
0x00000000
0x00000000
0x6092c315
0x6092c2aa
0x6092c2af
0x6092c2be
0x6092c2c2
0x00000000
0x00000000
0x00000000
0x6092c2c2
0x6092c2b1
0x6092c2bc
0x00000000
0x00000000
0x00000000
0x6092c2bc
0x6092c286
0x6092c28a
0x00000000
0x6092c28a
0x6092c251
0x6092c256
0x6092c25a
0x00000000
0x00000000
0x6092c268
0x6092c26a
0x00000000
0x6092c26a
0x6092c00d
0x6092c00f
0x6092c016
0x6092c01c
0x6092c022
0x6092c025
0x6092c050
0x6092c054
0x00000000
0x00000000
0x6092c05a
0x6092c061
0x6092c066
0x6092c069
0x6092c06d
0x6092c070
0x6092c073
0x6092c077
0x00000000
0x00000000
0x6092c081
0x00000000
0x00000000
0x6092c08c
0x6092c091
0x6092c095
0x00000000
0x00000000
0x6092c09f
0x6092c09f
0x6092c0a3
0x6092c129
0x6092c129
0x6092c133
0x6092c13a
0x6092c142
0x6092c147
0x6092c151
0x6092c153
0x6092c153
0x6092c159
0x6092c15e
0x6092c15e
0x6092c163
0x6092c168
0x00000000
0x00000000
0x6092c17f
0x00000000
0x00000000
0x00000000
0x00000000
0x6092c170
0x6092c170
0x6092c175
0x00000000
0x6092c17b
0x00000000
0x6092c17b
0x6092c175
0x6092c0ad
0x6092c0f8
0x6092c102
0x6092c106
0x6092c111
0x6092c11b
0x6092c11f
0x6092c122
0x6092c127
0x00000000
0x00000000
0x00000000
0x6092c0af
0x6092c0af
0x6092c0c2
0x6092c0c4
0x6092c0d2
0x6092c0d6
0x6092c0d9
0x6092c0e0
0x6092c0e9
0x6092c0e9
0x6092c0e0
0x6092c0ee
0x00000000
0x6092c0ee
0x6092c0ad
0x6092c02a
0x6092c02e
0x6092c03c
0x6092c040
0x6092c043
0x6092c046
0x6092c04a
0x00000000
0x00000000
0x00000000
0x6092c04a
0x6092bfdc
0x6092bfc0
0x6092bfc3
0x6092bfc8
0x00000000
0x00000000
0x00000000

APIs

memcmp.MSVCRT ref: 6092C335

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 7c3f7abf581dc60df0f61027b48660af0664a25e191bccfd15ed0f0d338d4bdc
Instruction ID: cbd010cd0bba6434008ed18edfaa5631bc5b952032936672837205308734108d
Opcode Fuzzy Hash: 7c3f7abf581dc60df0f61027b48660af0664a25e191bccfd15ed0f0d338d4bdc
Instruction Fuzzy Hash: 71E17AB0918305DFEB01DF65D48479EBBF6AF64348F048869E854AB259D778C888CF92

Uniqueness

Uniqueness Score: -1.00%

Function 609252D4 Relevance: 1.3, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 609252EA

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 410eb0f2e0c30fac5e10564bd1219a3bf4c9d9611939515d83151a3d84b1bea5
Instruction ID: 61e52f20e36b4debd0cd5227bc03acbaae17495ef37d28cc87fb6d9ad86e296c
Opcode Fuzzy Hash: 410eb0f2e0c30fac5e10564bd1219a3bf4c9d9611939515d83151a3d84b1bea5
Instruction Fuzzy Hash: F1F0A0B0908304DBCB00DFAAE8C260DBBE5BF50258F44C56DE8958B389D378E984CB51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6090F435 Relevance: 1.3, APIs: 1, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6090F408

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID: strncmp
String ID:
API String ID: 1114863663-0
Opcode ID: 1afc9c598b98b8b39b028df1fae949840e722f103bb763c47b573b102ffad96d
Instruction ID: 2ddb87dd3feee9912d96061c657f0276797c4fa849e52ff3205fceef8d4f9f1d
Opcode Fuzzy Hash: 1afc9c598b98b8b39b028df1fae949840e722f103bb763c47b573b102ffad96d
Instruction Fuzzy Hash: C501E171A442049BDF04DE6DD4C069BBBFBAFA8258F50803DDC4683214E775E9018794

Uniqueness

Uniqueness Score: -1.00%

Function 609255D4 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
Instruction ID: 19c4c58ecb434a21204d9b38047e93a23a7f28015e8477a734fda6841bb58fe8
Opcode Fuzzy Hash: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
Instruction Fuzzy Hash: 56317AB4A082188FCB04DF69D880A8EBBF6FF99314F008559FC5897348D734D940CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 60925778 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9530f87787b8119f4c9cc68ae88dcf3bf39b5687c460dfc3dfef9c72e832448e
Instruction ID: 7d90fc06d4cce0e838b429dd10c1bf3c3a361cb752c215b3ba3cb2f1ab2ab036
Opcode Fuzzy Hash: 9530f87787b8119f4c9cc68ae88dcf3bf39b5687c460dfc3dfef9c72e832448e
Instruction Fuzzy Hash: 3D314CB1918304DBCB08DF19E49519ABBE6EB98324F10C51EEC994B38DD378C990CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6090EAE5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f117e8ba99c9bad4f54f5b3620d9974a49789c773f31f863af254112f0c5675
Instruction ID: effbd8e19046072ddbb4417e2dded5b27abdd8660d1f9db1793e45fd4963ee99
Opcode Fuzzy Hash: 1f117e8ba99c9bad4f54f5b3620d9974a49789c773f31f863af254112f0c5675
Instruction Fuzzy Hash: D21173302047458BD710EB2AC489B55FFEBBF65318F0984ADD9468B2A6F374E8C5C791

Uniqueness

Uniqueness Score: -1.00%

Function 6092570B Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78b12b45e858c7fd8cb74f5d211d4e30abbc68d4504511404b73e1b177a8d68
Instruction ID: d5dd20366bd30be5098f9e48471fbeb1ccf01997be5a2761bb4486817e6b3aba
Opcode Fuzzy Hash: f78b12b45e858c7fd8cb74f5d211d4e30abbc68d4504511404b73e1b177a8d68
Instruction Fuzzy Hash: 23F08171A10A28D7CB106F29EC8958EBBB9FF69254B055058ECC1A730CDB35D925C791

Uniqueness

Uniqueness Score: -1.00%

Function 609254B1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0

Uniqueness

Uniqueness Score: -1.00%

Function 6090C1D6 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 60925686 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
Instruction ID: 4fd0dfe8dd6226820e052206e0db6187a6d8a97f2116fb4a305c2fd2856f8961
Opcode Fuzzy Hash: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
Instruction Fuzzy Hash: 94F08CB5A002099BCB00DF2AD88088ABBBAFF98264B05952AEC049B314D770E941CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 60925655 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
Instruction ID: bc2fa39936d9f4ed0ba1ebf98b65e017ff83ed2bbf5e058a49948814e7f33c49
Opcode Fuzzy Hash: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
Instruction Fuzzy Hash: 59E0EC74A042089BCB04DF6AD4C194AB7F9EF58258B14D665EC458B309E231E9858BC1

Uniqueness

Uniqueness Score: -1.00%

Function 6090577D Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc903d30242b0235a49ca3dc9f8df4f0198bb3c17ee07b08e44db8f45d9d2100
Instruction ID: 8dcd3a280e311d85a08cff7bb149483fc74061697cd2af1d422aa8a6e56622f3
Opcode Fuzzy Hash: fc903d30242b0235a49ca3dc9f8df4f0198bb3c17ee07b08e44db8f45d9d2100
Instruction Fuzzy Hash: 3DE0E2287142159BDB08EE6AC6C181B77ABBFD9654760846CE9078F202E776E9029640

Uniqueness

Uniqueness Score: -1.00%

Function 609255FF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5aa561fe8b7943dde2a358ba30c2c8876ef78bddd50c77f68009583e67d90a
Instruction ID: 29002ccca7877ead4b7e7e784383ace88c03f26ddf616943a2b43c0eb71ea2e3
Opcode Fuzzy Hash: 5c5aa561fe8b7943dde2a358ba30c2c8876ef78bddd50c77f68009583e67d90a
Instruction Fuzzy Hash: 36E0E2B850430DABDF00CF09D8C188A7BAAFB08364F10C119FC190B305C371E9548BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6092562A Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82c79c3d673ce5d83164ffe7b594e49b00bd73c00824d0aa5044480003c1f0d
Instruction ID: a276b763828cd9d21177d39229c24ef0f5c00ef14d0f26540801fec71d9d5410
Opcode Fuzzy Hash: c82c79c3d673ce5d83164ffe7b594e49b00bd73c00824d0aa5044480003c1f0d
Instruction Fuzzy Hash: 29E0E2B850430DABDF00CF09D8C198A7BAAFB08264F10C119FC190B304C331E9148BE1

Uniqueness

Uniqueness Score: -1.00%

Function 609256E5 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfbb127be37b3944cf6aee767a60d103abce584902525ba566a621f413e0d82
Instruction ID: 7a9bf9350bb0d435b7485bd9c083abc2dab3a9c90cc7cce47300d03dda88f0d0
Opcode Fuzzy Hash: 8bfbb127be37b3944cf6aee767a60d103abce584902525ba566a621f413e0d82
Instruction Fuzzy Hash: FFD092B4909309AFCB00EF29C48644EBBE5AF98258F40C82DFC98C7314E274E8408F92

Uniqueness

Uniqueness Score: -1.00%

Function 6090576B Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a733227118cb881a49c8c313e73996236a25ff6ef409992dae375156ab2579
Instruction ID: b9da89681c28018b616aefc3abdd9d2409dd53a1bfe33812f7039069606fa4db
Opcode Fuzzy Hash: 83a733227118cb881a49c8c313e73996236a25ff6ef409992dae375156ab2579
Instruction Fuzzy Hash: 6DB09214310A0F829B008B29A4819277BEEAB989897558064990A8A115FA71F88286C0

Uniqueness

Uniqueness Score: -1.00%

Function 6092A6C1 Relevance: 13.9, APIs: 6, Strings: 3, Instructions: 352
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E6092A6C1(signed int __eax, signed int* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int* _v52;
				int _v56;
				char* _v60;
				void* _v68;
				char* _v72;
				int _t136;
				void* _t139;
				int _t143;
				intOrPtr _t144;
				int _t145;
				signed int _t148;
				int _t152;
				signed int _t154;
				void* _t157;
				signed int _t159;
				signed int _t160;
				signed int _t162;
				intOrPtr _t165;
				intOrPtr _t174;
				intOrPtr _t175;
				char* _t176;
				void* _t177;
				char* _t180;
				intOrPtr* _t181;
				signed int _t187;
				char* _t190;
				signed int _t192;
				signed int _t193;
				signed char _t195;
				int _t199;
				int _t200;
				intOrPtr _t203;
				int _t208;
				signed int _t210;
				int _t213;
				int _t214;
				char* _t215;
				void* _t224;
				void* _t225;
				void* _t227;
				void* _t228;
				void** _t230;
				void* _t248;

				_t248 = __fp0;
				_v44 = __eax;
				_t227 = __edx;
				_v52 = __ecx;
				_v32 =  *__ecx;
				_t136 = E60902023(__edx);
				_t199 = _t136;
				if((_v32 & 0x00000040) != 0 ||  *0x6096e014 != 0) {
					if(_t199 <= 4) {
						goto L85;
					}
					_v68 = 5;
					_v72 = "file:";
					 *_t230 = _t227;
					_v56 = _t199;
					L6096DBF8();
					_t199 = _v56;
					if(_t136 != 0) {
						goto L85;
					} else {
						_t187 = _t199 + 2;
						do {
							_t187 = _t187 + (0 |  *((char*)(_t227 + _t136)) == 0x00000026);
							_t136 = _t136 + 1;
						} while (_t136 != _t199);
						 *_t230 = _t187;
						_t177 = E60916FBA();
						_t139 = 7;
						if(_t177 == 0) {
							goto L93;
						}
						_v36 = _v32 | 0x00000040;
						if( *((char*)(_t227 + 5)) == 0x2f) {
							_t225 = 5;
							if( *((char*)(_t227 + 6)) != 0x2f) {
								L9:
								_v32 = 0;
								while(1) {
									L56:
									_t208 = 0;
									while(1) {
										L57:
										_t148 =  *((intOrPtr*)(_t227 + _t225));
										if(_t148 == 0 || _t148 == 0x23) {
											break;
										}
										_t225 = _t225 + 1;
										if(_t148 != 0x25) {
											L35:
											if(_t208 != 1) {
												L47:
												if(_t148 != 0x3f || _t208 != 0) {
													if(_t148 != 0x26 || _t208 != 2) {
														goto L55;
													} else {
														_t208 = 1;
														goto L54;
													}
												} else {
													_t208 = 1;
													L54:
													_t148 = 0;
													L55:
													_t192 = _v32;
													 *(_t177 + _t192) = _t148;
													_t187 = _t192 + 1;
													_v32 = _t187;
													continue;
												}
											}
											_t187 = _t187 & 0xffffff00 | _t148 == 0x00000026;
											if(_t148 == 0x3d || _t187 != 0) {
												if( *((char*)(_t177 + _v32 - 1)) != 0) {
													if(_t187 == 0) {
														_t208 = 2;
													} else {
														_t193 = _v32;
														 *((char*)(_t177 + _t193)) = 0;
														_v32 = _t193 + 1;
													}
													goto L54;
												}
												while(1) {
													_t165 =  *((intOrPtr*)(_t227 + _t225));
													if(_t165 == 0x23 || _t165 == 0) {
														goto L57;
													}
													if( *((char*)(_t227 + _t225 - 1)) != 0x26) {
														_t225 = _t225 + 1;
														continue;
													}
													goto L57;
												}
												continue;
											} else {
												goto L47;
											}
										}
										_t195 =  *((intOrPtr*)(_t227 + _t225));
										_v40 = _t195;
										_t187 = _t195 & 0x000000ff;
										if(( *(_t187 + 0x609742a0) & 0x00000008) == 0) {
											goto L35;
										}
										_t187 =  *(_t227 + _t225 + 1) & 0x000000ff;
										if(( *(_t187 + 0x609742a0) & 0x00000008) == 0) {
											goto L35;
										}
										_t36 = _t225 + 1; // 0x7
										_v48 = _t36;
										_v56 = _t208;
										_v40 = (E60902C56(_v40) & 0x000000ff) << 4;
										_t225 = _t225 + 2;
										_t187 = _v40 + (E60902C56( *((char*)(_t227 + _v48))) & 0x000000ff);
										_t148 = _t187;
										_t208 = _v56;
										if(_t187 != 0) {
											goto L55;
										}
										while(1) {
											_t174 =  *((intOrPtr*)(_t227 + _t225));
											if(_t174 == 0 || _t174 == 0x23) {
												goto L57;
											}
											if(_t208 != 0 || _t174 != 0x3f) {
												if(_t208 != 1 || _t174 != 0x26 && _t174 != 0x3d) {
													if(_t208 != 2 || _t174 != 0x26) {
														_t225 = _t225 + 1;
														continue;
													} else {
														goto L57;
													}
												} else {
													goto L57;
												}
											} else {
												goto L56;
											}
										}
									}
									if(_t208 == 1) {
										_t162 = _v32;
										 *((char*)(_t177 + _t162)) = 0;
										_v32 = _t162 + 1;
									}
									_t210 = _v32;
									 *((char*)(_t177 + _t210)) = 0;
									 *((char*)(_t177 + _t210 + 1)) = 0;
									_t69 = E60902023(_t177) + 1; // 0x1
									_t224 = _v44;
									_v32 = _t177;
									_t180 = _t177 + _t69;
									while( *_t180 != 0) {
										_t152 = E60902023(_t180);
										_t73 = _t152 + 1; // 0x2
										_t228 = _t180 + _t73;
										_v56 = _t152;
										_t154 = E60902023(_t228);
										_v40 = _t154;
										_t213 = _v56;
										if(_t213 != 3) {
											if(_t213 != 5) {
												if(_t213 != 4) {
													L82:
													_t112 = _v40 + 1; // 0x3
													_t180 = _t228 + _t112;
													continue;
												}
												_v68 = 4;
												_v72 = _t180;
												 *_t230 = "mode";
												L6096DBF8();
												if(_t154 != 0) {
													goto L82;
												}
												_v44 = _v36 & 0x00000087;
												_v48 = 0x87;
												_t190 = "access";
												_t181 = 0x6096e110;
												while(1) {
													L76:
													_t214 =  *_t181;
													if(_t214 == 0) {
														break;
													}
													_v56 = _t214;
													_v60 = _t190;
													_t157 = E60902023(_t214);
													_t215 = _v56;
													_t190 = _v60;
													if(_v40 != _t157) {
														L75:
														_t181 = _t181 + 8;
														continue;
													}
													_t159 = _v40;
													_v68 = _t159;
													_v72 = _t215;
													 *_t230 = _t228;
													L6096DBF8();
													_t190 = _v60;
													if(_t159 != 0) {
														goto L75;
													}
													_t95 = _t181 + 4; // 0x1
													_t160 =  *_t95;
													if(_t160 != 0) {
														if((_t160 & 0x0000007f) <= _v44) {
															_v36 = _v36 &  !_v48;
															_v36 = _v36 | _t160;
															goto L82;
														}
														_t177 = _v32;
														_v68 = _t228;
														_v72 = _t190;
														 *_t230 = "%s mode not allowed: %s";
														 *_a12 = E609296AA(_t248);
														_t145 = 3;
														goto L91;
													}
													break;
												}
												_t177 = _v32;
												_v68 = _t228;
												_v72 = _t190;
												 *_t230 = "no such %s mode: %s";
												 *_a12 = E609296AA(_t248);
												goto L90;
											}
											_v68 = 5;
											_v72 = _t180;
											 *_t230 = "cache";
											L6096DBF8();
											if(_t154 == 0) {
												_v48 = 0x60000;
												_t190 = "cache";
												_t181 = 0x6096e138;
												_v44 = 0x60000;
												goto L76;
											}
											goto L82;
										}
										_v68 = 3;
										_v72 = _t180;
										 *_t230 = "vfs";
										L6096DBF8();
										if(_t154 == 0) {
											_t224 = _t228;
										}
										goto L82;
									}
									_t177 = _v32;
									goto L87;
								}
							}
							_t225 = 7;
							while(1) {
								_t175 =  *((intOrPtr*)(_t227 + _t225));
								if(_t175 == 0x2f || _t175 == 0) {
									break;
								}
								_t225 = _t225 + 1;
							}
							if(_t225 == 7) {
								goto L9;
							}
							if(_t225 != 0x10) {
								L18:
								_v68 = _t227 + 7;
								_v72 = _t225 - 7;
								 *_t230 = "invalid uri authority: %.*s";
								_t144 = E609296AA(_t248);
								goto L89;
							}
							_t176 = _t227 + 7;
							_v68 = 9;
							_v72 = _t176;
							 *_t230 = "localhost";
							L6096DBF8();
							if(_t176 == 0) {
								goto L9;
							}
							goto L18;
						}
						_t225 = 5;
						goto L9;
					}
				} else {
					L85:
					_t114 = _t199 + 2; // 0x2
					 *_t230 = _t114;
					_v56 = _t199;
					_t177 = E60916FBA();
					_t139 = 7;
					_t200 = _v56;
					if(_t177 == 0) {
						L93:
						return _t139;
					}
					memcpy(_t177, _t227, _t200);
					_t230 =  &(_t230[3]);
					 *((char*)(_t177 + _t200)) = 0;
					 *((char*)(_t177 + _t200 + 1)) = 0;
					_v36 = _v32 & 0xffffffbf;
					_t224 = _v44;
					L87:
					 *_t230 = _t224;
					_t203 = E6092A62C();
					 *_a4 = _t203;
					_t143 = 0;
					if(_t203 != 0) {
						L92:
						 *_v52 = _v36;
						 *_a8 = _t177;
						return _t143;
					}
					_v72 = _t224;
					 *_t230 = "no such vfs: %s";
					_t144 = E609296AA(_t248);
					L89:
					 *_a12 = _t144;
					L90:
					_t145 = 1;
					L91:
					 *_t230 = _t177;
					_v56 = _t145;
					E60901C61();
					_t177 = 0;
					_t143 = _v56;
					goto L92;
				}
			}

0x6092a6c1
0x6092a6ca
0x6092a6cd
0x6092a6cf
0x6092a6d4
0x6092a6d9
0x6092a6de
0x6092a6e4
0x6092a6f6
0x00000000
0x00000000
0x6092a6fc
0x6092a704
0x6092a70c
0x6092a70f
0x6092a712
0x6092a719
0x6092a71c
0x00000000
0x6092a722
0x6092a722
0x6092a725
0x6092a72e
0x6092a730
0x6092a731
0x6092a735
0x6092a73d
0x6092a73f
0x6092a746
0x00000000
0x00000000
0x6092a752
0x6092a759
0x6092a76c
0x6092a775
0x6092a760
0x6092a760
0x6092a8f6
0x6092a8f6
0x6092a8f6
0x6092a8f8
0x6092a8f8
0x6092a8f8
0x6092a8fd
0x00000000
0x00000000
0x6092a7d1
0x6092a7d4
0x6092a883
0x6092a886
0x6092a8c7
0x6092a8c9
0x6092a8d1
0x00000000
0x6092a8d8
0x6092a8d8
0x00000000
0x6092a8d8
0x6092a8e3
0x6092a8e3
0x6092a8e8
0x6092a8e8
0x6092a8ea
0x6092a8ea
0x6092a8ed
0x6092a8f0
0x6092a8f1
0x00000000
0x6092a8f1
0x6092a8c9
0x6092a88a
0x6092a88f
0x6092a89d
0x6092a8b8
0x6092a8dc
0x6092a8ba
0x6092a8ba
0x6092a8bd
0x6092a8c2
0x6092a8c2
0x00000000
0x6092a8b8
0x6092a8a2
0x6092a8a2
0x6092a8a7
0x00000000
0x00000000
0x6092a8b2
0x6092a8a1
0x00000000
0x6092a8a1
0x00000000
0x6092a8b4
0x00000000
0x00000000
0x00000000
0x00000000
0x6092a88f
0x6092a7da
0x6092a7dd
0x6092a7e0
0x6092a7ea
0x00000000
0x00000000
0x6092a7f0
0x6092a7fc
0x00000000
0x00000000
0x6092a802
0x6092a805
0x6092a80c
0x6092a81a
0x6092a81d
0x6092a832
0x6092a834
0x6092a838
0x6092a83b
0x00000000
0x00000000
0x6092a844
0x6092a844
0x6092a849
0x00000000
0x00000000
0x6092a859
0x6092a866
0x6092a87b
0x6092a843
0x00000000
0x6092a881
0x00000000
0x6092a881
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6092a859
0x6092a844
0x6092a908
0x6092a90a
0x6092a90d
0x6092a912
0x6092a912
0x6092a915
0x6092a918
0x6092a91c
0x6092a928
0x6092a92c
0x6092a92f
0x6092a932
0x6092aa9d
0x6092a93b
0x6092a942
0x6092a942
0x6092a948
0x6092a94b
0x6092a950
0x6092a953
0x6092a959
0x6092a983
0x6092a9ad
0x6092aa96
0x6092aa99
0x6092aa99
0x00000000
0x6092aa99
0x6092a9b3
0x6092a9bb
0x6092a9bf
0x6092a9c6
0x6092a9cd
0x00000000
0x00000000
0x6092a9dc
0x6092a9df
0x6092a9e6
0x6092a9eb
0x6092aa30
0x6092aa30
0x6092aa30
0x6092aa34
0x00000000
0x00000000
0x6092a9f4
0x6092a9f7
0x6092a9fa
0x6092aa02
0x6092aa05
0x6092aa08
0x6092aa2d
0x6092aa2d
0x00000000
0x6092aa2d
0x6092aa0a
0x6092aa0d
0x6092aa11
0x6092aa15
0x6092aa18
0x6092aa1f
0x6092aa22
0x00000000
0x00000000
0x6092aa24
0x6092aa24
0x6092aa29
0x6092aa5f
0x6092aa8c
0x6092aa8f
0x00000000
0x6092aa8f
0x6092aa61
0x6092aa64
0x6092aa68
0x6092aa6c
0x6092aa7b
0x6092aa7d
0x00000000
0x6092aa7d
0x00000000
0x6092aa2b
0x6092aa36
0x6092aa39
0x6092aa3d
0x6092aa41
0x6092aa50
0x00000000
0x6092aa50
0x6092a985
0x6092a98d
0x6092a991
0x6092a998
0x6092a99f
0x6092ab36
0x6092ab3d
0x6092ab42
0x6092ab47
0x00000000
0x6092ab47
0x00000000
0x6092a9a5
0x6092a95b
0x6092a963
0x6092a967
0x6092a96e
0x6092a975
0x6092aa94
0x6092aa94
0x00000000
0x6092a975
0x6092aaa6
0x00000000
0x6092aaa6
0x6092a8f6
0x6092a777
0x6092a77e
0x6092a77e
0x6092a783
0x00000000
0x00000000
0x6092a77d
0x6092a77d
0x6092a78c
0x00000000
0x00000000
0x6092a791
0x6092a7b2
0x6092a7b5
0x6092a7bc
0x6092a7c0
0x6092a7c7
0x00000000
0x6092a7c7
0x6092a793
0x6092a796
0x6092a79e
0x6092a7a2
0x6092a7a9
0x6092a7b0
0x00000000
0x00000000
0x00000000
0x6092a7b0
0x6092a75b
0x00000000
0x6092a75b
0x6092aaab
0x6092aaab
0x6092aaab
0x6092aaae
0x6092aab1
0x6092aab9
0x6092aabb
0x6092aac2
0x6092aac5
0x6092ab35
0x6092ab35
0x6092ab35
0x6092aacb
0x6092aacb
0x6092aacd
0x6092aad1
0x6092aadc
0x6092aadf
0x6092aae2
0x6092aae2
0x6092aaea
0x6092aaef
0x6092aaf1
0x6092aaf5
0x6092ab21
0x6092ab27
0x6092ab2c
0x00000000
0x6092ab2c
0x6092aaf7
0x6092aafb
0x6092ab02
0x6092ab07
0x6092ab0a
0x6092ab0c
0x6092ab0c
0x6092ab11
0x6092ab11
0x6092ab14
0x6092ab17
0x6092ab1c
0x6092ab1e
0x00000000
0x6092ab1e

APIs

memcmp.MSVCRT ref: 6092A712
memcmp.MSVCRT ref: 6092A7A9
memcmp.MSVCRT ref: 6092A96E
memcmp.MSVCRT ref: 6092A998
memcmp.MSVCRT ref: 6092A9C6
memcmp.MSVCRT ref: 6092AA18

Strings

cache, xrefs: 6092A991, 6092AB3D
@, xrefs: 6092A6E0
access, xrefs: 6092A9E6

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID: memcmp
String ID: @$access$cache
API String ID: 1475443563-1361544076
Opcode ID: 19065094f7a61ae5fa0f118773a69bd69932ab9bc71fb499c0e2e31449818374
Instruction ID: 35071b2ec389daa84eb338d99e29a1052eb2425681bc363379ff67fe3f9a0dd7
Opcode Fuzzy Hash: 19065094f7a61ae5fa0f118773a69bd69932ab9bc71fb499c0e2e31449818374
Instruction Fuzzy Hash: 27D19E75D183458BDB11CF69E58039EBBF7AFAA304F20846ED4949B349D339D882CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6096D170 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93
memoryCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E6096D170(void* __eax, void* __ebx, int __ecx, void* __edx, intOrPtr __edi, void* __esi) {
				void* _v16;
				void* _v32;
				char _v36;
				char _v40;
				intOrPtr _v48;
				char* _v60;
				int _v64;
				intOrPtr _v68;
				intOrPtr _v80;
				void* _v84;
				char** _v88;
				signed int _v148;
				void* _t55;
				long _t57;
				signed int _t59;
				void* _t63;
				intOrPtr* _t65;
				intOrPtr* _t66;
				intOrPtr _t68;
				signed char* _t70;
				intOrPtr _t74;
				void* _t85;
				intOrPtr* _t87;
				intOrPtr* _t89;
				int _t94;
				intOrPtr _t96;
				signed int _t112;
				void** _t120;
				intOrPtr _t121;
				signed int _t126;
				void* _t141;
				char _t145;
				char** _t150;
				void* _t152;
				intOrPtr* _t153;
				char** _t154;
				char** _t155;
				char** _t162;

				_t122 = __edi;
				_t106 = __edx;
				_t55 = __eax;
				_push(__edi);
				_push(__esi);
				_push(__ebx);
				_t153 = _t152 - 0x4c;
				_t85 = __eax;
				_t141 = __edx;
				if(__ecx != 0) {
					_v84 = 0x1c;
					_v88 =  &_v60;
					 *_t153 = __eax;
					_v64 = __ecx;
					_t57 = VirtualQuery(??, ??, ??);
					_t154 = _t153 - 0xc;
					_t94 = _v64;
					if(_t57 == 0) {
						_v84 = _t85;
						_v88 = 0x1c;
						 *_t154 = "  VirtualQuery failed for %d bytes at address %p";
						E6096D124(_t85, _t94, _t106, __edi, _t141);
						_t150 = _t154;
						_push(__edi);
						_push(_t141);
						_push(_t85);
						_t155 = _t154 - 0x2c;
						_t59 =  *0x6097a44c; // 0x1
						if(_t59 == 0) {
							 *0x6097a44c = 1;
							_t59 = 0;
							if(0x60979d24 <= 7) {
								goto L11;
							} else {
								_t87 = 0x60979d24;
								if(0x60979d24 <= 0xb) {
									L23:
									_t106 =  *_t87;
									if( *_t87 != 0) {
										goto L17;
									} else {
										_t32 = _t87 + 4; // 0x0
										_t59 =  *_t32;
										if(_t59 != 0) {
											goto L17;
										} else {
											goto L25;
										}
									}
								} else {
									_t122 =  *0x60979d24; // 0x0
									if(_t122 != 0) {
										L17:
										if(_t87 >= 0x60979d24) {
											goto L11;
										} else {
											do {
												_t30 = _t87 + 4; // 0x0
												_v40 =  *((intOrPtr*)( *_t30 + 0x60900000)) +  *_t87;
												_t63 = E6096D170( *_t30 + 0x60900000, _t87, 4,  &_v40,  &_v40, 0x60900000);
												_t87 = _t87 + 8;
											} while (_t87 < 0x60979d24);
											return _t63;
										}
									} else {
										_t141 =  *0x60979d28; // 0x0
										if(_t141 == 0) {
											_t94 =  *0x60979d2c; // 0x0
											if(_t94 != 0) {
												L25:
												_t33 = _t87 + 8; // 0x0
												_t59 =  *_t33;
												if(_t59 != 1) {
													_v148 = _t59;
													 *_t155 = "  Unknown pseudo relocation protocol version %d.\n";
													E6096D124(_t87, _t94, _t106, _t122, _t141);
													_push(_t150);
													_t65 =  *0x6096efa8; // 0x6096debc
													_t66 =  *_t65;
													while(_t66 != 0) {
														 *_t66();
														_t68 =  *0x6096efa8; // 0x6096debc
														_t53 = _t68 + 4; // 0x6096dec0
														 *0x6096efa8 = _t53;
														_t54 = _t68 + 4; // 0x0
														_t66 =  *_t54;
													}
													return _t66;
												} else {
													_t89 = _t87 + 0xc;
													if(_t89 < 0x60979d24) {
														do {
															_t34 = _t89 + 4; // 0x0
															_t70 = 0x60900000 +  *_t34;
															_t96 =  *_t89;
															_t35 = _t96 + 0x60900000; // 0x905a4d
															_t145 =  *_t35;
															_t36 = _t89 + 8; // 0x0
															_t112 =  *_t36 & 0x000000ff;
															if(_t112 == 0x10) {
																_t126 =  *0x60900000 & 0x0000ffff;
																if((_t126 & 0x00008000) != 0) {
																	_t122 = (_t126 | 0xffff0000) - _t96 - 0x60900000;
																	_v36 = _t145;
																	goto L43;
																} else {
																	goto L34;
																}
															} else {
																if(_t112 == 0x20) {
																	_v36 =  *0x60900000 - _t96 - 0x60900000 + _t145;
																	goto L39;
																} else {
																	if(_t112 != 8) {
																		_v36 = 0;
																		_v148 = _t112;
																		 *_t155 = "  Unknown pseudo relocation bit size %d.\n";
																		_t70 = E6096D124(_t89, _t96, _t112, _t122, _t145);
																	}
																	_t126 =  *_t70 & 0x000000ff;
																	if((_t126 & 0x00000080) == 0) {
																		L34:
																		_t122 = _t126 - _t96;
																		_v36 = _t126 - _t96 - 0x60900000 + _t145;
																		if(_t112 == 0x10) {
																			L43:
																			E6096D170(_t70, _t89, 2,  &_v36, _t122, _t145);
																		} else {
																			if(_t112 == 0x20) {
																				L39:
																				E6096D170(_t70, _t89, 4,  &_v36, _t122, _t145);
																			} else {
																				if(_t112 == 8) {
																					goto L37;
																				}
																			}
																		}
																	} else {
																		_t122 = (_t126 | 0xffffff00) - _t96 - 0x60900000;
																		_v36 = _t145;
																		L37:
																		E6096D170(_t70, _t89, 1,  &_v36, _t122, _t145);
																	}
																}
															}
															_t89 = _t89 + 0xc;
															_t59 = 0x60979d24;
														} while (0x60979d24 > _t89);
													}
													goto L11;
												}
											} else {
												_t87 = 0x60979d30;
												goto L23;
											}
										} else {
											goto L17;
										}
									}
								}
							}
						} else {
							L11:
							return _t59;
						}
					} else {
						_t74 = _v40;
						if(_t74 == 0x40 || _t74 == 4) {
							return memcpy(_t85, _t141, _t94);
						} else {
							_t120 =  &_v32;
							_v80 = _t120;
							_v84 = 0x40;
							_v88 = _v48;
							 *_t154 = _v60;
							_v68 = _t120;
							_v64 = _t94;
							VirtualProtect(??, ??, ??, ??);
							_t55 = memcpy(_t85, _t141, _v64);
							_t162 = _t154 - 0x10 + 0xc;
							_t121 = _v68;
							if(_t55 == 0x40 || _t55 == 4) {
								goto L1;
							} else {
								_v80 = _t121;
								_v84 = _v32;
								_v88 = _v48;
								 *_t162 = _v60;
								return VirtualProtect(??, ??, ??, ??);
							}
						}
					}
				} else {
					L1:
					return _t55;
				}
			}

0x6096d170
0x6096d170
0x6096d170
0x6096d173
0x6096d174
0x6096d175
0x6096d176
0x6096d179
0x6096d17b
0x6096d17f
0x6096d18c
0x6096d197
0x6096d19b
0x6096d19e
0x6096d1a1
0x6096d1a6
0x6096d1ab
0x6096d1ae
0x6096d23c
0x6096d240
0x6096d248
0x6096d24f
0x6096d255
0x6096d257
0x6096d258
0x6096d259
0x6096d25a
0x6096d25d
0x6096d264
0x6096d270
0x6096d27f
0x6096d287
0x00000000
0x6096d289
0x6096d289
0x6096d291
0x6096d2f4
0x6096d2f4
0x6096d2f8
0x00000000
0x6096d2fa
0x6096d2fa
0x6096d2fa
0x6096d2ff
0x00000000
0x00000000
0x00000000
0x00000000
0x6096d2ff
0x6096d293
0x6096d293
0x6096d29b
0x6096d2a8
0x6096d2ae
0x00000000
0x6096d2b0
0x6096d2b8
0x6096d2b8
0x6096d2c1
0x6096d2cb
0x6096d2d0
0x6096d2d3
0x6096d2e2
0x6096d2e2
0x6096d29d
0x6096d29d
0x6096d2a5
0x6096d2e4
0x6096d2ec
0x6096d301
0x6096d301
0x6096d301
0x6096d307
0x6096d40f
0x6096d413
0x6096d41a
0x6096d420
0x6096d426
0x6096d42b
0x6096d42f
0x6096d434
0x6096d436
0x6096d43b
0x6096d43e
0x6096d444
0x6096d444
0x6096d447
0x6096d44c
0x6096d30d
0x6096d30d
0x6096d316
0x6096d31c
0x6096d321
0x6096d321
0x6096d324
0x6096d326
0x6096d326
0x6096d32c
0x6096d32f
0x6096d338
0x6096d380
0x6096d389
0x6096d3f4
0x6096d3fd
0x00000000
0x00000000
0x00000000
0x00000000
0x6096d33a
0x6096d33d
0x6096d3c4
0x00000000
0x6096d33f
0x6096d342
0x6096d344
0x6096d34b
0x6096d34f
0x6096d356
0x6096d356
0x6096d35c
0x6096d365
0x6096d38b
0x6096d38b
0x6096d397
0x6096d39d
0x6096d400
0x6096d408
0x6096d39f
0x6096d3a2
0x6096d3c7
0x6096d3cf
0x6096d3a4
0x6096d3a7
0x00000000
0x00000000
0x6096d3a7
0x6096d3a2
0x6096d367
0x6096d36f
0x6096d378
0x6096d3a9
0x6096d3b1
0x6096d3b1
0x6096d365
0x6096d33d
0x6096d3d4
0x6096d3d7
0x6096d3dc
0x6096d3e4
0x00000000
0x6096d316
0x6096d2ee
0x6096d2ee
0x00000000
0x6096d2ee
0x00000000
0x00000000
0x00000000
0x6096d2a5
0x6096d29b
0x6096d291
0x6096d266
0x6096d266
0x6096d26d
0x6096d26d
0x6096d1b4
0x6096d1b4
0x6096d1ba
0x6096d23b
0x6096d1c1
0x6096d1c1
0x6096d1c4
0x6096d1c8
0x6096d1d3
0x6096d1da
0x6096d1dd
0x6096d1e0
0x6096d1e3
0x6096d1f3
0x6096d1f3
0x6096d1f8
0x6096d1fb
0x00000000
0x6096d206
0x6096d206
0x6096d20d
0x6096d214
0x6096d21b
0x6096d22d
0x6096d22d
0x6096d1fb
0x6096d1ba
0x6096d181
0x6096d181
0x6096d188
0x6096d188

APIs

VirtualQuery.KERNEL32 ref: 6096D1A1
VirtualProtect.KERNEL32 ref: 6096D1E3
VirtualProtect.KERNEL32 ref: 6096D21E

Strings

@, xrefs: 6096D1C8

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID: Virtual$Protect$Query
String ID: @
API String ID: 3618607426-2766056989
Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52

Uniqueness

Uniqueness Score: -1.00%

Function 60901184 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6090119B
GetProcAddress.KERNEL32 ref: 609011B0

Strings

_Jv_RegisterClasses, xrefs: 609011A5
libgcj-11.dll, xrefs: 60901194

Memory Dump Source

Source File: 00000001.00000002.514756519.0000000060901000.00000020.00001000.00020000.00000000.sdmp, Offset: 60900000, based on PE: true

Associated: 00000001.00000002.514737869.0000000060900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515035748.000000006096E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515046332.000000006096F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515085522.000000006097A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515100010.000000006097B000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515109998.000000006097D000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.515117909.0000000060980000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_60900000_CasPol.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: _Jv_RegisterClasses$libgcj-11.dll
API String ID: 1646373207-2713375476
Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TradingView Desktop.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\09644236449087905114903911

C:\ProgramData\31553338626880382755.exe

C:\ProgramData\36940701874687339868448405

C:\ProgramData\37246748894066899441523773

C:\ProgramData\37541604114145269914839961

C:\ProgramData\65386444350250873792918786

C:\ProgramData\92681918866753298444543158

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TradingView Desktop.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\TradingView[1].msix

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Windows Analysis Report
TradingView Desktop.exe