Play interactive tour

Edit tour

Analysis Report LI180_win-1.5.1.exe

Overview

General Information

Sample Name:	LI180_win-1.5.1.exe
Analysis ID:	358582
MD5:	77d64242fbd270b5363d383b51075783
SHA1:	4c23d1f71ff19b5c046d8b1d750104a386f184f9
SHA256:	a48f199141b10a4d425fd128ac0bdfca75ec98741a3eacff11a67a3bbc4bde01
Infos:
Most interesting Screenshot:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

May use the Tor software to hide its network traffic

Sample is not signed and drops a device driver

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file contains strange resources

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to detect Joe Sandbox

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample searches for specific file, try point organization specific fake files to the analysis machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Startup

System is w10x64

LI180_win-1.5.1.exe (PID: 6456 cmdline: 'C:\Users\user\Desktop\LI180_win-1.5.1.exe' MD5: 77D64242FBD270B5363D383B51075783)

LI-180_Installer.exe (PID: 6652 cmdline: .\LI-180_Installer.exe /m='C:\Users\user~1\Desktop\LI180_~1.EXE' /k='' MD5: A94344CD648287F3BC40B538AF42190B)

x64DPInst.exe (PID: 5932 cmdline: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F MD5: BE3C79033FA8302002D9D3A6752F2263)

x86DPInst.exe (PID: 4488 cmdline: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F MD5: 30A0AFEE4AEA59772DB6434F1C0511AB)

msiexec.exe (PID: 6780 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BA9949B78EE4EB19368DAA67058A42BA MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

drvinst.exe (PID: 4428 cmdline: DrvInst.exe '4' '0' 'C:\Users\user~1\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\siusbxp.inf' '9' '4ae43d7fb' '00000000000001A8' 'WinSta0\Default' '00000000000001AC' '208' 'c:\progra~2\li-180~1\driver' MD5: 46F5A16FA391AB6EA97C602B4D2E7819)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.234871327.0000000000401000.00000020.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.LI-180_Installer.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
1.0.LI-180_Installer.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Compliance:

Uses 32bit PE files

Show sources

Source: LI180_win-1.5.1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Creates license or readme file

Show sources

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: gacutil.pdb, AH/@ source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source:	Binary string: GameuxInstallHelper.pdb source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source:	Binary string: gacutil.pdb source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source:	Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SIUSBXP.pdb source: x64DPInst.exe, 0000000E.00000003.303322446.000000000058F000.00000004.00000001.sdmp, SIUSBXP.sys0.0.dr
Source:	Binary string: gacutil.pdb(0 source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source:	Binary string: DpInst.pdbH source: x64DPInst.exe.0.dr
Source:	Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdb source: SIUSBXP.sys.0.dr
Source:	Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdbp source: SIUSBXP.sys.0.dr
Source:	Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SiLib.pdb source: SETF07E.tmp.14.dr
Source:	Binary string: DpInst.pdb source: x64DPInst.exe.0.dr
Source:	Binary string: gacutlrc.pdb source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp

Spreading:

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW,	0_2_00409263
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_0040C9F8 FindFirstFileW,FindClose,	1_2_0040C9F8
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00424B48 FindFirstFileW,GetLastError,	1_2_00424B48
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,	1_2_007942A8
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	1_2_0040C434
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00424548 FindFirstFileW,FindClose,	1_2_00424548
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,	1_2_00596518
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00424764 FindFirstFileW,FindClose,	1_2_00424764
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00794720 FindFirstFileW,FindClose,	1_2_00794720
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,	1_2_00794724

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

Code function: 1_2_00422390 GetLogicalDriveStringsW,QueryDosDeviceW,

1_2_00422390

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking:

Source: Install Fonts EXE-PlugIn.dll.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: drvinst.exe, 00000010.00000003.308221075.0000026FF54F8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: drvinst.exe, 00000010.00000003.308221075.0000026FF54F8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsof8
Source: Install Fonts EXE-PlugIn.dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: LI-180_Installer.exe, LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2008/schema.xsd
Source: mdd_0.ttf.0.dr	String found in binary or memory: http://www.ascendercorp.com/http://ascendercorp.com/eula10.html
Source: mdd_0.ttf.0.dr	String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlThis
Source: LI180_win-1.5.1.exe	String found in binary or memory: http://www.installaware.com
Source: LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp	String found in binary or memory: http://www.installaware.com/
Source: LI180_win-1.5.1.exe	String found in binary or memory: http://www.installaware.comz
Source: LI-180_Installer.exe, 00000001.00000003.236989235.000000007F8D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.licor.com
Source: LICORlang.ini.0.dr	String found in binary or memory: https://www.licor.com/

E-Banking Fraud:

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	File created: C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\SETF04E.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\SETF59D.tmp	Jump to dropped file

System Summary:

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

File created: C:\Windows\Fonts\mdd_0.ttf

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\SETF59D.tmp

Jump to behavior

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_00415060	0_2_00415060
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_0040D0E1	0_2_0040D0E1
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_00416135	0_2_00416135
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_0041A3D8	0_2_0041A3D8
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_00415535	0_2_00415535
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_0040D67F	0_2_0040D67F
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_0040F949	0_2_0040F949
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_00415909	0_2_00415909
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_0040CA77	0_2_0040CA77
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_0040CB18	0_2_0040CB18
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_0040CCB9	0_2_0040CCB9
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_00415D15	0_2_00415D15
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_0040EE50	0_2_0040EE50

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: String function: 00417B6C appears 36 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: String function: 00408BFB appears 39 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: String function: 00416B21 appears 164 times

Source: LI180_win-1.5.1.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: LI180_win-1.5.1.exe, 00000000.00000002.348802076.0000000002350000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs LI180_win-1.5.1.exe

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior

Source: LI180_win-1.5.1.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: classification engine

Classification label: sus24.evad.winEXE@9/119@0/0

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

Code function: 0_2_00413849 GetVersion,CoCreateInstance,

0_2_00413849

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

Code function: 1_2_004580E4 FindResourceW,LoadResource,SizeofResource,LockResource,

1_2_004580E4

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

File created: C:\Users\user\AppData\Local\III

Jump to behavior

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp

Jump to behavior

Source: Yara match	File source: 00000001.00000000.234871327.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, type: DROPPED
Source: Yara match	File source: 1.2.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: "-k=	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: "-k=	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: "/k=	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: "/k=	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: -k=	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: -k=	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: /k=	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: /k=	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: "/k=	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: ;!@InstallEnd@!	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: BB	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: Title	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: Directory	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: RunProgram	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: ExecuteFile	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: setup.exe	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: %%T	0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Command line argument: %%T\	0_2_00413F63

Source: LI180_win-1.5.1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: LI-180_Installer.exe, 00000001.00000003.289541820.0000000000E49000.00000004.00000001.sdmp

Binary or memory string: INSERT INTO `Property` ( `Property` , `Value` ) VALUES ( 'P6DBFE203_1' , 'C:\Program Files (x86)\LI-180 Spectrometer\skin' );^

Source: LI-180_Installer.exe	String found in binary or memory: <!--StartFragment-->
Source: LI-180_Installer.exe	String found in binary or memory: Start/Stop Count
Source: LI-180_Installer.exe	String found in binary or memory: Start/Stop Count
Source: LI-180_Installer.exe	String found in binary or memory: NATS-SEFI-ADD
Source: LI-180_Installer.exe	String found in binary or memory: NATS-DANO-ADD
Source: LI-180_Installer.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: LI-180_Installer.exe	String found in binary or memory: jp-ocr-b-add
Source: LI-180_Installer.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: LI-180_Installer.exe	String found in binary or memory: jp-ocr-hand-add
Source: LI-180_Installer.exe	String found in binary or memory: ISO_6937-2-add
Source: LI-180_Installer.exe	String found in binary or memory: </InstallAware>

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

File read: C:\Users\user\Desktop\LI180_win-1.5.1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LI180_win-1.5.1.exe 'C:\Users\user\Desktop\LI180_win-1.5.1.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /m='C:\Users\user~1\Desktop\LI180_~1.EXE' /k=''
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BA9949B78EE4EB19368DAA67058A42BA
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '4' '0' 'C:\Users\user~1\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\siusbxp.inf' '9' '4ae43d7fb' '00000000000001A8' 'WinSta0\Default' '00000000000001AC' '208' 'c:\progra~2\li-180~1\driver'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /m='C:\Users\user~1\Desktop\LI180_~1.EXE' /k=''	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F	Jump to behavior

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

File written: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\6C0AF2E8\BE4A257\LICORlang.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

Window found: window name: TButton

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Automated click: I accept the terms of the license agreement
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Automated click: I accept the terms of the license agreement
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Automated click: I accept the terms of the license agreement
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Automated click: Next >

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: LI180_win-1.5.1.exe

Static file information: File size 10630347 > 1048576

Source:	Binary string: gacutil.pdb, AH/@ source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source:	Binary string: GameuxInstallHelper.pdb source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source:	Binary string: gacutil.pdb source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source:	Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SIUSBXP.pdb source: x64DPInst.exe, 0000000E.00000003.303322446.000000000058F000.00000004.00000001.sdmp, SIUSBXP.sys0.0.dr
Source:	Binary string: gacutil.pdb(0 source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source:	Binary string: DpInst.pdbH source: x64DPInst.exe.0.dr
Source:	Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdb source: SIUSBXP.sys.0.dr
Source:	Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdbp source: SIUSBXP.sys.0.dr
Source:	Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SiLib.pdb source: SETF07E.tmp.14.dr
Source:	Binary string: DpInst.pdb source: x64DPInst.exe.0.dr
Source:	Binary string: gacutlrc.pdb source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

Code function: 0_2_0041C3CC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_0041C3CC

Source: 7z.dll.1.dr	Static PE information: real checksum: 0x0 should be: 0xe8565
Source: LI180_win-1.5.1.exe	Static PE information: real checksum: 0x4db7e should be:
Source: 7z759F.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0xe8565

Source: 7z759F.tmp.1.dr	Static PE information: section name: .sxdata
Source: 7z.dll.1.dr	Static PE information: section name: .sxdata

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_00416BF9 push ecx; ret	0_2_00416C0C
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_00417BB1 push ecx; ret	0_2_00417BC4
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_0076889C push 00768B24h; ret	1_2_00768B1C
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_0076839C push 007686BAh; ret	1_2_007686B2
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_0045116C push ecx; mov dword ptr [esp], edx	1_2_00451171

Persistence and Installation Behavior:

Sample is not signed and drops a device driver

Show sources

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys	Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys	Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys	Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\Users\user\AppData\Local\Temp\7z759F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	File created: C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SETF07E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\Users\user\AppData\Local\III\7z.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mDIFxEXE.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	File created: C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SETF07F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\Users\user\AppData\Local\Temp\IAW1FEA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\Install Fonts EXE-PlugIn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\mia.lib	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib			Jump to dropped file

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CF.tmp			Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CE.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\mia.lib			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

May use the Tor software to hide its network traffic

Show sources

Source: LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp

Binary or memory string: torConnect

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\SysWOW64\msiexec.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SETF07E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SETF07F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IAW1FEA.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\Install Fonts EXE-PlugIn.dll	Jump to dropped file

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_0-16778
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_0-16870

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	File operation: C:\Users\user~1\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SiUSBXp.sys			Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File operation: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SiUSBXp.sys			Jump to behavior

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW,	0_2_00409263
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_0040C9F8 FindFirstFileW,FindClose,	1_2_0040C9F8
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00424B48 FindFirstFileW,GetLastError,	1_2_00424B48
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,	1_2_007942A8
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,	1_2_0040C434
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00424548 FindFirstFileW,FindClose,	1_2_00424548
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,	1_2_00596518
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00424764 FindFirstFileW,FindClose,	1_2_00424764
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00794720 FindFirstFileW,FindClose,	1_2_00794720
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: 1_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose,	1_2_00794724

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe

Code function: 1_2_00422390 GetLogicalDriveStringsW,QueryDosDeviceW,

1_2_00422390

Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: x64DPInst.exe, 0000000E.00000002.313408506.0000000002760000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: LI180_win-1.5.1.exe	Binary or memory string: vMCi0
Source: x64DPInst.exe, 0000000E.00000002.313408506.0000000002760000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: x64DPInst.exe, 0000000E.00000002.313408506.0000000002760000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: x64DPInst.exe, 0000000E.00000002.313408506.0000000002760000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

API call chain: ExitProcess graph end node

graph_0-16871

Anti Debugging:

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

Code function: 0_2_0041B20D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0041B20D

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

0_2_0041C3CC

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_0041B20D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041B20D
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_004182E8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004182E8
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_0041B945 SetUnhandledExceptionFilter,	0_2_0041B945
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: 0_2_00416B12 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00416B12

HIPS / PFW / Operating System Protection Evasion:

Source: LI-180_Installer.exe	Binary or memory string: Shell_TrayWnd
Source: LI-180_Installer.exe	Binary or memory string: Progman
Source: LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp	Binary or memory string: Progmanadvapi32.dllCreateProcessWithTokenW
Source: LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp	Binary or memory string: ProgmanU
Source: LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndU

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

Code function: 0_2_0040DA29 cpuid

0_2_0040DA29

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe	Code function: GetLocaleInfoA,	0_2_004204E7
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	1_2_0040CB30
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_0040BFD8

Source: C:\Windows\System32\drvinst.exe

Queries volume information: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\SiUSBXp.cat VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

Code function: 0_2_0041C0BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0041C0BC

Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe

Code function: 0_2_00413849 GetVersion,CoCreateInstance,

0_2_00413849

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter3	Windows Service1	Windows Service1	Masquerading41	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API2	DLL Side-Loading1	Process Injection2	Virtualization/Sandbox Evasion1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Multi-hop Proxy1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Process Injection2	Security Account Manager	Security Software Discovery31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Proxy1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Process Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Owner/User Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	File and Directory Discovery5	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery44	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib	0%	Metadefender	Browse
C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib	5%	ReversingLabs
C:\Users\user\AppData\Local\III\7z.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Local\III\7z.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7z759F.tmp	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\7z759F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.installaware.comz	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/http://ascendercorp.com/eula10.html	0%	Virustotal		Browse
http://www.ascendercorp.com/http://ascendercorp.com/eula10.html	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlThis	0%	Avira URL Cloud	safe
http://www.installaware.com	0%	Avira URL Cloud	safe
http://www.installaware.com/	0%	Avira URL Cloud	safe
http://crl.microsof8	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.installaware.comz	LI180_win-1.5.1.exe	false	Avira URL Cloud: safe	unknown
http://www.licor.com	LI-180_Installer.exe, 00000001.00000003.236989235.000000007F8D0000.00000004.00000001.sdmp	false		high
https://www.licor.com/	LICORlang.ini.0.dr	false		high
http://www.ascendercorp.com/http://ascendercorp.com/eula10.html	mdd_0.ttf.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlThis	mdd_0.ttf.0.dr	false	Avira URL Cloud: safe	unknown
http://www.installaware.com	LI180_win-1.5.1.exe	false	Avira URL Cloud: safe	unknown
http://www.installaware.com/	LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsof8	drvinst.exe, 00000010.00000003.308221075.0000026FF54F8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://standards.iso.org/iso/19770/-2/2008/schema.xsd	LI-180_Installer.exe, LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358582
Start date:	25.02.2021
Start time:	21:42:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	LI180_win-1.5.1.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus24.evad.winEXE@9/119@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.5% (good quality ratio 98.1%) Quality average: 82.9% Quality standard deviation: 23.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\III\7z.dll	sampplr.exe	Get hash	malicious	Browse
	gagepack12.0_setup.msi	Get hash	malicious	Browse
	mbam-setup-1.80.2.1012.exe	Get hash	malicious	Browse
	mbam-setup-1.80.2.1012.msi	Get hash	malicious	Browse
	iNa0oXzqgX.exe	Get hash	malicious	Browse
	http://dl.verypdf.net/pdf2txtocrcmd.zip	Get hash	malicious	Browse
C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib	gagepack12.0_setup.msi	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\7z759F.tmp	sampplr.exe	Get hash	malicious	Browse
	gagepack12.0_setup.msi	Get hash	malicious	Browse
	mbam-setup-1.80.2.1012.exe	Get hash	malicious	Browse
	mbam-setup-1.80.2.1012.msi	Get hash	malicious	Browse
	iNa0oXzqgX.exe	Get hash	malicious	Browse
	http://dl.verypdf.net/pdf2txtocrcmd.zip	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	308
Entropy (8bit):	5.370925489784776
Encrypted:	false
SSDEEP:	6:SxMRSYSD/VQT1zNGo953RgeWOe0i23fcxnTzAz7jM41wy:SxMRSYSDST1zNGuWeW+Zkxf8MXy
MD5:	D8B7E7A6EB46BBCD101DD4434559C36A
SHA1:	0397CA69CE5584671DFA9B8EA59CA5417898BA1D
SHA-256:	DC87D4DB87FA9CAD553B79C258330EF7267D08AE42B71E0E5DB7F51A5C0DAC45
SHA-512:	810295D272D763C67D7D861C3195F466808CBDB0A98AD6505C34EB44D9FF9D68A53FCBE1F7B5639E57A9BE120DF3C3616A68D5F1CD63053BCBFB47BA8E22B261
Malicious:	false
Reputation:	low
Preview:	MYAH-PREDEF-COMPONENT..LI-COR Spectrum..$..TRUE..TRUE..$..$..$..$..MYAH-PREDEF-COMPONENT..30105611..LI-COR SPECTRUM..0..$..C:\Program Files (x86)\\LI-180 Spectrometer..TRUE..LI-180 Spectrometer..C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\..MYAH64WOW..Win32..OVERRIDECACHE....NATIVE_ENGINE..FALSE..

C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6156254
Entropy (8bit):	6.3901059849449515
Encrypted:	false
SSDEEP:	98304:IBCWJvXmK0COmVbcEkT/THDXPaV0L8l4AWn1eyeHszH2OsP4PqyK13icjqsNTUja:IIWJfmK7cEkT/TuV0hZseHiFII
MD5:	A94344CD648287F3BC40B538AF42190B
SHA1:	97A112188EAA93633C88BB7087D021BB565DD232
SHA-256:	1AFB50E204A6511B43D62B8ACF150E256921DF3B2A98046C2F7071377BB30FC7
SHA-512:	A291392F131E37E08D1B6DD67E38D9318CB0C5F4C6B4F6F6EE847FE7E589160B763A3E578F0535A9ADFC016723CFC22F661029D3B2F05C2CD8E495D669C3AF07
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe, Author: Joe Security
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...T..R..................B..F........B.......C...@...........................d..................@............................E.nV...`K.......................................................F.......................E.......E.4....................text...4YB......ZB................. ..`.itext..p....pB......^B............. ..`.data...\|.....C.......B.............@....bss....h\|....D.......C..................idata..nV....E..X....C.............@....didata.4.....E......@D.............@....tls....P.....F......JD..................rdata........F......JD.............@..@.reloc...1... F......LD.............@..B.rsrc........`K......LD.............@..@..............b.......`.............@..@........................................................

C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.lnk Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	UTF-8 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:g:g
MD5:	ECAA88F7FA0BF610A5A26CF545DCD3AA
SHA1:	57218C316B6921E2CD61027A2387EDC31A2D9471
SHA-256:	F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
SHA-512:	37C783B80B1D458B89E712C2DFE2777050EFF0AEFC9F6D8BEEDEE77807D9AEB2E27D14815CF4F0229B1D36C186BB5F2B5EF55E632B108CC41E9FB964C39B42A5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.

C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.msi Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	0
Category:	dropped
Size (bytes):	798720
Entropy (8bit):	6.23248504194283
Encrypted:	false
SSDEEP:	12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
MD5:	2B7F717CA3147788D37977F204C309F3
SHA1:	801DADC3079409E409B3C16AE1366278AECDD6C6
SHA-256:	828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
SHA-512:	A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.par Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5692
Entropy (8bit):	5.375016615077708
Encrypted:	false
SSDEEP:	96:d4Gc4OgAWoN0jmb4jSj11dVH10MjmgKHkjIuNGUbeeF:d4Gc49hbmb4jS517H10MjmgKHkjIuNGc
MD5:	6385FE03B9CB4906EC2BCA40E5E2BCCE
SHA1:	A52BCC4EA59D0C44778A5FB4EE87840A2E08C0A4
SHA-256:	654D5C94139339110198BC817B91599C200000CAF00E16840A415F8675A3C464
SHA-512:	B80E984CC1EF417EF52BF169A77A8DF87067DB4888F46CF811B2BC3FF52E2D10E2ED65C33AA73F16E3B7EDDF6A37A74073E5B078B522A4C67975E45B3F24C99B
Malicious:	false
Reputation:	low
Preview:	.A4BEB53A4..FALSE..AD35647E..FALSE..A9702C767..FALSE..A194AAD59..FALSE..AEA1BA5D5..FALSE..ADC702C7E..FALSE..AB7ED429E..FALSE..A453607F8..FALSE..AC3C84A4C..FALSE..A353AD105..FALSE..A2E5DCE8F..FALSE..AA3F0088A..FALSE..A51845961..FALSE..A55E6A65E..FALSE..A67ACD331..FALSE..A36706E48..FALSE..A3575565E..FALSE..AF4ED2515..FALSE..AECC34BEC..FALSE..A587D056C..FALSE..AE5444EFD..FALSE..A9847A14B..FALSE..AD532E401..FALSE..AC9AB7ACB..FALSE..A8C4586D2..FALSE..AE379E83C..FALSE..AAD9FE403..FALSE..A44DB77AB..FALSE..AFC8C594..FALSE..AD83B2FF9..FALSE..A774E815E..FALSE..ADAA0442..FALSE..A655FCA3B..FALSE..A1EA7FD63..FALSE..A609B42C1..FALSE..A409F08AF..FALSE..AF28C57DF..FALSE..A7021623..FALSE..A6B339451..FALSE..A6B481F13..FALSE..AD2758F69..FALSE..A655BFA89..FALSE..A383E736B..FALSE..A6C0AF2E8..FALSE..A7493ECCE..FALSE..A6DBFE203..FALSE..A6E896EEB..FALSE..A76F0EEEC..FALSE..AB4E1930A..FALSE..A7DB172CA..FALSE..A4BEB53A4..TRUE..P4BEB53A4_1..C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LI-180 Spectromete

C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.res Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	3902968
Entropy (8bit):	6.223067831964042
Encrypted:	false
SSDEEP:	49152:5XHXAgwX91XhXWXbXRXVXgXLwXmJXFPId4xSSS/mlfQYSvpcbuMNXCSpA+xUS5ad:5CASSvWHv5e
MD5:	EDA618F20514ECF18BB76A912EFDCA5C
SHA1:	4C67E979C888877340DEAE91FAB10A47D34CC62F
SHA-256:	35D753D12BAA6A54A74BCCF75D6F5803709E60239E1B7CBD8562D683020A3D4B
SHA-512:	30CE9317979416E40024C2CE5B6F3EF2B454118F9371F5C86948B659B98D8128D07902D3B524C389D6621B0027427DCACEEBBAF1D223A3A63D9818122FC3E952
Malicious:	false
Reputation:	low
Preview:	7z..'.....W...;.............[......TFRMDESIGN.0.....TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..

C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\instance.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	101
Entropy (8bit):	4.63121992917389
Encrypted:	false
SSDEEP:	3:OiVIWHEqggwYAjSo6IYjhgnnkCsx2u7Ks4v:O6rHEqgEn7Ikhgnnk58
MD5:	41FF25A90398D37064A78587CE16B8F0
SHA1:	146AA66CC7E179191D1450B69E3531EC8719C146
SHA-256:	4E7A57B217C44047CA43E756785EAA73F1416F1CE405DD9E8FB2E31FAEDFB615
SHA-512:	7AB7B7307D8712FE612AA3B0EAFE5DC062C0A970B4F24DCC43949DA9A8CBEC4ACCD1C878C3E0FD07BD9DD3B58281EAA29253965E290818CA6709A15834657893
Malicious:	false
Reputation:	low
Preview:	{4963F2A4-325D-4774-8D8D-86D68B3EE27C}..{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}..LI-180 Spectrometer..

C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1335758
Entropy (8bit):	6.607116387652834
Encrypted:	false
SSDEEP:	24576:kKLeEbW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ5e:jLeEbasY6DwOBfrnvV7UeWtPe
MD5:	2957FB70B1A610B54D98CC4FB2F8DCEC
SHA1:	68319EBF22A4B7D3B52B2E1198CF61535D024E24
SHA-256:	30B0CD1B04F0B39251614DB60C5F9AD7E98E4201B46CDF4C850942A14F03ECD0
SHA-512:	873CCADABA7A9A639328B42360166BCC427C7298FF743829C3BE92F0FBD9EF8D000F64B799765EB80D42F8BFC5196BF1083752D33840359909E9DA740B15C489
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: gagepack12.0_setup.msi, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ad.. ... ... ....g.. ....q.. ... ... ...X... ...X... ...X... ...X... ...r... ...X... ..Rich. ..........PE..L.....8R...........!................3=.......................................P.......g....@.................................<...d................................,...................................................................................text...-........................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...............................@..@.reloc...J.......L..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\III\7z.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	914432
Entropy (8bit):	6.481500443477186
Encrypted:	false
SSDEEP:	24576:TW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ:TasY6DwOBfrnvV7UeWt
MD5:	04AD4B80880B32C94BE8D0886482C774
SHA1:	344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0
SHA-256:	A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
SHA-512:	3E3AAF01B769471B18126E443A721C9E9A0269E9F5E48D0A10251BC1EE309855BD71EDE266CAA6828B007359B21BA562C2A5A3469078760F564FB7BD43ACABFB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: sampplr.exe, Detection: malicious, Browse Filename: gagepack12.0_setup.msi, Detection: malicious, Browse Filename: mbam-setup-1.80.2.1012.exe, Detection: malicious, Browse Filename: mbam-setup-1.80.2.1012.msi, Detection: malicious, Browse Filename: iNa0oXzqgX.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0;.tc;.tc;.tcT..c8.tc..zc3.tcT.~c?.tcT.pc9.tc..+c:.tc;.ucH.tc..)c<.tc...c.tcT..c..tcT..c9.tc..rc:.tc.pc:.tcRich;.tc........................PE..L....S.L...........!.....:...................P......................................................................p.......L...d........{......................8q...................................................P..(............................text....8.......:.................. ..`.rdata..bR...P...T...>..............@..@.data............^..................@....sxdata......p......................@....rsrc....{.......\|..................@..@.reloc...............n..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7z759F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	914432
Entropy (8bit):	6.481500443477186
Encrypted:	false
SSDEEP:	24576:TW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ:TasY6DwOBfrnvV7UeWt
MD5:	04AD4B80880B32C94BE8D0886482C774
SHA1:	344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0
SHA-256:	A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
SHA-512:	3E3AAF01B769471B18126E443A721C9E9A0269E9F5E48D0A10251BC1EE309855BD71EDE266CAA6828B007359B21BA562C2A5A3469078760F564FB7BD43ACABFB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: sampplr.exe, Detection: malicious, Browse Filename: gagepack12.0_setup.msi, Detection: malicious, Browse Filename: mbam-setup-1.80.2.1012.exe, Detection: malicious, Browse Filename: mbam-setup-1.80.2.1012.msi, Detection: malicious, Browse Filename: iNa0oXzqgX.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0;.tc;.tc;.tcT..c8.tc..zc3.tcT.~c?.tcT.pc9.tc..+c:.tc;.ucH.tc..)c<.tc...c.tcT..c..tcT..c9.tc..rc:.tc.pc:.tcRich;.tc........................PE..L....S.L...........!.....:...................P......................................................................p.......L...d........{......................8q...................................................P..(............................text....8.......:.................. ..`.rdata..bR...P...T...>..............@..@.data............^..................@....sxdata......p......................@....rsrc....{.......\|..................@..@.reloc...............n..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6156254
Entropy (8bit):	6.3901059849449515
Encrypted:	false
SSDEEP:	98304:IBCWJvXmK0COmVbcEkT/THDXPaV0L8l4AWn1eyeHszH2OsP4PqyK13icjqsNTUja:IIWJfmK7cEkT/TuV0hZseHiFII
MD5:	A94344CD648287F3BC40B538AF42190B
SHA1:	97A112188EAA93633C88BB7087D021BB565DD232
SHA-256:	1AFB50E204A6511B43D62B8ACF150E256921DF3B2A98046C2F7071377BB30FC7
SHA-512:	A291392F131E37E08D1B6DD67E38D9318CB0C5F4C6B4F6F6EE847FE7E589160B763A3E578F0535A9ADFC016723CFC22F661029D3B2F05C2CD8E495D669C3AF07
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe, Author: Joe Security
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...T..R..................B..F........B.......C...@...........................d..................@............................E.nV...`K.......................................................F.......................E.......E.4....................text...4YB......ZB................. ..`.itext..p....pB......^B............. ..`.data...\|.....C.......B.............@....bss....h\|....D.......C..................idata..nV....E..X....C.............@....didata.4.....E......@D.............@....tls....P.....F......JD..................rdata........F......JD.............@..@.reloc...1... F......LD.............@..B.rsrc........`K......LD.............@..@..............b.......`.............@..@........................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.msi Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	0
Category:	dropped
Size (bytes):	798720
Entropy (8bit):	6.23248504194283
Encrypted:	false
SSDEEP:	12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
MD5:	2B7F717CA3147788D37977F204C309F3
SHA1:	801DADC3079409E409B3C16AE1366278AECDD6C6
SHA-256:	828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
SHA-512:	A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.res Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	7-zip archive data, version 0.3
Category:	dropped
Size (bytes):	3902968
Entropy (8bit):	6.223067831964042
Encrypted:	false
SSDEEP:	49152:5XHXAgwX91XhXWXbXRXVXgXLwXmJXFPId4xSSS/mlfQYSvpcbuMNXCSpA+xUS5ad:5CASSvWHv5e
MD5:	EDA618F20514ECF18BB76A912EFDCA5C
SHA1:	4C67E979C888877340DEAE91FAB10A47D34CC62F
SHA-256:	35D753D12BAA6A54A74BCCF75D6F5803709E60239E1B7CBD8562D683020A3D4B
SHA-512:	30CE9317979416E40024C2CE5B6F3EF2B454118F9371F5C86948B659B98D8128D07902D3B524C389D6621B0027427DCACEEBBAF1D223A3A63D9818122FC3E952
Malicious:	false
Preview:	7z..'.....W...;.............[......TFRMDESIGN.0.....TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-180_Installer.msi Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	0
Category:	dropped
Size (bytes):	798720
Entropy (8bit):	6.23248504194283
Encrypted:	false
SSDEEP:	12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
MD5:	2B7F717CA3147788D37977F204C309F3
SHA1:	801DADC3079409E409B3C16AE1366278AECDD6C6
SHA-256:	828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
SHA-512:	A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	76728
Entropy (8bit):	6.254581045679638
Encrypted:	false
SSDEEP:	1536:edjdN2c6vBVoJFLVbRv4e1R42TtHT/tNzxU:edNmVGFp9B1TtHT/tNzu
MD5:	980ABD131E4B45DC8ED554D3EE0C2044
SHA1:	B6041667248E9AD0CED547B33C16BF1D8A495661
SHA-256:	0D75323B0EEFE651374099234B718DA70FE3C160D62BD73B49579CB07C4DDE4B
SHA-512:	0429B94DD0871CB8EDB02DDDDEF2E5D21D22B09D96DCB1CF937E35B2D085742CEBDF121591902FD0A686078F9F241C5551892D1BBFC15E2B094D39BEBA159C5A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.yW...........!...2.....h...............................................`......O$.............................. ...x............@.......................P......................................................."...............................code...'........ .................. ..`.text...l....0.......$.............. ..`.rdata..............................@..@.data....R.......N..................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1305600
Entropy (8bit):	6.66768345397406
Encrypted:	false
SSDEEP:	24576:yIAaJZ7NOcdUT4OELlCRmLrxB4Swz+hLnNlAj4HdH:HcWgYfxSSwz4A6
MD5:	511629FCCFB6C536A8F6FCBF4AA06401
SHA1:	6931DE3FB845AF6CD30348108A98767268EF6200
SHA-256:	65AD010679A748A7174ABE1C314E0F1AE78E7BE69DEC22F0357536F21399C68C
SHA-512:	D51248F81789E8E2DEFB7B59E551B3FF705C8D8BB098AC66E7A4C7C9AF48855544BA44D6256F02052B6D525753A645E7EA601F421A5918446A231775F89E081C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......R.....................h......\..............Q....................................................................O....P...5...P...T..........................................................................Y..H.......^....................text....k.......l.................. ..`.itext.. ............p.............. ..`.data....L.......N..................@....bss....PS...............................idata...5...P...6..................@....didata.^...........................@....edata..O...........................@..@.rdata..............................@..@.reloc.............................@..B.rsrc....T...P...T..................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1050104
Entropy (8bit):	5.617498652730841
Encrypted:	false
SSDEEP:	12288:uIId79EaUTvwieMozMEcOigSpuPMaLium:xIdqaWw1MsbTScP0
MD5:	BE3C79033FA8302002D9D3A6752F2263
SHA1:	A01147731F2E500282ECA5ECE149BCC5423B59D6
SHA-256:	181BF85D3B5900FF8ABED34BC415AFC37FC322D9D7702E14D144F96A908F5CAB
SHA-512:	77097F220CC6D22112B314D3E42B6EEDB9CCD72BEB655B34656326C2C63FB9209977DDAC20E9C53C4EC7CCC8EA6910F400F050F4B0CB98C9F42F89617965AAEA
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g9I.#X'.#X'.#X'.* ..!X'.* ..7X'.* ..<X'.#X&.Y'.* ..fX'.* ...X'...Y."X'.* .."X'.* .."X'.Rich#X'.................PE..d......J..........".......................................................................@.......... ......................................H...@.......pY...0..\m.......%...........................................................................................text............................... ..`.data... ...........................@....pdata..\m...0...n..................@..@.rsrc....`.......Z...v..............@..@.reloc..<...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	921992
Entropy (8bit):	5.698587665358091
Encrypted:	false
SSDEEP:	6144:EZtaKSpwmx5ATm/LC3fwf3OoU9xkYSr/mdBTRhKWIjsRP/1HHm/hHAM8i6r+LyIU:EZxSpwmxvL/f3vCN1PMaLi6rAyIQjF
MD5:	30A0AFEE4AEA59772DB6434F1C0511AB
SHA1:	5D5C2D9B7736E018D2B36963E834D1AA0E32AF09
SHA-256:	D84149976BC94A21B21AA0BC99FCBDEE9D1AD4F3387D8B62B90F805AC300BA05
SHA-512:	5E8A85E2D028AD351BE255AE2C39BB518A10A4A467FD656E2472286FEE504EED87AFE7D4A728D7F8BC4261245C1DB8577DEEEE2388F39EB7EE48298E37949F53
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p..o4..<4..<4..<=.`<"..<=.v<...<=.f<)..<4..<@..<=.q<o..<=.a<5..<=.d<5..<Rich4..<................PE..L......J................. ..........j........0...............................0......p.....@...... ..............................,....p..lY......................XC...................................=..@...............L............................text............ .................. ..`.data...`>...0.......$..............@....rsrc....`...p...Z...<..............@..@.reloc..._.......`..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\1EA7FD63\B65B8ED4\box_feature.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2152x581, frames 3
Category:	dropped
Size (bytes):	155551
Entropy (8bit):	6.411518614321463
Encrypted:	false
SSDEEP:	768:n/Tstz8ofLN4p+QaOZV4sprBPMCCWn1YyNKlz6J6J6aX6g+6J6JP696J6JsoK3:n/TY8ofZ4MQbesp9Djn1IlzbX8v3
MD5:	BAE95521060E3A852BB0753BB15DE01A
SHA1:	EE52EA3E495D25CF5D0795DDCC2D9AF710EC381B
SHA-256:	983617EEF70FB3AD4BA79E652D15C7254D2CDA3D8C963F9B97AF9E850CCD1631
SHA-512:	AB25284B9A81600F5850CAD8E7E1A9C18D150072DBBC53A3CE1F26A7EFA95980D786EF69E23BB5787F06DEBD0A4D26EE9368713994EED601774FA315CB39DB47
Malicious:	false
Preview:	......JFIF.....,.,.....,Photoshop 3.0.8BIM.........,.......,........i.http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.277092, Fri Feb 23 2007 14:17:08 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:dc="http://purl.org/dc/elements/1.1/">. <dc:format>image/jpeg</dc:format>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang="x-default">20141009-2</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xap="http://ns.adobe.com/xap/1.0/". xmlns:xapGImg="http://ns.adobe.com/xap/1.0/g/img/">. <xap:CreatorTool>Illustrator</xap:CreatorTool>. <xap:CreateDate>2015-12-17T17:11:43+08:00</xap:CreateDate>. <xap:ModifyDate>2015-12-17T09:11:49Z</xap:ModifyDate>. <xa

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.444427923348303
Encrypted:	false
SSDEEP:	384:8JZ8/zig4KI5XHhdq4Jrd6T0ZUi/WP0m1g5TkgCGDZaV55K6Z0MFVIZnJ96FkU6X:vBM53ZJrdJUi/WP31d/Gdo5KgLcnJkzg
MD5:	971FA2980AB94A90B6A9A8385267E653
SHA1:	FC739185177A85ED04B71C6A8D5FDFB72D919306
SHA-256:	25E3D0517AFCBD70C1EBB53097F096E1BDA49DC4524E3C858489E5EC12825608
SHA-512:	6D905EC5FCEE1F8ED2870AF0714A6C630DE3E8D8611406486ADDA08ECFC1873BD57932ED73F42EF93E4F49D40FCED13CA5C1C99795E8C0CECBBE6B56327E1337
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uc.uc.uc.ub.uc.....uc.....uc....uc....uc.....uc....uc....uc....uc....uc.Rich.uc.................PE..d....?L.........."......B..........d................................................-..........................................................(.......0.......................8...@q...............................................p..@............................text....".......$.................. ..hpage.........@.......(.............. ..hinit.........`.......>.............. ..h.rdata.......p.......@..............@..H.data................D..............@....pdata...............H..............@..H.edata...............L..............@..@INIT....b............T.............. ....rsrc...0............Z..............@..B.reloc...............^..............@..B........................................................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3431048
Entropy (8bit):	6.400282478958549
Encrypted:	false
SSDEEP:	98304:ApT2oBS2w3Hp1SSx1Q2z1m6h9f8O30TjrZhdaNEzScif30g6vRpJuz1eyg9q44Ua:AxkQr0JnkTjrZh4jSJYZAqn+IgFyPne8
MD5:	B24DF87B183ACE8FA4ED9D7504DDE689
SHA1:	8C0439BAEE1E2E868A40D0FB524C535E8EDC9EAA
SHA-256:	2B67C9E6F17A6E1DD56CB7F4F0D0A987475272355F758704B3CF1EB7A3E83BDA
SHA-512:	E22ECBCBECE3F3594E8C66CDB17253E29A602512DFA20D80B5BECA4CF930DF83026374BBFFAB113C6A5F8CF83A1C60FE3188E14B87C1468C961FB6B693842197
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7..V...V...V....7..V....'..V.. *..V.. ..]V..u...V...V...U.. ..W.. ...V.. )..V..Rich.V..........................PE..L......M......................!......C............@...........................4.....T.4...@.....................................h........q...........N4......P2.....................................N..@............................................text............................... ..`.rdata...Y.......Z..................@..@.data...,........^..................@....rsrc....q.......r...<..............@..@.reloc......P2.......1.............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\3575565E\3EF45B9E\ANSI_2008.xls Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	880
Entropy (8bit):	4.024090783286004
Encrypted:	false
SSDEEP:	12:cykZUsywNgUhlC9SB1SzsQz3+WS+ineL85LAYr3DVJB4Rhby:cHWLSgU2HzOyieQTDVz6y
MD5:	9A927231F267D229F8F1A82145D7B6B5
SHA1:	3CCA3B1C9A43FD3D3E67C501BD0FC76BEA279C12
SHA-256:	2692C10AC8F820DC79F297CF5375B5ECE84C04F9940ABC7575DBAA419E04F3E4
SHA-512:	E8DBB142E0D1DC047307BBE0604383AF5ABC5B62A2DA0B13F07D59544324FFC745684A2E772E6CF9F1C8FF74B2E6AFD080879EA2DAD262D9EE887346143DD968
Malicious:	false
Preview:	ENERGY STAR ANSI C78.377-2008.......E10.......0.4813.0.4319..0.4562.0.426..0.4373.0.3893..0.4593.0.3944..E20.......0.4562.0.426..0.4299.0.4165..0.4147.0.3814..0.4373.0.3893..E30.......0.4299.0.4165..0.3996.0.4015..0.3889.0.369..0.4147.0.3814..E40.......0.4006.0.4044..0.3736.0.3874..0.367.0.3578..0.3898.0.3716..E50.......0.3736.0.3874..0.3548.0.3736..0.3512.0.3465..0.367.0.3578..E60.......0.3551.0.376..0.3376.0.3616..0.3366.0.3369..0.3515.0.3487..E70.......0.3376.0.3616..0.3207.0.3462..0.3222.0.3243..0.3366.0.3369..E80.......0.3205.0.3481..0.3028.0.3304..0.3068.0.3113..0.3221.0.3261.........CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.459.0.412.0.0027.0.0014.53.7..3000.0.44.0.403.0.00278.0.00136.53.22..3500.0.411.0.393.0.00309.0.00138.54..4000.0.38.0.38.0.00313.0.00134.53.72..5000.0.346.0.359.0.00274.0.00118.59.62..6500.0.313.0.337.0.00223.0.00095.58.57..

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\36706E48\3EF45B9E\ANSI.xls Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	3.811029766434935
Encrypted:	false
SSDEEP:	24:cXRbzjOJi/CG1wwHPINYdBvmCQI9MSDVG:eRfCJi/CGVSY7x39P4
MD5:	30638861125319A8EB54E0F75F953AD5
SHA1:	8091B23543DE04CA3769A9C913C0AFAFD3191BC3
SHA-256:	F6DFE926CECB9139750FC181961260E75817587C353BC525A7E018A2A571DCB1
SHA-512:	3175EAFF7FF111EEBDE48459CDCEDBDD7927F3B0FFEE0B29B53A932F51007F19927E8448B4D31F31D0D95312273511C752E7DD0BC7634EFE212C578EC84DC3ED
Malicious:	false
Preview:	ENERGY STAR ANSI C78.377.......E10.......0.4813.0.4319......0.4562.0.426......0.4373.0.3893......0.4593.0.3944......E20.......0.4562.0.426......0.4299.0.4165......0.4147.0.3814......0.4373.0.3893......E30.......0.4299.0.4165......0.3996.0.4015......0.3889.0.369......0.4147.0.3814......E40.......0.4006.0.4044......0.3736.0.3874......0.367.0.3578......0.3898.0.3716......E50.......0.3736.0.3874......0.3548.0.3736......0.3512.0.3465......0.367.0.3578......E60.......0.3551.0.376......0.3376.0.3616......0.3366.0.3369......0.3515.0.3487......E70.......0.3376.0.3616......0.3207.0.3462......0.3222.0.3243......0.3366.0.3369......E80.......0.3205.0.3481......0.3028.0.3304......0.3068.0.3113......0.3221.0.3261.............CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.463.0.42.0.00258.0.00137.57.17..3000.0.44.0.403.0.00278.0.00136.53.1..3500.0.409.0.394.0.00317.0.00139.52.58..4000.0.38.0.38.0.00313.0.00134.54..5000.0.346.0.359.0.00274.0.00118.59.37..6500.0.313.0.337.0.00223.0.00095.58.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\383E736B\B65B8ED4\square.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 36x36, frames 3
Category:	dropped
Size (bytes):	811
Entropy (8bit):	6.8734786141017254
Encrypted:	false
SSDEEP:	24:cwbGo0XxDuLHeOWXG4OZ7DAJuLHenX3wwObZF0E9Et:cUfuERAmjk
MD5:	6A90C8F2391DF1AE3A0D4EF59B144E6C
SHA1:	4C751BECA130B036BC5607290444B50104CE262E
SHA-256:	CDE14B0A2A6B19A94EA227306823CCB1AE3C6E12939EAC2204C27F74C28D09DA
SHA-512:	DB46E0B830C1753E7BA7D24AC341E96CBED8E98A96C2F309A1A0A82BE445ADADCB2D03B0D4CE5D194C313E68A9D21CB858EE2E93CBB233239190B1F811AB7581
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................$.$.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..(...(..=..~...6......E.E.............:(..h...(........D..........~...&....................................O.........g.........c...t..?.{..u?.................0Asz..L...Nv ..(....

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\409F08AF\B65B8ED4\box_information.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 1396x416, frames 3
Category:	dropped
Size (bytes):	22296
Entropy (8bit):	6.223707808164865
Encrypted:	false
SSDEEP:	96:cAoE6DTpFWFWFWFWFWFWFWFWFWFWF18Z+Z+Z+Z+Z+Z+Z+Z+Z+Z+ZKgngngngnw93:FopYkkkkkkkkkkIQQQQwGfo
MD5:	AAB4F09BBF6A3AE3E9A95E32958BA66A
SHA1:	9D20AC06988DF7B9872B7CFBC39D8BC90CFB7532
SHA-256:	1549FF975A60DBE53F63D8B977FA43AC1059E96AC2FFA0E0EF311726898ECE70
SHA-512:	D4FF44288413D19BC487133B8E9CEADC8223B64836EB69C6994FCEF28D23FD43E6AA9B6E62F2634AE41CD1471904E28FCFEA0710C6D254B17E1361A8DC8CACC7
Malicious:	false
Preview:	......JFIF.............C....................................................................C.........................................................................t.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....o...x..v....'....?..s....p..p;Wu...............~....D.9..o?.S-zu.y..3G.o..?.z....Q.................P.....4\|6...s..'...........\.....9^.E.y..3G.o..?.z....Q.................P.....4\|6...s..'...........\.....9^.E.y..3G.o..?.z....Q.................P.....4\|6...s..'...........\.....9^.E.y..3G.o..?.z....Q.................P.....4\|6...s..'...........\.....9^.E.y..3G.o.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\44DB77AB\7AF51026\LICOR.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:08:07 16:10:23], baseline, precision 8, 424x389, frames 3
Category:	dropped
Size (bytes):	55788
Entropy (8bit):	7.406277105755755
Encrypted:	false
SSDEEP:	768:wjlNHlM3wYyUD6bOu8/Psvvm13GZ7I8fZgnpM89UUWnuY:p3wYDQO5/Ev+1WDfZ9893oV
MD5:	4A482C8F0C46BD5D8C3D6739AD1BC7C8
SHA1:	E543A7289D861A0F9ADD6B33ED1D837AC89FCBA6
SHA-256:	FB2BFC19FBA5DA463FACE6D76EFED53CB1A2F307D3E9C5BED8E7D11B8BBFE2D1
SHA-512:	7F910843D036135070DA2F14524F628C2CE3EFE9A1AEB0DAD1DB63578D1A55C7ED25E573E1A15568A253FDF51D0339423A127703DDAF2EFAC55D2B0E701696DE
Malicious:	false
Preview:	......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................z..'....z..'.Adobe Photoshop CS5.1 Windows.2018:08:07 16:10:23..................................................................................&.(.................................Q.......H.......H..........Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..RI$...I%)$...L..%......>.JN..s,?E.....De......$..J.s].>F.Y.S..ZI....IIRI$...I%)$.IJI$.R.I$......RI$...I%"........).w+..y..U7..s.%(p.(...i.?...Nl.~p....)..h..

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	data
Category:	dropped
Size (bytes):	8981
Entropy (8bit):	6.952810377972559
Encrypted:	false
SSDEEP:	192:6IKsjkeBneIyCNECwnVhjeyveCtAW5LfsxhQ8tsU:1KskI/w/jpvjAGLa3t/
MD5:	FC43EB094C0074FCD29ADC9A742371D9
SHA1:	21EA184EB636E45550BD6A18CDAF08AE19DDD776
SHA-256:	993B957EB5EAC489092B25A51473CE9B4BC49835673999BC4A95440318194D8A
SHA-512:	6A1ACB42C8A6A18E956431F62A89E3BFCC3484683C2934358ACA50D3FCB42D7FD244625C39D78B4983050BE26B9C5114AB53E41DB429B56BC336D33A2B4B3380
Malicious:	false
Preview:	0.#....H........#.0."....1.0...+......0.....+.....7......0...0...+.....7.......D9.NN..........110131175223Z0...+.....7.....0...0....R1.8.A.8.0.D.E.0.C.F.D.5.2.1.0.E.9.A.3.2.5.C.7.2.B.1.2.4.0.B.4.4.2.F.B.4.F.4.2.2...1..c0:..+.....7...1,0...F.i.l.e........s.i.u.s.b.x.p...s.y.s...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+..............!..2\r.$.D/.."0....R3.0.2.3.5.5.2.1.E.B.3.1.4.1.4.6.B.1.F.D.7.1.B.6.7.F.3.C.E.7.D.9.2.0.E.2.6.6.8.D...1..[0:..+.....7...1,0*...F.i.l.e........s.i.u.s.b.x.p...i.n.f...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........0#U!.1AF..q..<.. .f.0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	6.017219183396955
Encrypted:	false
SSDEEP:	384:Hb8p/BVUEZg4exDJKDYh3jOB2raIc15FdIq+m:mcdY0h8GaIudB
MD5:	812318F3E7BD682E1C22F0B707F66E82
SHA1:	AA17A293AEC2BF1239779A8D439F84B2602D76AD
SHA-256:	9B4C47FAA4BD6F22E75CF8430BAC37E48108C35B6737850E583EFDC37C4D8A81
SHA-512:	961BF96B873E269AD566B33243DF872D989AAB6EB51E29CC984D26BCCC331DDB60B45B301C2FD13D9F5E10BC26CAEFBD948D305D35EBAA22515453A3CD57CFD5
Malicious:	false
Preview:	MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$.......................................................................................................................................................................................................................................................................................................................................................................................................>...z...z...z...z...J...#.......]#..{...]#..}...]#..{...]#..{...]#..{...Richz...........PE..L....?L.............................8.......-...............................D......................................1......D8..<....=..0....................A..4...P................................................-...............................text...L........................... ..hpage....x........................... ..hinit.........-.......-.............. ..h.rdata.......-.......-..........

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14592
Entropy (8bit):	6.033771703962439
Encrypted:	false
SSDEEP:	192:+Dj6z0KomA4LWbM09xLu+YMJpJ7CBMS8iCtSRGb2T+OuT+evhuj4tmkG:+Dj6zHAqW2XwFCjRjyHyevdm/
MD5:	599F3715602F4CB09AD0FDC606E3B9D9
SHA1:	659F9A1CF662260F3FB197E6FE3592922014E831
SHA-256:	589FEA41EF48ACD9F0FC54AB25A430E5627D17E8EC3C950F3C5CB71C348E9B8D
SHA-512:	56E55D7FD6330E2BBE60BD79D7502E22CEDC9F448982C54E9C924BD57B3C0741E634883435BA4621DB80852D7F47A081FA4FA4302217BFB4BF87558F7EC233BB
Malicious:	false
Preview:	MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$.........................................................................................................................................................................................................................................................................................................................................................................................................T.Q.:.Q.:.Q.:.v.G.R.:.v.A.S.:.Q.;.}.:...).V.:.v.W.T.:.v.T.T.:.v.F.P.:.v.B.P.:.RichQ.:.........PE..L...}.?L.................+...................+...............................9.......Y......................................D...d....3..8....................7.......+...............................+..@............+...............................text............................... ..hpage....~........................... ..hinit.............................. ..h.rdata.. ....+.......+..

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\587D056C\9426740A\CHK_20131028_165820.xls Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	Microsoft Excel 2007+
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	6.701734712242596
Encrypted:	false
SSDEEP:	192:8RuQ59v4QSpEeUWb2CAvib49uOHbYJy8Wn:O5l4QSpNJb2CAve49xHbr8A
MD5:	BFC68AF73FFA1AA121D292B61E6EEE17
SHA1:	A45A0D6C4CC9571BC9DB1E5984EB42BA467A61C1
SHA-256:	857F749226E477CD880AD1EFC5CFE90F819CA7187E3E229C341FC892F516BB62
SHA-512:	1CA0F915594FBD9359A301852DB87FC62C29D7C27513A35BBD314106BA3DC58331D60DAC875F29ECCC642CF34C9D4BD5E2D79122D7B278E1FCB4251F879741C3
Malicious:	false
Preview:	PK..........!.q.9+p...........[Content_Types].xml ...(.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................MN.0...H.!..%n...j..?K......c[....g...P.T...DQ4..f..\|[.d....9.g#...Ni.....Cz....*a......\|v~6}.y...-...p...J`.<X.S.P.H.a..+..>....t6..i.5.l.D..V.,D..."..5<....qFz,.m.k..."Rr...k.BKPN.+.....Z..j.qg..[.. ....2Y+.w..B.ML.D.....q.}...i.K...]?.w.Vo.NM...UB.}.%..-...i..@.\.J=IB.....i...1"o^......A..AG....c.....,E.....R'?._...r.M...?.....;6.7..........PK..........!..U0#....L......._rels/.rels ...(..............................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\609B42C1\B65B8ED4\box_feature_ppf.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2152x498, frames 3
Category:	dropped
Size (bytes):	139076
Entropy (8bit):	6.441878302402045
Encrypted:	false
SSDEEP:	768:nFJstzSYvn58tludWBaUVvef9YyzH+HRXPKX+HRgH+HlgPKw+HRgH+RPKUPn:nFJYNv2luEBaWmf9H45I4e4lOj4eKdn
MD5:	13BC7A5820F748A41E20452055D323A5
SHA1:	CA4D14E7B696A27A8D607AB390C056AAD8D47A45
SHA-256:	1C16416D81D5078A524B0DCBAFFD9A74A6DFB01E694A27B9C43EA1DAAC3AA03A
SHA-512:	2E60EC4AD6A9B9B6204BFE9046555FABF683C95CDF81168F15DB06FEC1B2782250C5FBA17B4B2269F2D6776609D3AD372E9658CB1BE3E6AB16BF8BCA0F768C68
Malicious:	false
Preview:	......JFIF.....,.,.....,Photoshop 3.0.8BIM.........,.......,........\|.http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:dc="http://purl.org/dc/elements/1.1/">. <dc:format>image/jpeg</dc:format>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang="x-default">20141009-2</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:xmpGImg="http://ns.adobe.com/xap/1.0/g/img/">. <xmp:CreatorTool>Adobe Illustrator CS5.1</xmp:CreatorTool>. <xmp:CreateDate>2016-05-03T14:13:19+08:00</xmp:CreateDate>. <xmp:ModifyDate>2016-05-03T06:13:23Z</xmp:ModifyDate>.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\655BFA89\B65B8ED4\LI-COR-logo.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	[TIFF image data, big-endian, direntries=12, height=684, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=3447], baseline, precision 8, 800x158, frames 3
Category:	dropped
Size (bytes):	87232
Entropy (8bit):	7.76374401337514
Encrypted:	false
SSDEEP:	1536:bYczYcIalM6o5JJtLgDjnRG1fvAHDlwivG/wIqZ:bLpzoX4jnRG1fIhwiv4qZ
MD5:	76FB5E4E25D73167940320BD69523801
SHA1:	6EA73FD9F333AED01255690D5704FC031AD14D96
SHA-256:	A4C401598FA51A19AD762520C3D217B8C4D0A7626B169C6A60B2126A7E53FE9E
SHA-512:	9CD93A5CE8429490D47E50FA86DC2C18D167AA1AF9716AAB079D627A6DD1AD35EE388DABC25EA27C3C2B768F82FF17FDDBF10B24A140C252F67DC19325212D6F
Malicious:	false
Preview:	......Exif..MM.*...............w.......................................................................................(...........1...........2..........i............. .........`..'....`..'.Adobe Photoshop CS5.1 Windows.2018:05:24 13:40:11.............0221....................... ...........................................n...........v.(.....................~...................H.......H..........Adobe_CM......Adobe.d................................................................................................................................................. ...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..U.,elu.81...{....s.~.Z......0tLg{.......k......9o...z..#.b...X.e.(...x.....l.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\655FCA3B\B65B8ED4\box_basic.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 646x416, frames 3
Category:	dropped
Size (bytes):	9428
Entropy (8bit):	5.6390537195983566
Encrypted:	false
SSDEEP:	192:c6yVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVMVUrVUrVUrVUrVUrVUl:hyVVVVVVVVVVVVVVVVVVVVVVVVVVVVVK
MD5:	D6BF0E1638C32635B4B0E330DD4DA28E
SHA1:	92B2747EB2E1DD1907697B4B40AA139448F4A653
SHA-256:	5950D7AA6792FCDE26529D5C213954C33441C783C4DEEE2283AAA4998AC6EFE0
SHA-512:	5140109E879C83EE9F7BD0D014D5004823155EB0E080DCED2FF10355C2A03E513318FCC83A610BDC55EAB00554CD0ADB6B1A909C50121809EC2A7116BF08EF40
Malicious:	false
Preview:	......JFIF.....,.,.....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......a...?e.....^....u......J..3e........8..z.............{...?G..O.L.........5..._..?...%...^...........'..B_.U.....{...._..?...%...^...........'..B_.U.....{...._..?...%...^...........'..B_.U.....{...._..?...%...^...........'..B_.U.....{...._..?...%...^...........'..B_.U.....{...._..?...%...^...........'..B_.U.....{...._..?...%...^...........'..B_.U.....{...._..?...%.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\67ACD331\98FBEBF9\Reference Spectrum.xlsx Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	Microsoft Excel 2007+
Category:	modified
Size (bytes):	34235
Entropy (8bit):	7.799348435900692
Encrypted:	false
SSDEEP:	768:VXOQ5UiKo1zFbU9ZnApNIBZiQLmNI2e6vWRJFu3D7:VXiiKo1zFbU9ZA/IHi0mGz6vW/FaD7
MD5:	C06B8A0334EF85F888F3DBC85669C3FF
SHA1:	CAE0D2805B7452816D5CAC7C7A6B621EAC5E3F7C
SHA-256:	E04ECF261F03F9168CD85B6FA025AC57917CD44B713B1A8D530B20C446C1211F
SHA-512:	70F83D59F1496B16CA45C60A7E1C24A0FA526E1424FE6CBA0FAA4DC43033BA5B7B52C9C015F3EBF0475B9624C41C3A2FEF43CAA1BF76A4AF66ED0B2D0E7C22E6
Malicious:	false
Preview:	PK..........!...4v...........[Content_Types].xml ...(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.n.0..W.?D.V..CUU..].-...L<!..my....IRP.h$.......%...."..21J."..{m.......H....z........f.......f.$.ORb^B.0...?)\|...e\..Z.....d.......b2~.Bm,%.;..Y.'.......krE,Tn..C2.Ear.>.T..b..4..T.4D.q.Dl....?.t4......f.;+..@{......F...io.{S..mA..g.`.2k?.Ly....&`.Cwv.\|..^z..vu..J.w.}..\.Y..%.......A..CB$....qs.k.MmQ6..-<....+......._.........G.\|.....g6 ...........PK..........!..U0#....L......._rels/.rels ...(......................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\6B339451\B65B8ED4\chart_criw.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 674x635, frames 3
Category:	dropped
Size (bytes):	27880
Entropy (8bit):	6.875985710971225
Encrypted:	false
SSDEEP:	768:TToaGXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgXgJ8bXm:TsaGQQQQQQQQQQQQQQQQQmb2
MD5:	D1A53D4B64F05A2871B04470C035F9D9
SHA1:	BF0CD7A2DC6707C59D3038CC40A3F34F8629A240
SHA-256:	FC9B2EFF24902D0408371AB727507F7C53F805038D340792D00D906E88E4AED5
SHA-512:	5A9DFFB0AC796903E6E04B388C253F8234A2E86FDDA2FD5ACE230C6D3405DEF0F54C726DF81A2C862750F60BF497F35DE503EA0D4E430015674B15BC29DE8C4F
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..S..(...(...(......m/....h...4.._6.1.v.#u...>e.......'.._.......U....o...?.?u...h...[.a..B..O.....Z(..........._.v..e....,.........U..<...o...?.?u...h...[.a..B..O.....Z(..!~.....?...R...{g.\.A/.[d......8 pF(.y.7.:.<..J..}..mq<.n.].<J.p$.d....J....$.._.......G.o.%.....5...J............_.v..e....,.........U..<...o...?.?u...h...[.a..B..O.....Z(..........._.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\6B481F13\B65B8ED4\cie1931.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:05:23 17:14:42], baseline, precision 8, 1600x1600, frames 3
Category:	dropped
Size (bytes):	350390
Entropy (8bit):	7.157320861579299
Encrypted:	false
SSDEEP:	3072:u3OzT+4vPqniUMWkPnMgZAWt9B2yxQ5FKIEaya4VsvSPcHNIjykqDY7oyZ5J1:jvPqiUMWkPMcBa5Fzn4kMcHNoHEyZ5X
MD5:	38DFEBA72CD538D1256B67D2BF8FAE0C
SHA1:	F8711D63148468FD8D712599342C504A0D1D3B72
SHA-256:	FCFB2D1F9E427F3F1B8ED33B377D0493A0B9F0C7B5172C13DAABABD1F0086B9C
SHA-512:	EB9151D05FE8FA3D3001581C276A802CAE768CD34A0F77FBFED9D44872BC41BA1D9C18625C2FBA24D625447B4769356F45E375927C3619BFA11E3A5F31109E81
Malicious:	false
Preview:	.....GExif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS5.1 Windows.2018:05:23 17:14:42..........................@...........@...........................................&.(.........................................H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch....

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\6C0AF2E8\BE4A257\LICORlang.ini Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	269766
Entropy (8bit):	4.17943553746763
Encrypted:	false
SSDEEP:	3072:uukCl9EIczUzZz+zrJZzU7ugHJ2L30fNy7IrwnN5ME+siFGV9q88YFUn8fS5cP/1:vXF8tV
MD5:	6B5601074757D38741CE5675B76388CB
SHA1:	A10E15E42235C7910BA7241A5415E6426943D947
SHA-256:	BD4B17BFFC964B105918140E2B15AF0C29292ACBFFB06E568E1269361B99F9DB
SHA-512:	311E71E2570A5C39BF7C85573F11DDB449518413679BDC1219BF4D36239E7142053EC3D7B96A5359C1B25BD20744F3C6D0F24E94981EC297671100B57BA7EAFE
Malicious:	false
Preview:	..[.C.H.T.].....B.A.S.I.C._.S.E.T.U.P.=.._...j..yr._<P-..[....B.I.N._.S.E.T.U.P.=.B.I.N.yr._<P-..[....B.i.n.E.d.t...C.a.p.t.i.o.n.=..}/.hV....b.t.n.C.o.n.n.e.c.t...C.a.p.t.i.o.n.=.#..}....b.t.n.C.o.n.n.e.c.t...H.i.n.t.=.....b.t.n.D.a.r.k...C.a.p.t.i.o.n.=..f!hck....b.t.n.S.e.t.t.i.n.g...C.a.p.t.i.o.n.=....\|.T-..[....b.t.n.D.a.r.k...H.i.n.t.=.....b.t.n.D.i.s.c.o.n.n.e.c.t...C.a.p.t.i.o.n.=..e.}....b.t.n.D.i.s.c.o.n.n.e.c.t...H.i.n.t.=.....c.b.B.i.n.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.C.h.k.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.C.o.u.n.t...H.i.n.t.=..}..!kxe....c.b.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.L.o.g.E.x.p.T.i.m.e...H.i.n.t.=..fIQBf......c.b.L.o.g.I.n.t.e.r.v.a.l...H.i.n.t.=..}...v....Bf......c.b.L.o.g.I.t.i.m.e.C.o.u.n.t...H.i.n.t.=..k.fIQBf...}..!kxe....c.b.L.o.g.I.t.i.m.e.E.n.d...H.i.n.t.=.P}_g.v.fIQBf..<P....c.b.L.o.g.I.t.i.m.e.G.a.p...H.i.n.t.=..fIQBf.....<P....c.b.L.o.g.I.t.i.m.e.S.t.a.r.t...H.i.n.t.=.w..Y.v.fIQBf..<P....c.b.L.o.g.t.m.H.M.a.x.V.a.l.u.e...H.i.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\6DBFE203\342BBCE8\Cold.asz Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	data
Category:	dropped
Size (bytes):	32243
Entropy (8bit):	7.983643036707625
Encrypted:	false
SSDEEP:	768:FwZk43Try4rswSIWlZDbkP3PTVVzN7DlKe8pGY7eKIfi:FwK+yMswSbfDb07DzxlEqVi
MD5:	AC1C8E08E905B7F2050F55295A054FF1
SHA1:	76C174B7C484DE9691DE8F60E790222D1D5362D9
SHA-256:	332EA0360575D993483B891C19DA9115342C8B207722C072E64F6D960BDA27E2
SHA-512:	2F56A66363FB558760BB8BFC370EB5F6E3ECD3037FD6BA9763903BC0F1C420421FC55CA160EBA97A2772A49949BC649FBE66BA010C5BD456ED23DA88007052C9
Malicious:	false
Preview:	ASzf........Options.dat.7..x..Z..6.._`.y..gR0..dkm!.d..&i..../..^..;<.Dy..:....E.#rf8..8._........w.}.......k.^d.Y...Czj.&+.Cz\.....x...7.....w........fM..R......n~.......n..6Mql.g0....=.Uk..DPB...k7e...^..v\...$...f..6e}....+........j.=....E.H0.$D.I...D.kI.q$...>......<..D.jL.P....].~..@..&..Y...p...h.<;.m..CR8.1.c..yy.=1.{....iYv.#..80.....\|.../!...J>&.2"E<U.{TM.-..'$Z.HR.!....h..&3.F....V.".?...vv..;0.....#...I...8..M.6Uc.T.b.7K..d5(...Br...h7m}\..1..&~....l.o...?.k.........-..XL......?....L.Z..GP ...+.'.\|..4i..7y.....v.o.v.3.P..k.g..Bx\..9h-.tA.3..g.6m.V...=0..(..U..>3.\|..m.1&.1m.WU./`d..6.].`_0.....>.....~...#....Q4..`.k..]................S.N....a>./.i.z.V.&...J...Ph.'.o.h.........I..@.-fP..........!..S.3..[......c.gYA..+e,=(.E..Vc{.".m~...x.Ql.._4BJI0.FD"9...9sXhSW.....*/g...:<...+b:k3K.....E.&p o.....,......z...{..H...L<G6....A..........L$[6.k..uM..z... .-YE.g.IM.......N:X..S.....}..@...^Q.9ct..q......".o....Q.3cX...V...L

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\7021623\B65B8ED4\chart_cie1976w.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 663x654, frames 3
Category:	dropped
Size (bytes):	49281
Entropy (8bit):	7.677803253072959
Encrypted:	false
SSDEEP:	1536:HOz9vOQugFYu+r15YmntUPmng1hlWzqivgb50oVSLs6h9OTT+0:uz3FwxOPmg1GCSooLs6hM+0
MD5:	4AE6C98119702AD8DBE19815759A9AD5
SHA1:	DD6246D6C6A2606AAB9725156B6F3C6554670D60
SHA-256:	948DC9829F0D27B461B7410CC20E42E8299FD9DC7CF29AD4C269133873A06810
SHA-512:	2CD288A1E3FD13D44DD2C1F3B8D9ADEC9EC43231E71882CEBDF8D101DC1199018B20227E88B4B73310C019F26786D991CCB230E5D46340A913C5D0FB271B4DCB
Malicious:	false
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..S..(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..4....j..i.)....gkxf..#,v+..@.&.....]{V...x........k.j.]8...9.3..p1]/.#..?.o.......h....%.........k.h........C.....X..G.#..?.o.......k.h..*...w.........c......`........,o.U..<......7.......4.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\7493ECCE\C0705257\CIEO.CFG Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25871
Entropy (8bit):	3.628876107565113
Encrypted:	false
SSDEEP:	768:tAqlIjLdNeBa/QlhO4erymyb2U2nCGqsjIogBLFenLwfl:tAqlI1NeBaolhOLrymyz2nCGqAgBLFeE
MD5:	2ED1B9435809772B68294D38B962DE19
SHA1:	ECE1D3D025626D350683E7070382F235FC9FE09B
SHA-256:	67F5DF4714FB4E1D09FC592DDD4AC6B6FAE220B25F5CEEF7B1B538AA653FF465
SHA-512:	175FD4219059AEFBC9EDF83359AEE72FC90E8A60048A6A11EBBE15B8F62F9981899D2827D791600998B4D67CC6C2703B4FAF82B520BA5411AE9247C44401BADC
Malicious:	false
Preview:	401,380,780..0.17411.0.00496.0.25686571.0.016464427.0.25686571.0.010976284..0.17409.0.00496.0.256832415.0.016464184.0.256832415.0.010976123..0.17407.0.00497.0.256787756.0.016496404.0.256787756.0.010997603..0.17406.0.00498.0.256759747.0.016528743.0.256759747.0.011019162..0.17404.0.00498.0.256726457.0.016528499.0.256726457.0.011018999..0.17401.0.00498.0.256676525.0.016528133.0.256676525.0.011018755..0.17397.0.00497.0.256621308.0.016495188.0.256621308.0.010996792..0.17393.0.00494.0.256588798.0.016397312.0.256588798.0.010931541..0.17389.0.00493.0.256533573.0.016364361.0.256533573.0.010909574..0.17384.0.00492.0.256461702.0.016331288.0.256461702.0.010887525..0.1738.0.00492.0.256395126.0.016330806.0.256395126.0.010887204..0.17376.0.00492.0.256328554.0.016330324.0.256328554.0.010886883..0.1737.0.00494.0.256206027.0.016394531.0.256206027.0.010929687..0.17366.0.00494.0.256139471.0.016394047.0.256139471.0.010929365..0.17361.0.00494.0.256056282.0.016393443.0.256056282.0.010928962..0.17356.0.00492.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\774E815E\526B362B\LICOR-about.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 145x435, frames 3
Category:	dropped
Size (bytes):	12917
Entropy (8bit):	7.841242072236601
Encrypted:	false
SSDEEP:	192:A+rZ8DyGZb+SvEEnb81eH1lJzjrFW/tUBHWTYrwwJpU8jDI0VRcYgVNJv2OsZEFs:rWyZbU8ATJk/2RDPfXfj7gYOej9
MD5:	AEB44B1C85804C8574E0E56037233558
SHA1:	1F115B2CCFF90DCD80DE33501BB2341827A65DAA
SHA-256:	0D91511EC270698D449798FEAF766B1A3820CB659BC2E37C10B52F39D7046B17
SHA-512:	347B732569F61C725355394724224063F759A430E71523F8C24CA19C041E67AC9402B6FE50C1056000CF9E36F94B7BC20D7F1891E67D2F002BD44AA0626DEF3F
Malicious:	false
Preview:	......JFIF.............C....................................................................C......................................................................................................................@............................!.1."AQa.2.B..#Wu.$5q.....478RS....................................C........................!..1AQa."q...2....#Br....3S.R....6b.45T..............?....R.... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... .... %G>....)......q.O........=....~..;'..hww...5I.<.M.......\CemC.l....\.i$......rk.Nt...y.#d49v1i..Cd2....1..C......F...\ou^......6.?...}gm{}V.4.4..I'.y#}.6Ew..&5.eL.kZ4..:.)...8...z..K....z.F...,..V....5e.=k..C....].h.R.C.H.....0.....B....y.%.g.)......BY

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\8C4586D2\7AF51026\cie1976.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:08:09 15:30:04], baseline, precision 8, 1600x1600, frames 3
Category:	dropped
Size (bytes):	304735
Entropy (8bit):	6.764574393450863
Encrypted:	false
SSDEEP:	3072:U9qqfJ6k0lWHQD3N5i85cLpl6Dziokg5ZVpLe+BUMx8Ni07c/FXr25:eq+elWHQD9Cz6Dz13ty+Bhmc90
MD5:	0C86034B78AC08E8EBF4751066FF4508
SHA1:	9E2CF625C636D92524BBD3787C326CA0A411150B
SHA-256:	B5426827E53E27D35BA83DE51C5367BA595AB1B22C2411E3B0DCBA31C6896886
SHA-512:	C25574138EE7544958DA6FC1BEE3BC0C5495547CF04DE9AC39827E2340B58593897F5F2BEEB62F5A932FC95086AD833A92D9DDA52D83758BC86AC007ED00C29E
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS3 Windows.2013:08:09 15:30:04............................@...........@...........................................&.(.................................r.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..RI$...I%)$.IJI$.R.I$...I%)$.IJI$.R.I$...I%?...RI$...I%)$.IJI$.R.I$...I%)$.IJI$.R.I$...I%?...RI$...I%)$.IJI$.R.I$...I%)$.IJI

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\9847A14B\B6D77E4E\ESPD_LI-180-000.xls Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7336
Entropy (8bit):	4.207813795706626
Encrypted:	false
SSDEEP:	192:caWYFcBd/EL8XoWGUoN8y/kc6L4eexSZod/D0FiMwX6:ckICL81LoN8IOeoYD08MZ
MD5:	75F5F0228EF83924EDAF8B5AA0DE93F9
SHA1:	A34DEB51928DDA684CEB73B267831E5D2832A591
SHA-256:	EE507AACFCA46227BE426667327F5F65432AB3EAE545619B7B05583EB95AEFA8
SHA-512:	0949B79F2FF3A24CC3F2F807017FBF09F3393AC11BB46B52F5310609F0F4B31F7DB972E451CD404119806B2F376C9476C5E5BD26EA60A75030A0BC00E2A70BAD
Malicious:	false
Preview:	Model Name.LI-180..Serial Number.C16M0094..Time.2018/06/07_18:36:47..Memo...LUX.551.286071777344..fc.51.234764..CCT.5279..Duv.0.002312..I-Time.810..x.0.337865..y.0.350262..u'.0.207044..v'.0.482941..x10.0.344416..y10.0.343235..u'10.0.214256..v'10.0.480423..deltax.0.000138..deltay.0.004687..deltau'.-0.001705..deltav'.0.002342..LambdaP.449..LambdaPValue.14.203784..LambdaD.564..X.531.774719..Y.551.286072..Z.490.864868..S/P.1.821943..Purity.0.064435..Pct Flicker.0.000000..CRI.72.959000..R1.71.421402..R2.76.906075..R3.79.229408..R4.73.710800..R5.71.450272..R6.67.357368..R7.81.994560..R8.61.602081..R9.-16.864355..R10.43.786861..R11.69.502899..R12.42.744762..R13.71.495804..R14.88.912788..R15.66.517227..CQS.71.641174..GAI.81.695618..TLCI.50.887054..Rf.70.698936..Rg.94.557259..PPFD.7.529354..PFD-UV.0.006745..PFD-B.1.763472..PFD-G.3.702757..PFD-R.2.114594..PFD-FR.0.278020..PFD.7.806673..IRR.1.697261..380nm.0.099609..381nm.0.099624..382nm.0.100046..383nm.0.101189..384nm.0.101241..385nm.0.095187..3

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.5838184446755195
Encrypted:	false
SSDEEP:	192:2fW3/zOHLiVaL/qqPhh0m1ooaJOz6CXPaxEL+GIn0alGalILp/JSUJj6jLfJv19U:2fW3LOHLdLCI0m1Xz3fW01alInS1LFv
MD5:	CEDF7CFFCCD03451FD22DBAAC2E3DE8E
SHA1:	3FD8383608DB769A1E2C8E0C1302C315DCA8B37E
SHA-256:	A1F4B952099EBA4BA4E659782F85B45C4BBB411BF5B7C02D5BE0CC3DBF27AFF3
SHA-512:	BBA0BF8C75E5A1B1AFC72F5B5A33CACA721DBB4589DE7B3430398AE147E2E2CF18A15932DF62D32423B1093453B55B48B9E99FB7549135E3CF33976229C47376
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#d..g..g..g..n}w.e..g..B......b......e..n}g.d..n}q.f......f..n}n.b..n}p.f..n}u.f..Richg..........PE..d...A.?L.........."......:..........d...........................................................................................................P.......8...........................@a...............................................`..@............................text............................... ..hpage.........0...................... ..hinit....U....P.......6.............. ..h.rdata.......`.......8..............@..H.data...0....p.......>..............@....pdata...............@..............@..HINIT.................B.............. ....rsrc...8............H..............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\AD9FE403\7AF51026\GAI.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:11:20 16:36:56], baseline, precision 8, 394x472, frames 3
Category:	dropped
Size (bytes):	36337
Entropy (8bit):	6.764811903181098
Encrypted:	false
SSDEEP:	384:gKibD1sWGibD1LnE3rvkPYNg707osesesesla:gKvWGAE3rvkPYy9sesesesla
MD5:	F6A740B37593A25B3303F21BB5C79123
SHA1:	E84EEBD8AD1C57D3EA08C6A838816FFC041971B4
SHA-256:	5D44CEB519861E072FCDEAEE1D3530FA59D573AA5C80BFE06C39BA83AEE7CEBC
SHA-512:	8B7F40BBED567DBC12F273B384B3C6D0F0F27CECFFE8FB6F8E59E27C91A21865AE972E722D1473660857A10048D26E3D9E4D79417E67245ACC86508DF4C1CA7E
Malicious:	false
Preview:	......JFIF.....d.d.....oExif..MM.*.............................b...........j.(...........1.........r.2...........i................B@..'...B@..'.Adobe Photoshop CS3 Windows.2013:11:20 16:36:56....................................................................................&.(.................................9.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..RI$...I%)$.IJI$.R.I$...I%)$.IJI$.R.I$......RHq._2....y......?..I%.)\|.V{..\...9......I/.K.R..............RI\|._2....W...G....

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\B7ED429E\E1510A13\setup.ini Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	639
Entropy (8bit):	5.225501775126988
Encrypted:	false
SSDEEP:	12:o4W7yQSuA5Q0ZAFXYFP3oZjAjwMphMpYNS75qyR910OUGyy:o4sSuASFFuPYZj2py2N0syR9apGyy
MD5:	80DF0F8F1C0B01912035B8EDBEE3FCA4
SHA1:	A375BB2019091745C5A65CFD6CCC13F3459395FC
SHA-256:	2DCEAA5F2B3661B8BBFC8C3EB4C8AA9464D1A113C53375A0B23618CA32F98EAB
SHA-512:	7C4FFBB64965074667987D88E740046DB9BD17916A6D6019EBBCAAD441A7AB07E88A29E9FB5BDF07C6F58AE19120935EBCD650D0F9B03DC3E969911181749002
Malicious:	false
Preview:	[Driver Type]..USBXpress....[Driver Version]..3.3....[Product Name]..Silicon Laboratories USBXpress Device....[Company Name]..Silicon Laboratories....[VID]..10C4....[PID]..EA61....[Relative Install]..Relative To Program Files....[Install Directory]..Silabs\MCU\USBXpress\....[Install Subdirectories]..x86..x64....[Install Quiet Mode]..Off....[Uninstall Quiet Mode]..Off....[Copy Driver Files]..No....[Remove Copied Files On Uninstall]..Yes....[XP_2K_2K3_VISTA INF Files]..SiUSBXp.inf....[XP_2K_2K3_VISTA Driver Files]...\x64\SiUSBXp.sys...\x64\SiLib.sys...\x86\SiUSBXp.sys...\x86\SiLib.sys....[XP_2K_2K3_VISTA Catalog Files]..siusbxp.cat..

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\C3C84A4C\E1510A13\SiUSBXp.inf Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	Windows setup INFormation, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1728
Entropy (8bit):	5.224754517663399
Encrypted:	false
SSDEEP:	48:5/dOSWX4TQDblD63zIp6MpSyj6PCCuQ4fx+q:5/du/l+sVSyjVbQ4x+q
MD5:	BC384072A8A9F073B51EF98ACF303D5B
SHA1:	30235521EB314146B1FD71B67F3CE7D920E2668D
SHA-256:	0F042E4397AAE2383340DC6D5E224DE88ED28C8F7AC1E0C0E03C1BB7E58A0D80
SHA-512:	7A9044D6072852A4685775DAF2E3F1AEAB9A5797D85CF577E4E3F0446EFA53EFB226D96E428BE979467A666D6AAEB005AF021797A994312E610BC3873868C3F8
Malicious:	false
Preview:	; Silabs USBXpress Driver..; Copyright (c) 2010, Silicon Laboratories......[Version]..Signature=$WINDOWS NT$..Class=USB..ClassGUID={36fc9e60-c465-11cf-8056-444553540000}..Provider=%MFGNAME%..DriverVer=07/14/2010,3.3..CatalogFile=SiUSBXp.cat....[Manufacturer]..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs]..DefaultDestDir=10..;System32\Drivers..DriverCopyFiles=10..,System32\Drivers....[SourceDisksNames.x86]..1=%INSTDISK%,,,....[SourceDisksFiles.x86]..SiUSBXp.sys=1,\x86..SiLib.sys=1,\x86....[SourceDisksNames.amd64]..1=%INSTDISK%,,,....[SourceDisksFiles.amd64]..SiUSBXp.sys=1,\x64..SiLib.sys=1,\x64....[DeviceList]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[DeviceList.NTamd64]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[ControlFlags]..ExcludeFromSelect=*....;------------------------------------------------------------------------------..; Windows 2000 Sections..;------------------------------------------------------------------------------......[DriverInstall.NT]

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\C9AB7ACB\7AF51026\cie1931.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2013:08:09 15:39:41], baseline, precision 8, 1600x1600, frames 3
Category:	dropped
Size (bytes):	336534
Entropy (8bit):	7.115911162455732
Encrypted:	false
SSDEEP:	6144:GI2tAK++2lUccb5UeseFVYp9WabwF+3bbveA:GI26Kl2lURb5UeseFIWabw83bbGA
MD5:	A4EC7C5FA49097EA26788ECF321A50D0
SHA1:	087058EFA3499B861E24C32A6EB5B86C86470935
SHA-256:	CA503EF7FDD964353860C55ED9924F9F02434D07B2A075E8E477CAFBAEF195F1
SHA-512:	91D99DF6CB4F2DF763C6F9CA59DE45AF3647142F371BFCE672519523285EF94F57403617EC37806F3E131E682925AC8AC12B2C381306C2E5BF5491FA98DD0260
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS3 Windows.2013:08:09 15:39:41............................@...........@...........................................&.(.........................................H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..RI$...I%)$.IJI$.R.I$...I%)$.IJI$.R.I$...I%?...RI;..`....x.v..MjVIoQ.p.a...a..Z........#...8.5.~m.sO...?.d..t~1...\...8

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D2758F69\B65B8ED4\cie1976.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:05:23 17:15:12], baseline, precision 8, 1600x1600, frames 3
Category:	dropped
Size (bytes):	313463
Entropy (8bit):	6.814020649307973
Encrypted:	false
SSDEEP:	3072:xzqzFaS2L8hls4H5oU4+6h/qeGVra2FA6nZqWTs9MRS:xzqzFp7ZoA11a2F/n1T3S
MD5:	E6F16A7651B2C498F5506220CD24B3F7
SHA1:	A1463B7A75A1309135F086CD026A334439EE624D
SHA-256:	BC3CD3B0F623353B0067F670DA41E5639E2BF722954A67D3737E7CBBF39F6291
SHA-512:	F66867FA36BA8BB34690FECACEB9FFB07E966B61D0994C19B5E1A1D637C7D3393E5B313C3F48FC03743E0E0F7BF998B9C3E51203F8160EA2C08CF87F425BC3AA
Malicious:	false
Preview:	.....WExif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS5.1 Windows.2018:05:23 17:15:12..........................@...........@...........................................&.(.................................!.......H.......H..........Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..T.I%)$.IJI$.R.I$...I%)$.IJI$.R.I$...I%)$.IO...T.I%)$.IJI$.R.I$...I%)$.IJI$.R.I$...I%)$.IO...T.I%)$.IJI$.R.I$...I%)$.IJI$.R.I$...I%)$.IO...T.LH.I..RR.(..&..'...

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	20469760
Entropy (8bit):	6.646788174507154
Encrypted:	false
SSDEEP:	196608:r4Z+O+3MQUGqcJ8g+QwA9Nst9zmJemKD:r4xJGOA/Ooe7D
MD5:	4CB8BE08741CF33831104499F1240830
SHA1:	ACE76BA4ECCA1A4CEA87CFA539F60E969258DBA9
SHA-256:	26A4B2A211FF8078C7E232A1AE4290A92BD0DF171E5416CBC97BC3B4C3379681
SHA-512:	37FEF919B225EBB1E78E36A91C3A2D1530B47F65B8226B07BB9A86AEFD1B0F7889EC05CB731EBE2AFD2B346456B3FE5AC7AC95682B788366F3C5977E2B1A4D26
Malicious:	false
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, Author: Joe Security
Preview:	MZP.....................@......Pjr......................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L......`....................p......d2............@...........................:.................. ...................0..`....p...J... ....q..................@/..b...........................`...................................e...................text............................. ..`.data....p.......j.................@....tls.........P.......>..............@....rdata.......`.......@..............@..P.idata...P...p...L...B..............@..@.didata..p.......f..................@...

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D532E401\20073942\mdd_0.ttf Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	TrueType Font data, 15 tables, 1st "OS/2", name offset 0x30a0dc
Category:	dropped
Size (bytes):	3189464
Entropy (8bit):	5.995760690515092
Encrypted:	false
SSDEEP:	49152:aKGJGTV0L61KRCn7GvLkNrxCQ4Skrrlh67iPFfR:XGJGR0L3k7AhrrltR
MD5:	134EA9D05DB33ADF680B8440F715CCF9
SHA1:	3122FD8759ACB7562A98F6349EF0E2E46A018895
SHA-256:	70F760EE31BB569EC53E33B44A699643898DC8C65B3034E370953AFD1E63964D
SHA-512:	C512C3F68EB90C5A6D78D2F00559A42CE492131F0CC6B18A5483B57E906793EFAFD25785F0836483214333AA9E77960DD6C6F32FC8292178644FC9E4D2B91A9B
Malicious:	false
Preview:	...........pOS/2...4...x...`cmap.:.....\..r cvt ............fpgm.!Y....\|....gasp.....0......glyf4..>...$..head.h.........6hhea...m...4...$hmtx............kern>.B..0......loca(..h........maxp.......X... name..^.0......post.....0..... prep...)...................._.<.................."m................................+.................................'........./.............................$.......z...>................).\|.........1ASC.@.............D............... .....K.........C...E...g...................:...M...M...........@...R...E...`...........................................E...E...............m...........................~...........W...E.......~...........................................................N...`...N.......i.....1.........w...........T...........B...B.......B.......................f...t...W.......{...........}...q...[.....=.[.......E.......\|.....&.U...R.......n.......U...U.....1.....E...5...U...Z...............m...................................................B..

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D83B2FF9\7AF51026\tm30image.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2015:12:30 17:35:06], baseline, precision 8, 800x800, frames 3
Category:	dropped
Size (bytes):	94892
Entropy (8bit):	7.270988868597474
Encrypted:	false
SSDEEP:	1536:s8c3FL8w+sqCi2MhzmZRRgFwHXbGZC17CFIQTUH4dlqUtIeKFwWIQI5uDKRID:s8MF1hinpmZRR0WXqZC17CFV4YdcTeKX
MD5:	628BA21B5C6B2759EAE8A66A6BE2C6C3
SHA1:	349D8736B69DCBB1A0C58736B5006E19737D2144
SHA-256:	871AF5869E6B0D8AAD4EE8B45AA02B4349FE0BFD35B0B6960DC7C177E33DB05F
SHA-512:	70FDE4CB2C719F10B6B407FDB5453B2D7CD672F3FE3F8185CC86B988FC94A2680E8161E382DAF2C99F04ECA0654A6E1DB38FF0D41A672928FEC508E50649CBD7
Malicious:	false
Preview:	......JFIF.....H.H......Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop CS3 Windows.2015:12:30 17:35:06............................ ........... ...........................................&.(.................................z.......H.......H..........JFIF.....H.H......Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?... C..X.-.."....8Y.0....5..H.j.T. K..3j#T....e.9..Br.,.D.'".....x.r..\..8Y...nEr...f..!...NK../.........M...aD)..Y.6..A..K

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\DAA0442\526B362B\LICOR-start.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 28x28, segment length 16, baseline, precision 8, 600x360, frames 3
Category:	dropped
Size (bytes):	20110
Entropy (8bit):	7.456114321529859
Encrypted:	false
SSDEEP:	384:NJ22ogJO6LBHPVzp7/C5Xy2bbd4632YQdkA4lliVhU:kgJO61NN0Xykbd4IQ2A4lliVhU
MD5:	DB5050170386F50D5268871E82F8CF49
SHA1:	269AD18CEC7382CE70192A9E9805324EE50889A9
SHA-256:	C3242691970CAA16C3508D08309EEAEB38310AF944EB05CC51FD32ED31F9D14B
SHA-512:	70C31CF3ECD273AB431F7A92BA7D44AC57ADF9B49B8C2A10C2A8180A26ADB6CE8BE156E2412336B1FC434C46381BB95BF1A98D682B26275A3F2433CE83AADBB6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................h.X.............................................Y............................!1..AQa.."2368Vqrsu........7BWtv......#5b..$R..&C.DSTcw.....................................E.........................!1.AQq....234Ra......"STr..6...#Bb5...$C..............?..L....................................................................................................................................................................................................................................................................................................................................................................................$.&,...kz..."..g.Y..$y~..t..-4....t.rE..E3l...E.S5Dq@9.u..[...9A.d.7tk...O.....v................Q.E.o3...c....x..*.q...u./...>....].m.U...x..l.s..m.t..2i.<q.g.O...Q.u.nH.i.XD...-.g..m...7.....j})...

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	5.9593050226304385
Encrypted:	false
SSDEEP:	1536:EFrG2x+yr66sN/Cnj3sxacCtmkAdheNcief1n9JNABxojxiM:E1G26wjNtkT9JaBijU
MD5:	8D32BE58B5F5BD7317628BF6BE577DB7
SHA1:	C43BCE281CDB08C4B36D7C15B2817C901B75A9EE
SHA-256:	4CB634E37C2622AFBCDDF706868F4E992DB59B7BBB6F99820EC636307F833C32
SHA-512:	DB27E8DD5361424D98C4894B8D9163CE88A51F31F343C8474CCEB30C353EEBFBAD92F2A252B299E7E52B203CB69388E875CFE5680BBA36D7ACB807F955D0EC77
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I+..(E..(E..(E...8..(E...(.(E.?'...(E..(D.(E...+..(E...?..(E...9..(E...=..(E.Rich.(E.................PE..L......M...........!.................n.......................................p.....................................0.......l...d....@.......................P..P...................................8...@...............H............................text...E........................... ..`.rdata...7.......@..................@..@.data...$.... ....... ..............@....rsrc........@.......0..............@..@.reloc.......P... ...@..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\E379E83C\7AF51026\CRI2.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	[TIFF image data, big-endian, direntries=12, height=945, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=945], baseline, precision 8, 800x800, frames 3
Category:	dropped
Size (bytes):	317756
Entropy (8bit):	7.8934485714815565
Encrypted:	false
SSDEEP:	6144:mbVolEvG4/Rkez+lh6MLh/kRG2x2yiQpWMJGzxBYDH:GolEv6ez+SY2vpgYDH
MD5:	F41266D03391E18B49F781EC376AE02E
SHA1:	776BD803EDA70C5463F595B670A17F1CBEC3045E
SHA-256:	D6F4C7DF131CEB1357BF951E2AF27349A583D53500A9CA0D60BDF2F0202DE8D6
SHA-512:	0D6D6D0B0F01AFE5585E7011F19ABE85305418819C8F319CF13E0CC1591C9A462E8388C5C3F9EEC4D8190C080BA69E075784047A9E9C1CF7CE96AAD22135FFA4
Malicious:	false
Preview:	......Exif..MM.*.......................................................................................................(...........1...........2..........i............. .........`..'....`..'.Adobe Photoshop CS5.1 Windows.2018:08:14 11:26:55.............0221....................... ........... ...............................n...........v.(.....................~...................H.......H..........Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..RI$...I%)$.IJI$.R.IX.....C....ql............l..i)......-f.G.[k....@.jn.l

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\E5444EFD\CD0E66BD\LI-180_Log_Example.xls Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	3750
Entropy (8bit):	4.008741802403102
Encrypted:	false
SSDEEP:	48:+8OFBBLkDlmXEhePfniR+sZ5URhyfahrXp7zfBSLnJ+PnshS6CI+zRI7yjShRhxd:l0Rvni6RbpXfCnISCdnwX/JU9kwbC6He
MD5:	6B725689715D05FF07DDD4446546AE98
SHA1:	E6393831097644DA12EE0CEEFE2C4E3FFD60CD7E
SHA-256:	6BFED87E667BACB00FB1BD98AC564E4A43A120679BE91378C485FEDD5D91A7FE
SHA-512:	9C3A3D4632B9E0076F61966252480068B3343F709F5A923E84D70DEA2BAE21DD9500F4B6146B048F7092333BFDCE9B78EF4D79AB49BD8359FC5D572A6CFC80C5
Malicious:	false
Preview:	Model Name.Serial Number.Time.Memo.LUX.fc.CCT.Duv.I-Time.x.y.u'.v'.x10.y10.u'10.v'10.deltax.deltay.deltau'.deltav'.LambdaP.LambdaPValue.LambdaD.X.Y.Z.S/P.Purity.CRI.R1.R2.R3.R4.R5.R6.R7.R8.R9.R10.R11.R12.R13.R14.R15.CQS.GAI.TLCI.Rf.Rg.PPFD.PFD-UV.PFD-B.PFD-G.PFD-R.PFD-FR.PFD.Pct Flicker.IRR...LI-180.C16M0094.2018/06/07_18:38:57..543.148682.50.478500.5279.000000.0.002312.810.000000.0.337866.0.350264.0.207044.0.482942.0.344412.0.343248.0.214248.0.480429.0.000139.0.004689.-0.001705.0.002343.449.000000.13.986156.564.000000.523.924194.543.148682.483.612244.1.822421.0.064443.72.989456.71.441299.76.929138.79.267715.73.732475.71.476006.67.393066.82.017883.61.658089.-16.677534.43.856194.69.527214.42.825092.71.514412.88.933922.66.551353.71.674065.81.703079.50.969234.70.737282.94.565559.7.421987.0.007622.1.738674.3.647980.2.086047.0.279896.7.702174.0.000000.1.674243...LI-180.C16M0094.2018/06/07_18:39:02..569.244202.52.903736.5288.000000.0.002364.780.000000.0.337633.0.350170.0.206922.0.482862.0.34

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\ECC34BEC\3EF45B9E\ANSI_Ellipse.xls Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	3.811029766434935
Encrypted:	false
SSDEEP:	24:cXRbzjOJi/CG1wwHPINYdBvmCQI9MSDVG:eRfCJi/CGVSY7x39P4
MD5:	30638861125319A8EB54E0F75F953AD5
SHA1:	8091B23543DE04CA3769A9C913C0AFAFD3191BC3
SHA-256:	F6DFE926CECB9139750FC181961260E75817587C353BC525A7E018A2A571DCB1
SHA-512:	3175EAFF7FF111EEBDE48459CDCEDBDD7927F3B0FFEE0B29B53A932F51007F19927E8448B4D31F31D0D95312273511C752E7DD0BC7634EFE212C578EC84DC3ED
Malicious:	false
Preview:	ENERGY STAR ANSI C78.377.......E10.......0.4813.0.4319......0.4562.0.426......0.4373.0.3893......0.4593.0.3944......E20.......0.4562.0.426......0.4299.0.4165......0.4147.0.3814......0.4373.0.3893......E30.......0.4299.0.4165......0.3996.0.4015......0.3889.0.369......0.4147.0.3814......E40.......0.4006.0.4044......0.3736.0.3874......0.367.0.3578......0.3898.0.3716......E50.......0.3736.0.3874......0.3548.0.3736......0.3512.0.3465......0.367.0.3578......E60.......0.3551.0.376......0.3376.0.3616......0.3366.0.3369......0.3515.0.3487......E70.......0.3376.0.3616......0.3207.0.3462......0.3222.0.3243......0.3366.0.3369......E80.......0.3205.0.3481......0.3028.0.3304......0.3068.0.3113......0.3221.0.3261.............CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.463.0.42.0.00258.0.00137.57.17..3000.0.44.0.403.0.00278.0.00136.53.1..3500.0.409.0.394.0.00317.0.00139.52.58..4000.0.38.0.38.0.00313.0.00134.54..5000.0.346.0.359.0.00274.0.00118.59.37..6500.0.313.0.337.0.00223.0.00095.58.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\F28C57DF\B65B8ED4\chart_cie1931w.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPCM), density 1152x1152, segment length 16, baseline, precision 8, 663x654, frames 3
Category:	dropped
Size (bytes):	52016
Entropy (8bit):	7.671803743250698
Encrypted:	false
SSDEEP:	1536:HQeswjrRRDzYtzY04Q1lIeSqDye7R6CvZJz+75:wbwjrRRDzY1Yjq7SQ7RjvZJzW5
MD5:	5A5A18D04A1E20512F32E8C21F286E4A
SHA1:	5193582C703AFCB9FFFB84C46B6837BBE9026BE0
SHA-256:	827E3E67CD174BBA9A30FB11F0E0419DA0384B84CCD2050E6246701B505FAEF9
SHA-512:	DB5B18AA3358736EED43F9EE3F3284AB15DFA22606FFBB7CD278036BAD380F91F8FFD1F07AC2CB6D7AE4C879E7369716A61E3EED85AEBF09B742811172107434
Malicious:	false
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..S..(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..4....j..i.)....gkxf..#,v+..@.&.....]{V...x........k.j.]8...9.3..p1]/.#..?.o.......h....%.........k.h........C.....X..G.#..?.o.......k.h..*...w.........c......`........,o.U..<......7.......4.

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\F4ED2515\3EF45B9E\ANSI_2011.xls Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	881
Entropy (8bit):	4.0063232350310995
Encrypted:	false
SSDEEP:	24:cGIV0UVuKaZuTAQaQubrOcHge3vQTDVz6y:eVzVudZuTOQublB/W1z
MD5:	ADDCFE247A6E035209CCCBD99F699EA1
SHA1:	764AD762AE4E1A063F57C2C8E2D18AB0DC5141EA
SHA-256:	505C3D93C19A8C64D5131AB94E1CBD77BDA4EF1A1B7187D731510C2CB5DFD3A6
SHA-512:	9A77CF8974BA731D8436C9E1F4B0B1D8990B8733BE86A26566808AD134B1B0E6EB4A599CF7AE7037BCD8878906548310F7686A024DD88DB7E507CB983DB97C55
Malicious:	false
Preview:	ENERGY STAR ANSI C78.377-2011.......E10.......0.4811.0.4315..0.4561.0.4259..0.4373.0.3892..0.4591.0.3941..E20.......0.4561.0.4259..0.4302.0.4171..0.4149.0.382..0.4373.0.3892..E30.......0.4302.0.41713..0.4003.0.4034..0.3895.0.3708..0.4149.0.382..E40.......0.4003.0.4034..0.3737.0.3879..0.3671.0.3583..0.3895.0.3708..E50.......0.3736.0.3879..0.355.0.3752..0.3514.0.348..0.3671.0.3582..E60.......0.355.0.3752..0.3375.0.3619..0.3366.0.3372..0.3514.0.348..E70.......0.3375.0.36169..0.3205.0.3475..0.3221.0.3255..0.3366.0.3372..E80.......0.3205.0.3475..0.3027.0.331..0.3067.0.3118..0.3221.0.3255.........CCT.Point(cx).Point(cy).a.b.Ellipse Rotation Angle..2700.0.459.0.412.0.0027.0.0014.53.7..3000.0.44.0.403.0.00278.0.00136.53.22..3500.0.411.0.393.0.00309.0.00138.54..4000.0.38.0.38.0.00313.0.00134.53.72..5000.0.346.0.359.0.00274.0.00118.59.62..6500.0.313.0.337.0.00223.0.00095.58.57..

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\FC8C594\7AF51026\LICORC.jpg Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS5.1 Windows, datetime=2018:08:07 16:10:55], baseline, precision 8, 424x389, frames 3
Category:	dropped
Size (bytes):	65664
Entropy (8bit):	7.563574997001168
Encrypted:	false
SSDEEP:	1536:J3UYDQO5/EOYE+HZYS+up2wvGon6fR93oV:mk5JU5YS+uN+9s
MD5:	A57E8C6BB8787217316ACE238BDFF43A
SHA1:	03C311EF7213EF6219391E1DEE6BEE781C32B97C
SHA-256:	C339438B62D436692A6363693799D818CEE49F043EDE20C7E06DF1E4947855EB
SHA-512:	48CDF60EABA0BC8AF560E3B4E75481EE0EDCA7FCB763B63FD3298883676AA2E92936E537891DC48ED5230AD75AB48EEF3AD9395A40EF889FE74A03BEA42F271D
Malicious:	false
Preview:	......Exif..MM.*.............................b...........j.(...........1.........r.2...........i.................z..'....z..'.Adobe Photoshop CS5.1 Windows.2018:08:07 16:10:55..................................................................................&.(.................................L.......H.......H..........Adobe_CM......Adobe.d......................................................................................................................................................"................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..RI$...I%)$...L..%......>.JN..s,?E.....De......$..J.s].>F.Y.S..ZI....IIRI$...I%)$.IJI$.R.I$......RI$...I%"........).w+..y..U7..s.%(p.(...i.?...Nl.~p....)..h..

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1340928
Entropy (8bit):	6.677299856016359
Encrypted:	false
SSDEEP:	24576:89mKmMTfYBbuMNX9PnKMHxXgrptvZzDMbxBqSwY1raig5CUd1t:89mn1buMNX9yChIGbxUSwr57d1t
MD5:	57C34F9689A69BE0C1CD7F6FF3FDA546
SHA1:	54F0D3CB9693D8937AA93301AC66D25CDEA9B628
SHA-256:	2C2095721E9E7B3CA68D08D5F3D6E0528B8BCED9A45CEA638CF4B8212E9B139E
SHA-512:	01C95F082FD71DAD1BC686F37B7CA06724936B2E02294147EEBE384910809ADC8D802D89016CFA423C1181D531CE6C8D0AF4C95F633D8AE8D6AAD3B10C842F4D
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......R.....................\|............... .....Q.........................0....................................... ..O.......\|9.......Z...................@...............0..................................................^....................text...\........................... ..`.itext..x........................... ..`.data....L... ...L..................@....bss.....S...p.......F...................idata..\|9.......:...F..............@....didata.^...........................@....edata..O.... ......................@..@.rdata.......0......................@..@.reloc.......@......................@..B.rsrc....Z.......Z..................@..@.............0.......v..............@..@........................................................

C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\mia.lib Download File
Process:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1335758
Entropy (8bit):	6.607116387652834
Encrypted:	false
SSDEEP:	24576:kKLeEbW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ5e:jLeEbasY6DwOBfrnvV7UeWtPe
MD5:	2957FB70B1A610B54D98CC4FB2F8DCEC
SHA1:	68319EBF22A4B7D3B52B2E1198CF61535D024E24
SHA-256:	30B0CD1B04F0B39251614DB60C5F9AD7E98E4201B46CDF4C850942A14F03ECD0
SHA-512:	873CCADABA7A9A639328B42360166BCC427C7298FF743829C3BE92F0FBD9EF8D000F64B799765EB80D42F8BFC5196BF1083752D33840359909E9DA740B15C489
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ad.. ... ... ....g.. ....q.. ... ... ...X... ...X... ...X... ...X... ...r... ...X... ..Rich. ..........PE..L.....8R...........!................3=.......................................P.......g....@.................................<...d................................,...................................................................................text...-........................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...............................@..@.reloc...J.......L..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IAW1FEA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	MS-DOS executable, NE for MS Windows 3.x
Category:	modified
Size (bytes):	1409
Entropy (8bit):	2.1115216556009377
Encrypted:	false
SSDEEP:	6:HRMU/KehW3pFZZdCPqxdHHEpKwJ5zCQu2Tj6lsylDdHHEBBFdHHEr:SeoFMPqxd2t3zJWld0di
MD5:	7277AB8197859325E576F54AAC1A874C
SHA1:	380786163FC9DCC8E9E24811146C11A5AF85BAC8
SHA-256:	DF37B99C49E061C068DA989057DC8F175398A43C2003359F9A69E171EE6ADA96
SHA-512:	9DEF3549647B745D6A957E41CC8ABD574EFAE0C7C63D434249969E83510A6551F23F4D8087CCEFCCB0422492B8BA1206A10D683086ABE433840F23F1B11063FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This is a TrueType font, not a program....$.Kiesa.NE................................@.@.t...................................H...P.,............@...P..........FONTDIR.mdd_0......mdd_0.ttf......FONTRES:Droid Sans Fallback..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lang.loc Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	161742
Entropy (8bit):	4.663134233193565
Encrypted:	false
SSDEEP:	3072:VklAVePDH8KN74yCpNadsnh6j4g9hmzqJqqtn:C
MD5:	04B0ED6BC3D34D2A67F2C81A66C9E57F
SHA1:	7B3B7FBBA050195C4B170670CEB3F70EF4CEC901
SHA-256:	D11AC6568E18FEA4BEADE649AE12F79A4D7B0572BDA22C5732242E35078ED42F
SHA-512:	CCA5304934E00A435E4FCE5FB6C5C6A3E3D855F48111F3CFB3DED00F6249B9F919C3F052900FE2AFEEF0A3C9D6DDD768BA26369334F149562EAA288F4049CF5F
Malicious:	false
Preview:	Please install the common controls update from Microsoft before attempting to install this product...Setup resource not found..Setup resource decompression failure..Setup database not found..Runtime error in install: ..bytes..KB..MB..Attempting to get value of undefined variable ..Attempting to set value of undefined variable ..Copying: ..Unable to copy installation data to local folders..Downloading Web Media: ..Unable to download installation data from the web..Extracting Web Media: ..Unable to extract installation data downloaded from the web..Please locate your original setup sources to continue operation..Original setup sources required to complete operation, sources not found..General setup failure..Runtime error in setup script:..% complete..bytes received..InstallAware Wizard..InstallAware is preparing the InstallAware Wizard which will install this application. Please wait...Retry Download?..Downloading of installation data from the web has failed. Would you like to try again?

C:\Users\user\AppData\Local\Temp\mia.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	62942
Entropy (8bit):	5.50721751851534
Encrypted:	false
SSDEEP:	1536:P/PsPRMaGVrW4N9sCMO8qsusKK+2yKmeivC6SSqKa6Pqiiqzq:PHkGVy4DsCMO8qsusKK+2yKmeivC6SSu
MD5:	6ADFD0B8EF2EFEDC490D196722D6CED5
SHA1:	330FBEA87954910F2807B4DD686E011D2A5700D4
SHA-256:	E5AB09A6DA49A874E46E890F075E47825BC6A60A3B1122186F8088A5039E05AE
SHA-512:	AB7458BFBE2968279AA43443E4121F09E2D9F75498FF56EFF912FE6DE2B352D1B87EA3ED69EA777422AE260C6C2DF46EE73F4068A64BC0518EBB7117C4F7DEDB
Malicious:	false
Preview:	.Comment..Comment..Code Folding Region..Code Folding Region..Comment..Code Folding Region..Comment..Code Folding Region..Comment..Set Variable..Set Variable..Comment..If..Set Variable..Set Variable..End..Comment..Code Folding Region..Comment..Code Folding Region..Comment..If..Display Dialog..If..Terminate Install..End..Display Dialog..Comment..If..Set Variable..Set Variable..(Un)Install MSI Setup..If..MessageBox..Terminate Install..End..If..MessageBox..If..Reboot and Resume..Else..Terminate Install..End..End..Set Variable..End..Comment..Hide Dialog..End..Code Folding Region..Comment..Code Folding Region..Comment..Code Folding Region..Comment..Define Component..Comment..Comment..Get System Settings..Get Folder Location..Get Folder Location..Get Folder Location..Get Folder Location..If..Set Variable..End..Get Folder Location..Get Folder Location..Get Folder Location..Get Folder Location..Get Folder Location..Code Folding Region..Comment..Code Folding Region..If..GoTo Label..Else..Comme

C:\Users\user\AppData\Local\Temp\mia1\Install Fonts EXE-PlugIn.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	76728
Entropy (8bit):	6.254581045679638
Encrypted:	false
SSDEEP:	1536:edjdN2c6vBVoJFLVbRv4e1R42TtHT/tNzxU:edNmVGFp9B1TtHT/tNzu
MD5:	980ABD131E4B45DC8ED554D3EE0C2044
SHA1:	B6041667248E9AD0CED547B33C16BF1D8A495661
SHA-256:	0D75323B0EEFE651374099234B718DA70FE3C160D62BD73B49579CB07C4DDE4B
SHA-512:	0429B94DD0871CB8EDB02DDDDEF2E5D21D22B09D96DCB1CF937E35B2D085742CEBDF121591902FD0A686078F9F241C5551892D1BBFC15E2B094D39BEBA159C5A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.yW...........!...2.....h...............................................`......O$.............................. ...x............@.......................P......................................................."...............................code...'........ .................. ..`.text...l....0.......$.............. ..`.rdata..............................@..@.data....R.......N..................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mia1\LI-180_Installer.msi Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	0
Category:	dropped
Size (bytes):	798720
Entropy (8bit):	6.23248504194283
Encrypted:	false
SSDEEP:	12288:FNL40BKXsbzlDSJjQ8guBoN2KA2wKc7wMz7:FNL4GW5BqPA2fc7wMz7
MD5:	2B7F717CA3147788D37977F204C309F3
SHA1:	801DADC3079409E409B3C16AE1366278AECDD6C6
SHA-256:	828EA236DD2C65385C158D31D7395A3BFEF4BB2D2F45033CEF21EB67F227D15D
SHA-512:	A758244D2C8E165540775DDD744CA76A8854A5927D361053AFF12D173E5D63B72E30882F9C6E4C93032FA6A3BCC426435C35AF6123C3C63240075F2A8312DFFB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\mia1\componentstree.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	33309
Entropy (8bit):	3.3772470427001995
Encrypted:	false
SSDEEP:	768:pJHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfTE:phXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dt
MD5:	F1BA2D0A20CF4290FCDB45B3CF54840C
SHA1:	EC808EBC2563D3D00866BDE0AFF4059C3C995C03
SHA-256:	F27A9B4D468632780547E3FC26A59993B3108A18CB096852A302577BFA4C6F2F
SHA-512:	C4073CE6F58447B858901389D52BD479C888370CD6328499B516B9C919A728C4099F00DFA19005AC65BC986A79FF2A9A0E4CAAE9BCC0A5E3A72747696B4BC126
Malicious:	false
Preview:	...TFRMDESIGN.0.....TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z..

C:\Users\user\AppData\Local\Temp\mia1\componentstree.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	374
Entropy (8bit):	4.773773154848379
Encrypted:	false
SSDEEP:	6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
MD5:	8101E0CC3186C05F85B2CD484D26AE9D
SHA1:	B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
SHA-256:	A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
SHA-512:	DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
Malicious:	false
Preview:	IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\destination.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	33184
Entropy (8bit):	3.358519824453405
Encrypted:	false
SSDEEP:	768:BxHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfh:BpXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Ds
MD5:	C92448DB4098F4A3095C0BF94500D2D6
SHA1:	D5F0AAA3C7E55B085D0D57C13499E07AF30354CF
SHA-256:	799B7F02BA036F90052545DA51D2807A0CB65B657C36FB26113BDE086E40D929
SHA-512:	830244E76DBD3CE333A540FB54470F99FC295FCF00CF2D2586FA28094B1A2EB0A5B98EAFBD82A78AD37635E5424FA84C428630B5D42E322E885A846CF0EEE5EE
Malicious:	false
Preview:	...TFRMDESIGN.0.....TPF0.TfrmDesign.frmDesign.Left....Top.\|.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...

C:\Users\user\AppData\Local\Temp\mia1\destination.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	374
Entropy (8bit):	4.773773154848379
Encrypted:	false
SSDEEP:	6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
MD5:	8101E0CC3186C05F85B2CD484D26AE9D
SHA1:	B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
SHA-256:	A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
SHA-512:	DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
Malicious:	false
Preview:	IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\finish.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	161230
Entropy (8bit):	1.999222422314916
Encrypted:	false
SSDEEP:	192:tty+Dfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4CWNux1LAwpk:tbbI/T4+
MD5:	F45B64FF519D1538DCC250AA3149AC4D
SHA1:	CF1B58E06FAA1D7F7239C648E64CF4DE1A1CFDF2
SHA-256:	15958250C4F342B9ABF75E7DAA1AA5BBD8366BA6D57B23E0A690FD0F2F703F72
SHA-512:	ED61591FBE14B7A3ED798EFAA4D577BB0AD620AF0996DEA9E96A4A31E024C17F80B561133B97D08B1E41CF286F9B04214C0FF565D6A1DD59A9763E516B0D2410
Malicious:	false
Preview:	...TFRMDESIGN.0..u..TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.DoubleBuffered..Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...GlassFrame.Bottom./.OldCreateOrder..Position..poDesigned.Touch.ParentTabletOptions..Touch.TabletOptions..toPressAndHold.toPenTapFeedback.toPenBarrelFeedback.toFlicks.toFlickFallbackKeys..PixelsPerInch.`.TextHeight....TImage.Image1.Left...Top...Width....Height.:..Picture.Data..i...TBitmap~i..BM~i......6...(.......:...........He..................V-..a8..`9..b=..nD..yJ..zL...S..d@..gC..jE..jF..mH..rL..tK..sM..zQ..kG .mI .lI%.rN$.tO&.pN).{R#.{U .{S$.rP.tP).sR..{W..}Y.vU2.\|Z2.yY6.}[5.zZ8.}^;..X...V...[...`...f...a...f...l...o...z...\|...r...z...q...w...\|...\#..X'..]$..Y)..[,.._/..^4..e'..h#..i%..l+..t...d2..b4..f6..e:..g=..h?..j<..l<..q<..~)..\|

C:\Users\user\AppData\Local\Temp\mia1\finish.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1938
Entropy (8bit):	5.044225786332962
Encrypted:	false
SSDEEP:	24:vuikSi+nfi0ZiFuEai/pZSruicvSi+pipUivuNsIi/pEaiDatfi/pTvSgREii/p5:v5ExAGVPbu1ZRMfkf3faWYxWqQch
MD5:	A5066097B928A2A87318FF5D74084344
SHA1:	7041B5D87E79ED362121DC5E29751960D6D8B1FA
SHA-256:	418DA2B3B60D642FAB7C40E6366DC8CA53C8E4BFD761083EB3E2425682BBD0E4
SHA-512:	DC8FC4841217FC503DD94060E1D151552022CDDCB115BE5F4317FF3C8686AACA2A6931A08EB5005B00D3DDA848D90236A2ADE1E4B98BCD4F6C01B6552F70BF63
Malicious:	false
Preview:	.IF (checkSuccess.Caption = COMPLETE) THEN textComplete.Visible := True;..IF (checkSuccess.Caption = REBOOT) THEN textReboot.Visible := True;..IF (checkSuccess.Caption = CANCEL) THEN textCancelled.Visible := True;..IF (checkSuccess.Caption = ERROR) THEN textError.Visible := True;..IF (checkSuccess.Caption = COMPLETE) THEN RunNow.Visible := True;..IF (checkRemove.Caption = TRUE) THEN textRemove.Visible := True;..IF (checkSuccess.Caption = REBOOT) THEN RebootNow.Visible := True;..IF (checkSuccess.Caption <> COMPLETE) THEN textComplete.Visible := False;..IF (checkSuccess.Caption <> REBOOT) THEN textReboot.Visible := False;..IF (checkSuccess.Caption <> CANCEL) THEN textCancelled.Visible := False;..IF (checkSuccess.Caption <> ERROR) THEN textError.Visible := False;..IF (checkSuccess.Caption <> COMPLETE) THEN RunNow.Visible := False;..IF (checkRemove.Caption <> TRUE) THEN textRemove.Visible := False;..IF (checkRemove.Caption = TRUE) THEN textComplete.Visible :=

C:\Users\user\AppData\Local\Temp\mia1\icon.ico Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	MS Windows icon resource - 6 icons, 256x256 withPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 128x128, 32 bits/pixel
Category:	dropped
Size (bytes):	102009
Entropy (8bit):	1.439058677460756
Encrypted:	false
SSDEEP:	96:8fWSNWlsTzOmH4xjpREoc6klrV1X7sAtkqN2Afw+80KsbLootu+43pKdBKKirUEI:zlC6Fx9REoc6UrV1LsAtkqzoB+45Kd0C
MD5:	8669CAD499B2FDD623A2219DA0EDF9E2
SHA1:	1D41EC18DD60166CD34DE34FED5B19E778F99590
SHA-256:	E47079863E0FAC451B02DDA76171729FF8EAD992281E003ACE30BA73237575A8
SHA-512:	0F3720C1C46EEE10018A627B7CBD36C1630A8A9B1A97C5BBDE93CF38038BA265A200D0867338E14DED554D7565DB29FC16C45698476022CEE4F660DE6F061DEC
Malicious:	false
Preview:	............ .....f......... .(...q...@@.... .(B......00.... ..%...S.. .... .....iy........ .h........PNG........IHDR.............\r.f....IDATx...].me....Q.b...e...E.!.!..>...#.y.)v...*..Y.........g.,.uS....]..V.f.dIZ..b...}.s..........y.3...3....kM..................................p.=.'.....rte...>q.[:&._.......#.........9....q-.\|0.isn.Y.g......I..........0.`.X.9b.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a.....@a...vl...1.....O..1...=.]a.O.Q;/..=..$.(L.X.wg.\...........e.t.U .@a.....9.J..d.v~.]..1....T.\|^...7........y^>.{..L...$.E.Z.o.....h+....ED.t...S_.yyM.n...g.....?...[....$.(L..i.7G...jI`......1.......yi+.F.......zc...y^n.}(.D...$..2.......N..^.. ""..{z......md=..?.......y........I.....rtk....b[!..._.$0.g....qmWK.7..#.$0.......k.9.[..].g.f....s.>......l.x8.....}.I.P...}.z.......6..0.)""..{{....Z.o......G....$.(L....'

C:\Users\user\AppData\Local\Temp\mia1\installaware.png Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	7.871063017224323
Encrypted:	false
SSDEEP:	24:X93kpZjQLmEcxtIwWXPAGpKpkZcks41xdrqUaBdJbYfxpJgx7YWg/uLwdCnq:N3Yj8mEcxywiPrpKpNMdr07SxgSt
MD5:	B7225A16DAF9DE1D514AEFE567FDF2F5
SHA1:	D6A00C526C425FCD5EF49B0C87814F2CF476CB59
SHA-256:	0E2DEFC9B470D3F9BD184D254493EFAD94EA0273C1FE17FC8FC651D47B01734E
SHA-512:	31412603AE87F2B9C9DAD2D0BA64868105586D1778846DE5F1C14667C4292DE36FC193B54670BDF130019B0B42AB59EEF2C2D8672226BA755181FEA894BD9246
Malicious:	false
Preview:	.PNG........IHDR... ... .....szz.....IDATx.W.L.W...!..dl.'.@.10.a.....2.T'.....SD..-PK@t.....:53.... :#F.......\|"...L....6 m)Lw........9...K.+.b...z.x........=...J.V....n3[.B..v[m..../....o0.L....Q...&...$~?%%?PG..S<..]...$.Z......O.3".k....m]..2S9..4,.k+.xf..k.F...V..4[Ec'K.2.2..PK.....H$..H.....kA...M..>.zs.....^...K"...j..:..Hu.T..Q.....N...y'.+9.dR.{..Xn....w.f...R.KQB.]z........6>..,.......q.%........;.,......U{.i....Z.....)._I..7..J.q..d)...CM....;...,R~.B.S...E...p[-O........].F...%..A.%....{.%....]Q..>.-..f..C..i.Q..+5.......A'~.....J...M.mtN..0..r.>.@K.....D...<...CI^#.-.P.}?R..M.-.7..GS...Z^9s..<6.....>......<..g.~.9....{]Ju..}`..Z(..ikw^.,)X..g...\|G.LQ9A^...9pe....7d.......SE.Q..../nx.}_..F...$..I..K...o4.^ ..e.X.Q.H......&........Q..............\n....J......./...7.....E.9.....$...K..!...c.`.=.Jd.nq.n.W.Q...Q.#s.w._.d....u...Q].-U.N.J..&.O..=......a+.k.....%.$..(.....@`...lx.......tDC..=.{...^"...@.....\{;#.^...G.q./AA.

C:\Users\user\AppData\Local\Temp\mia1\license.rtf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	Rich Text Format data, version 1, unknown character set
Category:	dropped
Size (bytes):	8029
Entropy (8bit):	5.0787285797616715
Encrypted:	false
SSDEEP:	192:6RMfWBgsh5jrcRUjFZ6Adb+3eGl83ykMfUaFW7W9nK7dLf0gurZ+2:Yush5jICj6AdRGAD4W7W9K710N02
MD5:	6017828D717690DD90F7AB6BBEA202F2
SHA1:	C24165A9B87075A6E71E95E58E2EEEB9C932811F
SHA-256:	29B4BFB1AA7BD6B23CD4CC14E23AA8A3E5D9A3C6AAB66E93BBD419B23115728B
SHA-512:	F7605379EC384DB19928C9BFA5168DBE45C718E2E885CAA8A5A412BB5CBCA49091481FC7D29018A44A41A54093A3524A168E16FD4471291A327152AD7F4A13E6
Malicious:	false
Preview:	{\rtf1\fbidis\ansi\ansicpg950\deff0\deflang1033\deflangfe1028{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\fnil\fcharset136 Tahoma;}}..\viewkind4\uc1\pard\ltrpar\lang1028\f0\fs16 END USER LICENSE AGREEMENT \par..\par..\par..\lang1033 This copy of LI-180 Spectrometer("the Software Product") and accompanying documentation is licensed and not sold. This Software Product is protected by copyright laws and treaties, as well as laws and treaties related to other forms of intellectual property. LI-COR, Inc. or its subsidiaries, affiliates, and suppliers (collectively "LI-COR") own intellectual property rights in the Software Product. The Licensee's ("you" or "your") license to download, use, copy, or change the Software Product is subject to these rights and to all the terms and conditions of this End User License Agreement ("Agreement"). \par..\par..Acceptance \par..\par..YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT BY SELECTING THE "ACCEPT" OPTION AND DOWNLOADING THE

C:\Users\user\AppData\Local\Temp\mia1\licensecheck.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	32515
Entropy (8bit):	3.2392237095249325
Encrypted:	false
SSDEEP:	768:j2HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfE:juXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5D1
MD5:	9A87495839CA4357F293308C86139F03
SHA1:	0529F4612D004BAA1FE8806F6EAD5E78B3E76E55
SHA-256:	C623B82A8BE3EAD16900164C09AFEE00215DC1749A6DE8D4F381CF983A3F5CEB
SHA-512:	75F64D527924764598066D157C406FD18A00FA59EAB8D418724EF7E87B8B718EF57595118284710A08B17D7C287723AAF5F06383F877ADF77EFF7F7573AD665E
Malicious:	false
Preview:	...TFRMDESIGN.0..~..TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z..

C:\Users\user\AppData\Local\Temp\mia1\licensecheck.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.896842553280578
Encrypted:	false
SSDEEP:	6:aHi6GKuMtrk86i6euMtrkeuN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+J:0IMtgfjMtgxINIkU3lkimkU3MIkT
MD5:	D312F2FDC09193A04578D688A2CA292D
SHA1:	54BD3AA4CC72E68FC613A4227CADA7AD702D795E
SHA-256:	DB1C3A93A00A46C77F3E8D19C5DA4D42C54CE58C9EB71B586E512ABEE2D46967
SHA-512:	A71514B0F31010F7BF23954BCE707A277CA765BC14DDED7D7870615528A7751E4B26E72BB826781BC4F57C2A7C75FCFB92C4BA781AAD58372CF6CECE39832D19
Malicious:	false
Preview:	IF (LicenseCheck.Checked = True) THEN Next.Enabled := True;..IF (LicenseCheck.Checked = False) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\mDIFxEXE.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1305600
Entropy (8bit):	6.66768345397406
Encrypted:	false
SSDEEP:	24576:yIAaJZ7NOcdUT4OELlCRmLrxB4Swz+hLnNlAj4HdH:HcWgYfxSSwz4A6
MD5:	511629FCCFB6C536A8F6FCBF4AA06401
SHA1:	6931DE3FB845AF6CD30348108A98767268EF6200
SHA-256:	65AD010679A748A7174ABE1C314E0F1AE78E7BE69DEC22F0357536F21399C68C
SHA-512:	D51248F81789E8E2DEFB7B59E551B3FF705C8D8BB098AC66E7A4C7C9AF48855544BA44D6256F02052B6D525753A645E7EA601F421A5918446A231775F89E081C
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......R.....................h......\..............Q....................................................................O....P...5...P...T..........................................................................Y..H.......^....................text....k.......l.................. ..`.itext.. ............p.............. ..`.data....L.......N..................@....bss....PS...............................idata...5...P...6..................@....didata.^...........................@....edata..O...........................@..@.rdata..............................@..@.reloc.............................@..B.rsrc....T...P...T..................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1340928
Entropy (8bit):	6.677299856016359
Encrypted:	false
SSDEEP:	24576:89mKmMTfYBbuMNX9PnKMHxXgrptvZzDMbxBqSwY1raig5CUd1t:89mn1buMNX9yChIGbxUSwr57d1t
MD5:	57C34F9689A69BE0C1CD7F6FF3FDA546
SHA1:	54F0D3CB9693D8937AA93301AC66D25CDEA9B628
SHA-256:	2C2095721E9E7B3CA68D08D5F3D6E0528B8BCED9A45CEA638CF4B8212E9B139E
SHA-512:	01C95F082FD71DAD1BC686F37B7CA06724936B2E02294147EEBE384910809ADC8D802D89016CFA423C1181D531CE6C8D0AF4C95F633D8AE8D6AAD3B10C842F4D
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......R.....................\|............... .....Q.........................0....................................... ..O.......\|9.......Z...................@...............0..................................................^....................text...\........................... ..`.itext..x........................... ..`.data....L... ...L..................@....bss.....S...p.......F...................idata..\|9.......:...F..............@....didata.^...........................@....edata..O.... ......................@..@.rdata.......0......................@..@.reloc.......@......................@..B.rsrc....Z.......Z..................@..@.............0.......v..............@..@........................................................

C:\Users\user\AppData\Local\Temp\mia1\maintenance.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	160624
Entropy (8bit):	1.9662006432706152
Encrypted:	false
SSDEEP:	192:tdMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4Cwtq69wWnUgK:tfI/kwAgK
MD5:	B3C9C9EE0C9C2DCB15CF24D5DF20F4F3
SHA1:	3B1660EB617CB2751D9CCC79B8C025BD5A7B153B
SHA-256:	23D6D6041B3025A8B1817B5FC455067B534AD91DCB19A1D09509A3AE55065CED
SHA-512:	93C5B855AF462D9772754CB46307F5890735F7476D8ECF0F9CF213BC3A32EB4E19E3C48842A68F9D1DD29EAF2A8A2EE4712E917AB05BC121C18BFA77E3250811
Malicious:	false
Preview:	...TFRMDESIGN.0.\s..TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.:..Picture.Data..i...TBitmap~i..BM~i......6...(.......:...........He..................V-..a8..`9..b=..nD..yJ..zL...S..d@..gC..jE..jF..mH..rL..tK..sM..zQ..kG .mI .lI%.rN$.tO&.pN).{R#.{U .{S$.rP.tP).sR..{W..}Y.vU2.\|Z2.yY6.}[5.zZ8.}^;..X...V...[...`...f...a...f...l...o...z...\|...r...z...q...w...\|...\#..X'..]$..Y)..[,.._/..^4..e'..h#..i%..l+..t...d2..b4..f6..e:..g=..h?..j<..l<..q<..~)..\|1..}8..eD..kF..oJ..mA..sC..rD..uH..xM..xS..}V..zJ.................../...3...4...?...<...1...6...8.....................................

C:\Users\user\AppData\Local\Temp\mia1\maintenance.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	374
Entropy (8bit):	4.773773154848379
Encrypted:	false
SSDEEP:	6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
MD5:	8101E0CC3186C05F85B2CD484D26AE9D
SHA1:	B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
SHA-256:	A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
SHA-512:	DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
Malicious:	false
Preview:	IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\prereq.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	32639
Entropy (8bit):	3.2633511856005843
Encrypted:	false
SSDEEP:	768:scHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfi:scXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dp
MD5:	3B989C7730DF816A13A88B722A25B021
SHA1:	882F64912D28ED7C1EE1D59333E934CC73E1C50A
SHA-256:	9E7054257B4D608BC16547468B0E6D4AA06B0A0CF467CF76CD7ED169979E0B2C
SHA-512:	36E42A53E3F4956DD87DCBF6E36B43E9210B8A5195684228CCF7C465ECB7105505EAFF01F705B8B4D48631E21C02B443AB871D84415A1597FC4B52B22D18689F
Malicious:	false
Preview:	...TFRMDESIGN.0.k...TPF0.TfrmDesign.frmDesign.Left....Top.{.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...

C:\Users\user\AppData\Local\Temp\mia1\prereq.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	744
Entropy (8bit):	4.963019277603885
Encrypted:	false
SSDEEP:	12:qITMDIb6UIJTc6S6juINIkU3lkimkU3MIkT:qIMIb6UIJA6SsuINI53ldm53MIk
MD5:	172D6845744A1EC7DC233E9335C5A47C
SHA1:	F0E3CB9C55F0F0961EF496D3EBF532943FB155E1
SHA-256:	7AEF8EF0D965D2AEDDDF2FBC2B99BA2A3E5E96517BCD38ADB1A3315456D16E6F
SHA-512:	639D0D336EA949B877E12A0DB026FC3D085F3DD2B25A7C5CDCC8850CCD998FCA4364BB18D167454AEDB763793E9D251E08A1A3A06A46117FF0B5B2AE22E06643
Malicious:	false
Preview:	IF (checkWINST.Caption <> TRUE) THEN WINST.Visible := True;..IF (checkJS.Caption <> TRUE) THEN JS.Visible := True;..IF (checkDotNET.Caption <> TRUE) THEN dotNET.Visible := True;..IF (checkWINST.Caption = TRUE) THEN WINST.Visible := False;..IF (checkDotNET.Caption = TRUE) THEN dotNET.Visible := False;..IF (checkJS.Caption = TRUE) THEN JS.Visible := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\progress.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	43482
Entropy (8bit):	4.168440625869399
Encrypted:	false
SSDEEP:	768:3JHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfR:3hXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Da
MD5:	5C0175D2688D0942C2616E689B52C5F9
SHA1:	200FE3D32B6A593538F61E3D1AA2A860BC40A2EA
SHA-256:	00FD246E8C2E5C79A0753C5BFD0D37A21C1CC0B272312C127E0775DB94669392
SHA-512:	02440C85404465F8FD590BF6AA5FA4FF315A34B39A9B958C73B294AC139B6C6D9BAAC0CD26A769E62480C547A71F98ECB70D6BBDCA4390F4347DBBC80E780AB8
Malicious:	false
Preview:	...TFRMDESIGN.0....TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z..

C:\Users\user\AppData\Local\Temp\mia1\progress.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	666
Entropy (8bit):	4.809149901341814
Encrypted:	false
SSDEEP:	6:a3jF2duukAiRcjjuukTDoRcjF2duukTDQTjjuukA6uN82du+wg4RBN82dukU3ekd:csIrqar1sIroarIINIkU3lkimkU3MIkT
MD5:	03D007FB3FC47A2F8CA6EB2C13881052
SHA1:	3212C3FB7FAA97630F849AD7EBA205D90EAC7EE3
SHA-256:	692786FB6BF3363DFDD0CDA8013986F4F63FD9209DA6BD1299CC8CF06275DF89
SHA-512:	A2193DFBB22D9F8EFB3CFFD8F2E4021A3213667F13F218EF1AA9B1DD2BF3044AF1E71CFB19497762A386B6CFB841C4C642C739A52471556ED7C3877907D6EA9E
Malicious:	false
Preview:	IF (TestRemove.Caption <> TRUE) THEN CaptionInstall.Visible := True;..IF (TestRemove.Caption = TRUE) THEN CaptionUninstall.Visible := True;..IF (TestRemove.Caption <> TRUE) THEN CaptionUninstall.Visible := False;..IF (TestRemove.Caption = TRUE) THEN CaptionInstall.Visible := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\progressprereq.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	43116
Entropy (8bit):	4.127536230542945
Encrypted:	false
SSDEEP:	768:yUHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibf/D:y0XQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dm
MD5:	AF75C73B31B45D4797A326367B1A696A
SHA1:	B2795FAA612F4BFAEDF79EF0DDC6CC7E43FB5801
SHA-256:	F5BD968E1580C2B47D800867A237D4F90CD7465E38219836E7792094354CBBD2
SHA-512:	9073543CBF566EB031E6EF257A670BD59535B568F2D5C480A4D9DF9470586234226EB232F8A18D64322477502FB3AFB14B2422827647B69CFD8AFB2CFD75E490
Malicious:	false
Preview:	...TFRMDESIGN.0.X...TPF0.TfrmDesign.frmDesign.Left....Top.w.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...

C:\Users\user\AppData\Local\Temp\mia1\progressprereq.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	374
Entropy (8bit):	4.773773154848379
Encrypted:	false
SSDEEP:	6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
MD5:	8101E0CC3186C05F85B2CD484D26AE9D
SHA1:	B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
SHA-256:	A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
SHA-512:	DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
Malicious:	false
Preview:	IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\readme.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	32365
Entropy (8bit):	3.210637703795355
Encrypted:	false
SSDEEP:	768:F2HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfMR:FuXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dn
MD5:	8DB37E945737A642476551E6EA537ED5
SHA1:	2579ECFFD229F167398337358778E032AAAE3E3D
SHA-256:	4221122F990055367BE3AF2CCD9A8A6A28E4E8A8889B74BD543C70E96FF63527
SHA-512:	461CD4C6F01A82AC1C6D97968AF1B3CCD6E5D5D8C76C5CDD92822869335C379E8DD07A562DF787232D173588D9DCBC1E3071A5E5BE873D02DE6744BEE599AA92
Malicious:	false
Preview:	...TFRMDESIGN.0.Y~..TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z..

C:\Users\user\AppData\Local\Temp\mia1\readme.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.896842553280578
Encrypted:	false
SSDEEP:	6:aHi6GKuMtrk86i6euMtrkeuN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+J:0IMtgfjMtgxINIkU3lkimkU3MIkT
MD5:	D312F2FDC09193A04578D688A2CA292D
SHA1:	54BD3AA4CC72E68FC613A4227CADA7AD702D795E
SHA-256:	DB1C3A93A00A46C77F3E8D19C5DA4D42C54CE58C9EB71B586E512ABEE2D46967
SHA-512:	A71514B0F31010F7BF23954BCE707A277CA765BC14DDED7D7870615528A7751E4B26E72BB826781BC4F57C2A7C75FCFB92C4BA781AAD58372CF6CECE39832D19
Malicious:	false
Preview:	IF (LicenseCheck.Checked = True) THEN Next.Enabled := True;..IF (LicenseCheck.Checked = False) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\registration.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	32609
Entropy (8bit):	3.2576929890359447
Encrypted:	false
SSDEEP:	768:ewVHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5Dmoibfg:ewdXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5v
MD5:	357DC1A87B637A95C2255C15ABDB9765
SHA1:	B41DBE26DB3C8F489E32096535E7DF8AF5F7859C
SHA-256:	005829185AC1A56337D40D515C7E8DA84B06A8E7B7487477DE521861248645D0
SHA-512:	ABBBD816EDDE10AF7612ACCF8858434BD9C17443B92CD7E3966F44B2F624822EE123EAD2DA7F1EF686D76D13FE7C4923F1E3460E0681CB9C239462638D14F677
Malicious:	false
Preview:	...TFRMDESIGN.0.M...TPF0.TfrmDesign.frmDesign.Left....Top.z.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TLabel.Label5.Left.(.Top.H.Width.8.Height...Caption..&User Name:.FocusControl..Name...TLabel.Label6.Left.(.Top.x.Width.A.Height...Caption..&Organization:.FocusControl..Company...TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a......................................................

C:\Users\user\AppData\Local\Temp\mia1\registration.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	576
Entropy (8bit):	4.8398488933566055
Encrypted:	false
SSDEEP:	12:+GYMtg+YMtgdmMtgpMtgxINIkU3lkimkU3MIkT:+ffFmB5INI53ldm53MIk
MD5:	FF697C2FFA89894EC61F9ADF6839926E
SHA1:	25CA863E1866D72D2AB76F76B15A7705F2C0CD12
SHA-256:	C8FDC1180440954E7773ABFA450D153194FA675B8B2764F0300C00A73C989BAC
SHA-512:	A67389FBA944DEA454F7D4559911F745ADE10A8B3B5ED57A6741546AA4EF77FC47017BC7711A586A19EDFA3825517D78BA46A841B0AB7291B6145EA9B0E63A76
Malicious:	false
Preview:	IF (Name.Text <> ) THEN Next.Enabled := True;..IF (Company.Text <> ) THEN Next.Enabled := True;..IF (Name.Text = ) THEN Next.Enabled := False;..IF (Company.Text = ) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\registrationwithserial.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	33341
Entropy (8bit):	3.3842477874818355
Encrypted:	false
SSDEEP:	768:JdHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfM4:JFXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dk
MD5:	8616C794648FD69FAC8F0F88EDB22E4E
SHA1:	DDDFECF6EA3719E9CEF5C406FD4D525AF7D74A61
SHA-256:	7E5099588AC9EB46983021CFDFCDDDBEFEBFE4CBD8388A531EDAD35FC3DA842D
SHA-512:	B1288B55785B0CA40F331AE92460F213A1C8D77037D5ABA6BBBD74882024ABDC8985E10899F4476CFF64D83F424957B11FD0B759B537E2216DB4E146B1CD09ED
Malicious:	false
Preview:	...TFRMDESIGN.0.)...TPF0.TfrmDesign.frmDesign.Left....Top.v.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...

C:\Users\user\AppData\Local\Temp\mia1\registrationwithserial.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	4.80637071596533
Encrypted:	false
SSDEEP:	12:+GYMtg+YMtgPt0YMtgPrYMtgP0ZYMtgPpDYMtgPuYMtgdmMtgpMtg6tkMtg63Mtz:+ff7kkKSHFmBBApVeN5INI53ldm53MIk
MD5:	E30F9BD0EB3C6A3372F67E0F8886E28C
SHA1:	B390AAEDCE02E0A1A031506EE73C313221367BBF
SHA-256:	905BBFEDE6E19926541295E4599A14169CDC21392388DAE0EE1974A5C827D608
SHA-512:	CBDCA01D6A8E060307DA35E6F5F5F52D691F0245E285548454B391543680817783CB443046263BEF5BC3B7A774C503771403FC5B76069F02ADD8A72972CE67F8
Malicious:	false
Preview:	IF (Name.Text <> ) THEN Next.Enabled := True;..IF (Company.Text <> ) THEN Next.Enabled := True;..IF (Serial1.Text <> ) THEN Next.Enabled := True;..IF (Serial2.Text <> ) THEN Next.Enabled := True;..IF (Serial3.Text <> ) THEN Next.Enabled := True;..IF (Serial4.Text <> ) THEN Next.Enabled := True;..IF (Serial5.Text <> ) THEN Next.Enabled := True;..IF (Name.Text = ) THEN Next.Enabled := False;..IF (Company.Text = ) THEN Next.Enabled := False;..IF (Serial1.Text = ) THEN Next.Enabled := False;..IF (Serial2.Text = ) THEN Next.Enabled := False;..IF (Serial3.Text = ) THEN Next.Enabled := False;..IF (Serial4.Text = ) THEN Next.Enabled := False;..IF (Serial5.Text = ) THEN Next.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THE

C:\Users\user\AppData\Local\Temp\mia1\setuptype.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	33637
Entropy (8bit):	3.431633511700928
Encrypted:	false
SSDEEP:	768:+YHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfQd:+YXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Dp
MD5:	0ED309FE577738BE9F9EC6E6D4630658
SHA1:	3D22B4956C8DA2C4E91D99C590E165710915AEC3
SHA-256:	D65D017C4E6F112F1959F6BBC50FDFF35348596BE68183A5570257A199EAC1A6
SHA-512:	10E4E1D32E0A47196D18EAFA4FFF03C7F7D36F3AF37E1A0A3DCDE04ADEB3BBF2B3CE51A76D8236CE60AF63D813469BB20E28E997F10BB7986E39DF97B851BFC7
Malicious:	false
Preview:	...TFRMDESIGN.0.Q...TPF0.TfrmDesign.frmDesign.Left....Top....HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TLabel.Label4.Left.(.Top.H.Width.I..Height.!.AutoSize..Caption..Please select a setup type..WordWrap....TBevel.Bevel2.Left...Top.:.Width....Height...Shape..bsTopLine...TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP*.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................)..

C:\Users\user\AppData\Local\Temp\mia1\setuptype.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	374
Entropy (8bit):	4.773773154848379
Encrypted:	false
SSDEEP:	6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
MD5:	8101E0CC3186C05F85B2CD484D26AE9D
SHA1:	B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
SHA-256:	A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
SHA-512:	DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
Malicious:	false
Preview:	IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\startinstallation.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	160094
Entropy (8bit):	1.9356018985653418
Encrypted:	false
SSDEEP:	192:BrMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4C/DE+n5mW+y:BNI/SjJ
MD5:	72FB03688EB1DC0BFB2EC47EFC219136
SHA1:	4C05F9B7F93B9CAEFDFBDE71AEFA33662E30284B
SHA-256:	CFEBA603367D7CE269E6806BEF49E135370CB4AE80EA575442DCE0833FDB991A
SHA-512:	6FA85A87C2BB0ADC4F699557D5C56A7D714E3852B1531E8AE3516195BB4FED29E6278966192F6A5068D166938760F42E44F355AF0735B3291D1DEC01357E52C1
Malicious:	false
Preview:	...TFRMDESIGN.0.Jq..TPF0.TfrmDesign.frmDesign.Left....Top.~.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.:..Picture.Data..i...TBitmap~i..BM~i......6...(.......:...........He..................V-..a8..`9..b=..nD..yJ..zL...S..d@..gC..jE..jF..mH..rL..tK..sM..zQ..kG .mI .lI%.rN$.tO&.pN).{R#.{U .{S$.rP.tP).sR..{W..}Y.vU2.\|Z2.yY6.}[5.zZ8.}^;..X...V...[...`...f...a...f...l...o...z...\|...r...z...q...w...\|...\#..X'..]$..Y)..[,.._/..^4..e'..h#..i%..l+..t...d2..b4..f6..e:..g=..h?..j<..l<..q<..~)..\|1..}8..eD..kF..oJ..mA..sC..rD..uH..xM..xS..}V..zJ.................../...3...4...?...<...1...6...8......................................

C:\Users\user\AppData\Local\Temp\mia1\startinstallation.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	374
Entropy (8bit):	4.773773154848379
Encrypted:	false
SSDEEP:	6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
MD5:	8101E0CC3186C05F85B2CD484D26AE9D
SHA1:	B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
SHA-256:	A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
SHA-512:	DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
Malicious:	false
Preview:	IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\startmenu.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	33346
Entropy (8bit):	3.385772495039534
Encrypted:	false
SSDEEP:	768:27HXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibftPV:27XQ1NmO7ZDrkqzM+KGk1ccHq7kJT5Di
MD5:	79A6D4AC0D44492941DBF1BCF729FCE0
SHA1:	B9A4351BA665D5F190FDCEAAC2F278214E402628
SHA-256:	ED50635652C5E71DD4EE1FBEB5B64E312235D3215C519E2DA2966FF44C61745B
SHA-512:	D0B8A675193F05FFB8A71624E67A0FB63BE6433C73798B675486F6D86181DDE52E1910E51A27E7A61932A0360E2236BE3493196497D9B7C198A8B8CE5F6C2808
Malicious:	false
Preview:	...TFRMDESIGN.0.....TPF0.TfrmDesign.frmDesign.Left....Top.z.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...

C:\Users\user\AppData\Local\Temp\mia1\startmenu.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	602
Entropy (8bit):	4.858794405298382
Encrypted:	false
SSDEEP:	12:jOYMtgQeMtg1dsdrHEUxIsdrHExINIkU3lkimkU3MIkT:jXoe3GI1INI53ldm53MIk
MD5:	5622CBE0342EA56DBEDDB3F036450AE9
SHA1:	97D52E9CE2FE1BA92BA141BCC66D2ECC6EC93978
SHA-256:	19878CE6F272ECDBE413786244A8476214F99445EBB85F307E92B07F2A4C8869
SHA-512:	C1E7CB7493635D368FBB7DA741353C82CB389488E1D8C32CB769FADACE21BC27416E59D2A9525A8DAC1D69195679CE91120496E7A74BF44377E91D97267B231F
Malicious:	false
Preview:	IF (MenuGroup.Text <> ) THEN Next.Enabled := True;..IF (MenuGroup.Text = ) THEN Next.Enabled := False;..IF (ISNT.Caption = TRUE) THEN AllUsers.Enabled := True;..IF (ISNT.Caption <> TRUE) THEN AllUsers.Enabled := False;..IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\welcome.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	160013
Entropy (8bit):	1.9309569759113825
Encrypted:	false
SSDEEP:	192:1vMMfzvu9vJSm3IZ8Zgspkk4B9heXItzNGzOiOWEpap5PKo6Mmp4CBH1qwWn5meN:1pI/V9d
MD5:	90F5FF6EDDCCA361D3D359958A97D5A4
SHA1:	85AF264588C053310154318DAB63F754584206D9
SHA-256:	8A9CE30F887652B86334075B2E42E5B76F48075928CE56C53C4D23E375DD546F
SHA-512:	D8A03D9E20292330E3736F178D1B6315CE88B3C623A89C527C5EA33999FD4395A1D98DC95F7632CE0AAD4D9853EA98F36CD641E36E5AA118FECE247ED24E5D43
Malicious:	false
Preview:	...TFRMDESIGN.0..p..TPF0.TfrmDesign.frmDesign.Left....Top.~.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.:..Picture.Data..i...TBitmap~i..BM~i......6...(.......:...........He..................V-..a8..`9..b=..nD..yJ..zL...S..d@..gC..jE..jF..mH..rL..tK..sM..zQ..kG .mI .lI%.rN$.tO&.pN).{R#.{U .{S$.rP.tP).sR..{W..}Y.vU2.\|Z2.yY6.}[5.zZ8.}^;..X...V...[...`...f...a...f...l...o...z...\|...r...z...q...w...\|...\#..X'..]$..Y)..[,.._/..^4..e'..h#..i%..l+..t...d2..b4..f6..e:..g=..h?..j<..l<..q<..~)..\|1..}8..eD..kF..oJ..mA..sC..rD..uH..xM..xS..}V..zJ.................../...3...4...?...<...1...6...8......................................

C:\Users\user\AppData\Local\Temp\mia1\welcome.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	374
Entropy (8bit):	4.773773154848379
Encrypted:	false
SSDEEP:	6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
MD5:	8101E0CC3186C05F85B2CD484D26AE9D
SHA1:	B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
SHA-256:	A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
SHA-512:	DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
Malicious:	false
Preview:	IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\mia1\wizard.dfm Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	data
Category:	dropped
Size (bytes):	32251
Entropy (8bit):	3.1896653509607855
Encrypted:	false
SSDEEP:	768:arHXQ1NmO7ZDrkqzM+KGlm1ccHq7kBTT5DmoibfH:arXQ1NmO7ZDrkqzM+KGk1ccHq7kJT5DI
MD5:	8AA68DEE4B3D18226980261469A560ED
SHA1:	E359A76C34D1F906690054A871C85DFA3A1C88A4
SHA-256:	D2267023E1F38FA5E44AFDF55B6DD485E25F2F1A8EC82C9E93EB8F137F0FBA2F
SHA-512:	6FC30F309A79C6A5661E6673B94258B0C1A240ED9934CB3D6A65C76CAAEDA032001A8F4C79416C76D9F278A0ADDFF595D04B1D60A0924363CEBB97311659CF6C
Malicious:	false
Preview:	...TFRMDESIGN.0..}..TPF0.TfrmDesign.frmDesign.Left....Top.z.HelpType..htKeyword.HelpKeyword..passingvariables.BorderIcons..biSystemMenu.biMinimize..BorderStyle..bsSingle.Caption..$TITLE$.ClientHeight.h..ClientWidth....Color..clBtnFace.Font.Charset..DEFAULT_CHARSET.Font.Color..clWindowText.Font.Height...Font.Name..Tahoma.Font.Style...OldCreateOrder..Position..poDesigned.PixelsPerInch.`.TextHeight...GlassFrame.Bottom./..TImage.Image1.Left...Top...Width....Height.;.Picture.Data.~w...TBitmaprw..BMrw......6...(.......;...........<s..................V-..^4..^6.._8..g;..a9..oB..xI..iB..gB..rK..nJ#.qN(.rP.wT(.sQ,.uT/.wV2.}[1.zY6.~\5.\|\9..P...W...^..._...e...c...i...l...s...{...y...z...\|.......Z!.._2..i<..dB..jJ..mM..sF..zO..}O..sU..uW..uX..z^..}P..}a..........................................................).....!..!..$..&..(....-..<..1..4..7..;...Z...j...l...m...v...y...~...~..A..F..F..M..I..M..P..Q..T..[..]..X..m..d..w...}..r..a..n..m...Z...

C:\Users\user\AppData\Local\Temp\mia1\wizard.dfm.miaf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	374
Entropy (8bit):	4.773773154848379
Encrypted:	false
SSDEEP:	6:aiN82du+wg4RBN82dukU3ekRBN+ukYRBN+u+wgAuN+ukU3ecuN82dukT:7INIkU3lkimkU3MIkT
MD5:	8101E0CC3186C05F85B2CD484D26AE9D
SHA1:	B3CF33E0784E3A6F3B3FEB2B2501E0BDA5932EFA
SHA-256:	A0E750466327E92E2DCC96D72A19A7738A65AB765262DF4801E6677528F14D6C
SHA-512:	DF3692D29CDF0434806A0BCF034AFE6869B0BF5C0BE24F18637D373374C1E1803AC5B6D1F671CCD6E89B313E26F85657EA487A2EBAEAE0B99359A66F21DF910B
Malicious:	false
Preview:	IF (Glass.Caption <> TRUE) THEN Separator.Visible := True;..IF (Glass.Caption <> TRUE) THEN InstallAware.Visible := True;..IF (Glass.Caption = TRUE) THEN Install.Visible := True;..IF (Glass.Caption = TRUE) THEN Separator.Visible := False;..IF (Glass.Caption = TRUE) THEN InstallAware.Visible := False;..IF (Glass.Caption <> TRUE) THEN Install.Visible := False;..

C:\Users\user\AppData\Local\Temp\{4963F2A4-325D-4774-8D8D-86D68B3EE27C} Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10122
Entropy (8bit):	5.451143075478546
Encrypted:	false
SSDEEP:	192:wMaurMX8XTN9lMcjk4SUjwSf40tfIicl6LxFfAjXhYCXAFCrnZHdepS7:qUzJcoLxFfZFYrnZHdMS7
MD5:	D2DA0547489663F77D287DCC65645845
SHA1:	BCE3119FCA7CD9F19F1CE2CD9D2EBEFA0D122619
SHA-256:	458763BCC816243256390BDB5CD39157004E305347484D5881CFA5D0FC9B273F
SHA-512:	786DA2EA6B70B1FA480BBBA3379501A95480EB2047D10DF6093383078092D2B0F081B8FACD1430B770F923CE2F3E1E0327865513C4B34A024159AE5DA21503FB
Malicious:	false
Preview:	SourceDir..C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\..$ex..MEDIAPACKAGEPATH..\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\..$ex..A4BEB53A4..FALSE..$ex..AD35647E..FALSE..$ex..A9702C767..FALSE..$ex..A194AAD59..FALSE..$ex..AEA1BA5D5..FALSE..$ex..ADC702C7E..FALSE..$ex..AB7ED429E..FALSE..$ex..A453607F8..FALSE..$ex..AC3C84A4C..FALSE..$ex..A353AD105..FALSE..$ex..A2E5DCE8F..FALSE..$ex..AA3F0088A..FALSE..$ex..A51845961..FALSE..$ex..A55E6A65E..FALSE..$ex..A67ACD331..FALSE..$ex..A36706E48..FALSE..$ex..A3575565E..FALSE..$ex..AF4ED2515..FALSE..$ex..AECC34BEC..FALSE..$ex..A587D056C..FALSE..$ex..AE5444EFD..FALSE..$ex..A9847A14B..FALSE..$ex..AD532E401..FALSE..$ex..AC9AB7ACB..FALSE..$ex..A8C4586D2..FALSE..$ex..AE379E83C..FALSE..$ex..AAD9FE403..FALSE..$ex..A44DB77AB..FALSE..$ex..AFC8C594..FALSE..$ex..AD83B2FF9..FALSE..$ex..A774E815E..FALSE..$ex..ADAA0442..FALSE..$ex..A655FCA3B..FALSE..$ex..A1EA7FD63..FALSE..$ex..A609B42C1..FALSE..$ex..A409F08AF..FALSE..$ex..AF28C57DF..FALSE..$ex..A7021623

C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\SETF04E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
File Type:	data
Category:	dropped
Size (bytes):	8981
Entropy (8bit):	6.952810377972559
Encrypted:	false
SSDEEP:	192:6IKsjkeBneIyCNECwnVhjeyveCtAW5LfsxhQ8tsU:1KskI/w/jpvjAGLa3t/
MD5:	FC43EB094C0074FCD29ADC9A742371D9
SHA1:	21EA184EB636E45550BD6A18CDAF08AE19DDD776
SHA-256:	993B957EB5EAC489092B25A51473CE9B4BC49835673999BC4A95440318194D8A
SHA-512:	6A1ACB42C8A6A18E956431F62A89E3BFCC3484683C2934358ACA50D3FCB42D7FD244625C39D78B4983050BE26B9C5114AB53E41DB429B56BC336D33A2B4B3380
Malicious:	false
Preview:	0.#....H........#.0."....1.0...+......0.....+.....7......0...0...+.....7.......D9.NN..........110131175223Z0...+.....7.....0...0....R1.8.A.8.0.D.E.0.C.F.D.5.2.1.0.E.9.A.3.2.5.C.7.2.B.1.2.4.0.B.4.4.2.F.B.4.F.4.2.2...1..c0:..+.....7...1,0...F.i.l.e........s.i.u.s.b.x.p...s.y.s...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+..............!..2\r.$.D/.."0....R3.0.2.3.5.5.2.1.E.B.3.1.4.1.4.6.B.1.F.D.7.1.B.6.7.F.3.C.E.7.D.9.2.0.E.2.6.6.8.D...1..[0:..+.....7...1,0*...F.i.l.e........s.i.u.s.b.x.p...i.n.f...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........0#U!.1AF..q..<.. .f.0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.

C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\SETF04F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
File Type:	Windows setup INFormation, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1728
Entropy (8bit):	5.224754517663399
Encrypted:	false
SSDEEP:	48:5/dOSWX4TQDblD63zIp6MpSyj6PCCuQ4fx+q:5/du/l+sVSyjVbQ4x+q
MD5:	BC384072A8A9F073B51EF98ACF303D5B
SHA1:	30235521EB314146B1FD71B67F3CE7D920E2668D
SHA-256:	0F042E4397AAE2383340DC6D5E224DE88ED28C8F7AC1E0C0E03C1BB7E58A0D80
SHA-512:	7A9044D6072852A4685775DAF2E3F1AEAB9A5797D85CF577E4E3F0446EFA53EFB226D96E428BE979467A666D6AAEB005AF021797A994312E610BC3873868C3F8
Malicious:	false
Preview:	; Silabs USBXpress Driver..; Copyright (c) 2010, Silicon Laboratories......[Version]..Signature=$WINDOWS NT$..Class=USB..ClassGUID={36fc9e60-c465-11cf-8056-444553540000}..Provider=%MFGNAME%..DriverVer=07/14/2010,3.3..CatalogFile=SiUSBXp.cat....[Manufacturer]..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs]..DefaultDestDir=10..;System32\Drivers..DriverCopyFiles=10..,System32\Drivers....[SourceDisksNames.x86]..1=%INSTDISK%,,,....[SourceDisksFiles.x86]..SiUSBXp.sys=1,\x86..SiLib.sys=1,\x86....[SourceDisksNames.amd64]..1=%INSTDISK%,,,....[SourceDisksFiles.amd64]..SiUSBXp.sys=1,\x64..SiLib.sys=1,\x64....[DeviceList]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[DeviceList.NTamd64]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[ControlFlags]..ExcludeFromSelect=*....;------------------------------------------------------------------------------..; Windows 2000 Sections..;------------------------------------------------------------------------------......[DriverInstall.NT]

C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SETF07E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.444427923348303
Encrypted:	false
SSDEEP:	384:8JZ8/zig4KI5XHhdq4Jrd6T0ZUi/WP0m1g5TkgCGDZaV55K6Z0MFVIZnJ96FkU6X:vBM53ZJrdJUi/WP31d/Gdo5KgLcnJkzg
MD5:	971FA2980AB94A90B6A9A8385267E653
SHA1:	FC739185177A85ED04B71C6A8D5FDFB72D919306
SHA-256:	25E3D0517AFCBD70C1EBB53097F096E1BDA49DC4524E3C858489E5EC12825608
SHA-512:	6D905EC5FCEE1F8ED2870AF0714A6C630DE3E8D8611406486ADDA08ECFC1873BD57932ED73F42EF93E4F49D40FCED13CA5C1C99795E8C0CECBBE6B56327E1337
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uc.uc.uc.ub.uc.....uc.....uc....uc....uc.....uc....uc....uc....uc....uc.Rich.uc.................PE..d....?L.........."......B..........d................................................-..........................................................(.......0.......................8...@q...............................................p..@............................text....".......$.................. ..hpage.........@.......(.............. ..hinit.........`.......>.............. ..h.rdata.......p.......@..............@..H.data................D..............@....pdata...............H..............@..H.edata...............L..............@..@INIT....b............T.............. ....rsrc...0............Z..............@..B.reloc...............^..............@..B........................................................................................

C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SETF07F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.5838184446755195
Encrypted:	false
SSDEEP:	192:2fW3/zOHLiVaL/qqPhh0m1ooaJOz6CXPaxEL+GIn0alGalILp/JSUJj6jLfJv19U:2fW3LOHLdLCI0m1Xz3fW01alInS1LFv
MD5:	CEDF7CFFCCD03451FD22DBAAC2E3DE8E
SHA1:	3FD8383608DB769A1E2C8E0C1302C315DCA8B37E
SHA-256:	A1F4B952099EBA4BA4E659782F85B45C4BBB411BF5B7C02D5BE0CC3DBF27AFF3
SHA-512:	BBA0BF8C75E5A1B1AFC72F5B5A33CACA721DBB4589DE7B3430398AE147E2E2CF18A15932DF62D32423B1093453B55B48B9E99FB7549135E3CF33976229C47376
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#d..g..g..g..n}w.e..g..B......b......e..n}g.d..n}q.f......f..n}n.b..n}p.f..n}u.f..Richg..........PE..d...A.?L.........."......:..........d...........................................................................................................P.......8...........................@a...............................................`..@............................text............................... ..hpage.........0...................... ..hinit....U....P.......6.............. ..h.rdata.......`.......8..............@..H.data...0....p.......>..............@....pdata...............@..............@..HINIT.................B.............. ....rsrc...8............H..............@..B................................................................................................................................................................................

C:\Windows\DPINST.LOG Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe
File Type:	data
Category:	modified
Size (bytes):	1814
Entropy (8bit):	3.6839389317699904
Encrypted:	false
SSDEEP:	24:fNdlLVkQpFLuuYKz4gY6bA07uEuYKzWZ/lZz8W/LL7N:fPlZBXuuDz4gY697ZuDzWTd8WTLB
MD5:	B2570008B6D01E29B3F8CF2D0DFC1698
SHA1:	8FB0AA7E321313BFC4F05BC6D8F3517B25CE6732
SHA-256:	B32E17073179686B322A69C2C594183DEC3322B35220755C06A5736406BE549B
SHA-512:	44951F8A22DA7A2C71AB68A0C5427B6ECE285535E33572884BA2C696FDA8EBE0899CF0951D89612658097C2B6EE1A564B0B1070037D9468E39750584FC47540E
Malicious:	false
Preview:	I.N.F.O.:. . . .............................................I.N.F.O.:. . . .0.2./.2.5./.2.0.2.1. .2.1.:.4.3.:.4.7.....I.N.F.O.:. . . .P.r.o.d.u.c.t. .V.e.r.s.i.o.n. .2...1...0...0.......I.N.F.O.:. . . .V.e.r.s.i.o.n.:. .6...2...9.2.0.0. .....I.N.F.O.:. . . .P.l.a.t.f.o.r.m. .I.D.:. .2. .(.N.T.).....I.N.F.O.:. . . .S.e.r.v.i.c.e. .P.a.c.k.:. .0...0.....I.N.F.O.:. . . .S.u.i.t.e.:. .0.x.0.1.0.0.,. .P.r.o.d.u.c.t. .T.y.p.e.:. .1.....I.N.F.O.:. . . .A.r.c.h.i.t.e.c.t.u.r.e.:. .X.8.6.......I.N.F.O.:. . . .I.n.t.e.r.a.c.t.i.v.e. .W.i.n.d.o.w.s. .S.t.a.t.i.o.n.....I.N.F.O.:. . . .C.o.m.m.a.n.d. .L.i.n.e.:. .'.C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.7.z.S.5.C.9.9...t.m.p.\.d.a.t.a.\.L.I.-.C.O.R.~.1.\.m.D.I.F.x.I.D.E...d.l.l.\.x.8.6.D.P.I.n.s.t...e.x.e. ./.S.W. ./.S.E. ./.E.L. ./.P.A.T.H. .C.:.\.P.R.O.G.R.A.~.2.\.\.L.I.-.1.8.0.~.1.\.D.r.i.v.e.r.\. ./.D. ./.S.A. ./.L.M. ./.F.'.....I.N.F.O.:. . . .D.P.I.n.s.t. .i.s. .n.o.t.

C:\Windows\Fonts\mdd_0.ttf Download File
Process:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
File Type:	TrueType Font data, 15 tables, 1st "OS/2", name offset 0x30a0dc
Category:	dropped
Size (bytes):	3189464
Entropy (8bit):	5.995760690515092
Encrypted:	false
SSDEEP:	49152:aKGJGTV0L61KRCn7GvLkNrxCQ4Skrrlh67iPFfR:XGJGR0L3k7AhrrltR
MD5:	134EA9D05DB33ADF680B8440F715CCF9
SHA1:	3122FD8759ACB7562A98F6349EF0E2E46A018895
SHA-256:	70F760EE31BB569EC53E33B44A699643898DC8C65B3034E370953AFD1E63964D
SHA-512:	C512C3F68EB90C5A6D78D2F00559A42CE492131F0CC6B18A5483B57E906793EFAFD25785F0836483214333AA9E77960DD6C6F32FC8292178644FC9E4D2B91A9B
Malicious:	false
Preview:	...........pOS/2...4...x...`cmap.:.....\..r cvt ............fpgm.!Y....\|....gasp.....0......glyf4..>...$..head.h.........6hhea...m...4...$hmtx............kern>.B..0......loca(..h........maxp.......X... name..^.0......post.....0..... prep...)...................._.<.................."m................................+.................................'........./.............................$.......z...>................).\|.........1ASC.@.............D............... .....K.........C...E...g...................:...M...M...........@...R...E...`...........................................E...E...............m...........................~...........W...E.......~...........................................................N...`...N.......i.....1.........w...........T...........B...B.......B.......................f...t...W.......{...........}...q...[.....=.[.......E.......\|.....&.U...R.......n.......U...U.....1.....E...5...U...Z...............m...................................................B..

C:\Windows\INF\oem3.inf Download File
Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1728
Entropy (8bit):	5.224754517663399
Encrypted:	false
SSDEEP:	48:5/dOSWX4TQDblD63zIp6MpSyj6PCCuQ4fx+q:5/du/l+sVSyjVbQ4x+q
MD5:	BC384072A8A9F073B51EF98ACF303D5B
SHA1:	30235521EB314146B1FD71B67F3CE7D920E2668D
SHA-256:	0F042E4397AAE2383340DC6D5E224DE88ED28C8F7AC1E0C0E03C1BB7E58A0D80
SHA-512:	7A9044D6072852A4685775DAF2E3F1AEAB9A5797D85CF577E4E3F0446EFA53EFB226D96E428BE979467A666D6AAEB005AF021797A994312E610BC3873868C3F8
Malicious:	false
Preview:	; Silabs USBXpress Driver..; Copyright (c) 2010, Silicon Laboratories......[Version]..Signature=$WINDOWS NT$..Class=USB..ClassGUID={36fc9e60-c465-11cf-8056-444553540000}..Provider=%MFGNAME%..DriverVer=07/14/2010,3.3..CatalogFile=SiUSBXp.cat....[Manufacturer]..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs]..DefaultDestDir=10..;System32\Drivers..DriverCopyFiles=10..,System32\Drivers....[SourceDisksNames.x86]..1=%INSTDISK%,,,....[SourceDisksFiles.x86]..SiUSBXp.sys=1,\x86..SiLib.sys=1,\x86....[SourceDisksNames.amd64]..1=%INSTDISK%,,,....[SourceDisksFiles.amd64]..SiUSBXp.sys=1,\x64..SiLib.sys=1,\x64....[DeviceList]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[DeviceList.NTamd64]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[ControlFlags]..ExcludeFromSelect=*....;------------------------------------------------------------------------------..; Windows 2000 Sections..;------------------------------------------------------------------------------......[DriverInstall.NT]

C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\SETF59D.tmp Download File
Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	8981
Entropy (8bit):	6.952810377972559
Encrypted:	false
SSDEEP:	192:6IKsjkeBneIyCNECwnVhjeyveCtAW5LfsxhQ8tsU:1KskI/w/jpvjAGLa3t/
MD5:	FC43EB094C0074FCD29ADC9A742371D9
SHA1:	21EA184EB636E45550BD6A18CDAF08AE19DDD776
SHA-256:	993B957EB5EAC489092B25A51473CE9B4BC49835673999BC4A95440318194D8A
SHA-512:	6A1ACB42C8A6A18E956431F62A89E3BFCC3484683C2934358ACA50D3FCB42D7FD244625C39D78B4983050BE26B9C5114AB53E41DB429B56BC336D33A2B4B3380
Malicious:	false
Preview:	0.#....H........#.0."....1.0...+......0.....+.....7......0...0...+.....7.......D9.NN..........110131175223Z0...+.....7.....0...0....R1.8.A.8.0.D.E.0.C.F.D.5.2.1.0.E.9.A.3.2.5.C.7.2.B.1.2.4.0.B.4.4.2.F.B.4.F.4.2.2...1..c0:..+.....7...1,0...F.i.l.e........s.i.u.s.b.x.p...s.y.s...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+..............!..2\r.$.D/.."0....R3.0.2.3.5.5.2.1.E.B.3.1.4.1.4.6.B.1.F.D.7.1.B.6.7.F.3.C.E.7.D.9.2.0.E.2.6.6.8.D...1..[0:..+.....7...1,0*...F.i.l.e........s.i.u.s.b.x.p...i.n.f...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........0#U!.1AF..q..<.. .f.0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.

C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\SETF5CD.tmp Download File
Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1728
Entropy (8bit):	5.224754517663399
Encrypted:	false
SSDEEP:	48:5/dOSWX4TQDblD63zIp6MpSyj6PCCuQ4fx+q:5/du/l+sVSyjVbQ4x+q
MD5:	BC384072A8A9F073B51EF98ACF303D5B
SHA1:	30235521EB314146B1FD71B67F3CE7D920E2668D
SHA-256:	0F042E4397AAE2383340DC6D5E224DE88ED28C8F7AC1E0C0E03C1BB7E58A0D80
SHA-512:	7A9044D6072852A4685775DAF2E3F1AEAB9A5797D85CF577E4E3F0446EFA53EFB226D96E428BE979467A666D6AAEB005AF021797A994312E610BC3873868C3F8
Malicious:	false
Preview:	; Silabs USBXpress Driver..; Copyright (c) 2010, Silicon Laboratories......[Version]..Signature=$WINDOWS NT$..Class=USB..ClassGUID={36fc9e60-c465-11cf-8056-444553540000}..Provider=%MFGNAME%..DriverVer=07/14/2010,3.3..CatalogFile=SiUSBXp.cat....[Manufacturer]..%MFGNAME%=DeviceList, NTamd64....[DestinationDirs]..DefaultDestDir=10..;System32\Drivers..DriverCopyFiles=10..,System32\Drivers....[SourceDisksNames.x86]..1=%INSTDISK%,,,....[SourceDisksFiles.x86]..SiUSBXp.sys=1,\x86..SiLib.sys=1,\x86....[SourceDisksNames.amd64]..1=%INSTDISK%,,,....[SourceDisksFiles.amd64]..SiUSBXp.sys=1,\x64..SiLib.sys=1,\x64....[DeviceList]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[DeviceList.NTamd64]..%DESCRIPTION%=DriverInstall,USB\VID_10C4&PID_EA61....[ControlFlags]..ExcludeFromSelect=*....;------------------------------------------------------------------------------..; Windows 2000 Sections..;------------------------------------------------------------------------------......[DriverInstall.NT]

C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CE.tmp Download File
Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	5.444427923348303
Encrypted:	false
SSDEEP:	384:8JZ8/zig4KI5XHhdq4Jrd6T0ZUi/WP0m1g5TkgCGDZaV55K6Z0MFVIZnJ96FkU6X:vBM53ZJrdJUi/WP31d/Gdo5KgLcnJkzg
MD5:	971FA2980AB94A90B6A9A8385267E653
SHA1:	FC739185177A85ED04B71C6A8D5FDFB72D919306
SHA-256:	25E3D0517AFCBD70C1EBB53097F096E1BDA49DC4524E3C858489E5EC12825608
SHA-512:	6D905EC5FCEE1F8ED2870AF0714A6C630DE3E8D8611406486ADDA08ECFC1873BD57932ED73F42EF93E4F49D40FCED13CA5C1C99795E8C0CECBBE6B56327E1337
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uc.uc.uc.ub.uc.....uc.....uc....uc....uc.....uc....uc....uc....uc....uc.Rich.uc.................PE..d....?L.........."......B..........d................................................-..........................................................(.......0.......................8...@q...............................................p..@............................text....".......$.................. ..hpage.........@.......(.............. ..hinit.........`.......>.............. ..h.rdata.......p.......@..............@..H.data................D..............@....pdata...............H..............@..H.edata...............L..............@..@INIT....b............T.............. ....rsrc...0............Z..............@..B.reloc...............^..............@..B........................................................................................

C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CF.tmp Download File
Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.5838184446755195
Encrypted:	false
SSDEEP:	192:2fW3/zOHLiVaL/qqPhh0m1ooaJOz6CXPaxEL+GIn0alGalILp/JSUJj6jLfJv19U:2fW3LOHLdLCI0m1Xz3fW01alInS1LFv
MD5:	CEDF7CFFCCD03451FD22DBAAC2E3DE8E
SHA1:	3FD8383608DB769A1E2C8E0C1302C315DCA8B37E
SHA-256:	A1F4B952099EBA4BA4E659782F85B45C4BBB411BF5B7C02D5BE0CC3DBF27AFF3
SHA-512:	BBA0BF8C75E5A1B1AFC72F5B5A33CACA721DBB4589DE7B3430398AE147E2E2CF18A15932DF62D32423B1093453B55B48B9E99FB7549135E3CF33976229C47376
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#d..g..g..g..n}w.e..g..B......b......e..n}g.d..n}q.f......f..n}n.b..n}p.f..n}u.f..Richg..........PE..d...A.?L.........."......:..........d...........................................................................................................P.......8...........................@a...............................................`..@............................text............................... ..hpage.........0...................... ..hinit....U....P.......6.............. ..h.rdata.......`.......8..............@..H.data...0....p.......>..............@....pdata...............@..............@..HINIT.................B.............. ....rsrc...8............H..............@..B................................................................................................................................................................................

C:\Windows\System32\catroot2\dberr.txt Download File
Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	76
Entropy (8bit):	4.912097994066326
Encrypted:	false
SSDEEP:	3:WfmI2KPVXGbQB3G3RgkyEA:YB9Sc/ky1
MD5:	868B245F9181DE4083F74CF2DF6416B3
SHA1:	83824E7FFBA608D607D65252821AFED104A720AE
SHA-256:	882B90E48123834BC85E3D658FB904FE2FCE6E05FD6066CA95C36B89BC8ACCA1
SHA-512:	2E91B988AE52C1DA14CE775DA9D8B67D9E6746D4B1E6C8C9BD258AB81FCAB10249DDB197EFCE8FC3E5F799B6CF4EDAF28AE8D057B84DA7E807731FD041C76296
Malicious:	false
Preview:	CatalogDB: 9:43:40 PM 2/25/2021: DONE Adding Catalog File (47ms): oem3.cat..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.977568734954625
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LI180_win-1.5.1.exe
File size:	10630347
MD5:	77d64242fbd270b5363d383b51075783
SHA1:	4c23d1f71ff19b5c046d8b1d750104a386f184f9
SHA256:	a48f199141b10a4d425fd128ac0bdfca75ec98741a3eacff11a67a3bbc4bde01
SHA512:	245442075f013f57171a1ca3ecc78c4660d9664ccb08512eabf86fe7baad4be60aaf48d05ca05fed67fd7b90feee930a4e55686ab678497b77b047f29c884449
SSDEEP:	196608:u+VXiW5e/8+X7MCatgKFp1ibzHYOaIyU/9tY3UZ8O7dBlf+QxnyU2GHlWVuP+qDC:u+VSW5e/J7MNtCbzDagFtYkZ82dTf3ne
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................)......./.........&.....?.......8.......(.......-.....Rich....................PE..L.....wR...................

File Icon


Icon Hash:	309270f8b296cc00

Static PE Info

General
Entrypoint:	0x4181dd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x527716D3 [Mon Nov 4 03:38:59 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d7ce6dd95e3ebd47f39cf25197cd96e8

Entrypoint Preview

Instruction
call 00007F5974A4E19Fh
jmp 00007F5974A4A13Dh
push 0000000Ch
push 0042A4F8h
call 00007F5974A49C3Eh
push 0000000Eh
call 00007F5974A4BF72h
pop ecx
and dword ptr [ebp-04h], 00000000h
mov esi, dword ptr [ebp+08h]
mov ecx, dword ptr [esi+04h]
test ecx, ecx
je 00007F5974A4A2F1h
mov eax, dword ptr [004306C4h]
mov edx, 004306C0h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F5974A4A2D3h
cmp dword ptr [eax], ecx
jne 00007F5974A4A2EEh
mov ecx, dword ptr [eax+04h]
mov dword ptr [edx+04h], ecx
push eax
call 00007F5974A49579h
pop ecx
push dword ptr [esi+04h]
call 00007F5974A49570h
pop ecx
and dword ptr [esi+04h], 00000000h
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F5974A4A2CFh
call 00007F5974A49C2Dh
ret
mov edx, eax
jmp 00007F5974A4A287h
push 0000000Eh
call 00007F5974A4BE3Dh
pop ecx
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edx, dword ptr [esp+04h]
mov ecx, dword ptr [esp+08h]
test edx, 00000003h
jne 00007F5974A4A2FEh
mov eax, dword ptr [edx]
cmp al, byte ptr [ecx]
jne 00007F5974A4A2F0h
or al, al
je 00007F5974A4A2E8h
cmp ah, byte ptr [ecx+01h]
jne 00007F5974A4A2E7h
or ah, ah
je 00007F5974A4A2DFh
shr eax, 10h
cmp al, byte ptr [ecx+02h]
jne 00007F5974A4A2DBh
or al, al
je 00007F5974A4A2D3h
cmp ah, byte ptr [ecx+03h]
jne 00007F5974A4A2D2h
add ecx, 04h
add edx, 04h
or ah, ah
jne 00007F5974A4A294h
mov edi, edi
xor eax, eax
ret
nop

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a984	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0x2dc34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x25e30	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23000	0x244	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x216d2	0x21800	False	0.58252681903	data	6.61792755392	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x8606	0x8800	False	0.339470358456	data	4.67908358324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2c000	0x8304	0x2400	False	0.259006076389	PGP symmetric key encrypted data - Plaintext or unencrypted data	4.16997777591	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x35000	0x2dc34	0x2de00	False	0.0475668426431	data	2.66146906961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x35ce4	0x90b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x365f0	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x46e18	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x4b040	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x4d5e8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x4e690	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x4eaf8	0x1d8	data
RT_DIALOG	0x4ecd0	0x1be	data
RT_STRING	0x4ee90	0x48c	data	Arabic	Saudi Arabia
RT_STRING	0x4f31c	0x48c	data	Catalan	Spain
RT_STRING	0x4f7a8	0x48c	data	Chinese	Taiwan
RT_STRING	0x4fc34	0x48c	data	Czech	Czech Republic
RT_STRING	0x500c0	0x48c	data	Danish	Denmark
RT_STRING	0x5054c	0x48c	data	German	Germany
RT_STRING	0x509d8	0x48c	data	Greek	Greece
RT_STRING	0x50e64	0x48c	data	English	United States
RT_STRING	0x512f0	0x48c	data	Finnish	Finland
RT_STRING	0x5177c	0x48c	data	French	France
RT_STRING	0x51c08	0x48c	data	Hebrew	Israel
RT_STRING	0x52094	0x48c	data	Hungarian	Hungary
RT_STRING	0x52520	0x48c	data	Italian	Italy
RT_STRING	0x529ac	0x48c	data	Japanese	Japan
RT_STRING	0x52e38	0x48c	data	Korean	North Korea
RT_STRING	0x52e38	0x48c	data	Korean	South Korea
RT_STRING	0x532c4	0x48c	data	Dutch	Netherlands
RT_STRING	0x53750	0x48c	data	Norwegian	Norway
RT_STRING	0x53bdc	0x48c	data	Polish	Poland
RT_STRING	0x54068	0x48c	data	Portuguese	Brazil
RT_STRING	0x544f4	0x48c	data	Romanian	Romania
RT_STRING	0x54980	0x48c	data	Russian	Russia
RT_STRING	0x54e0c	0x48c	data	Croatian	Croatia
RT_STRING	0x55298	0x48c	data	Slovak	Slovakia
RT_STRING	0x55724	0x48c	data	Swedish	Sweden
RT_STRING	0x55bb0	0x48c	data	Thai	Thailand
RT_STRING	0x5603c	0x48c	data	Turkish	Turkey
RT_STRING	0x564c8	0x48c	data	Slovenian	Slovenia
RT_STRING	0x56954	0x48c	data	Estonian	Estonia
RT_STRING	0x56de0	0x48c	data	Latvian	Lativa
RT_STRING	0x5726c	0x48c	data	Lithuanian	Lithuania
RT_STRING	0x576f8	0x48c	data	Vietnamese	Vietnam
RT_STRING	0x57b84	0x48c	data	Basque	France
RT_STRING	0x57b84	0x48c	data	Basque	Spain
RT_STRING	0x58010	0x48c	data	Chinese	China
RT_STRING	0x5849c	0x48c	data	Portuguese	Portugal
RT_STRING	0x58928	0x48c	data
RT_STRING	0x58db4	0x2f2	data	Arabic	Saudi Arabia
RT_STRING	0x590a8	0x2f2	data	Catalan	Spain
RT_STRING	0x5939c	0x2f2	data	Chinese	Taiwan
RT_STRING	0x59690	0x2f2	data	Czech	Czech Republic
RT_STRING	0x59984	0x2f2	data	Danish	Denmark
RT_STRING	0x59c78	0x2f2	data	German	Germany
RT_STRING	0x59f6c	0x2f2	data	Greek	Greece
RT_STRING	0x5a260	0x2f2	data	English	United States
RT_STRING	0x5a554	0x2f2	data	Finnish	Finland
RT_STRING	0x5a848	0x2f2	data	French	France
RT_STRING	0x5ab3c	0x2f2	data	Hebrew	Israel
RT_STRING	0x5ae30	0x2f2	data	Hungarian	Hungary
RT_STRING	0x5b124	0x2f2	data	Italian	Italy
RT_STRING	0x5b418	0x2f2	data	Japanese	Japan
RT_STRING	0x5b70c	0x2f2	data	Korean	North Korea
RT_STRING	0x5b70c	0x2f2	data	Korean	South Korea
RT_STRING	0x5ba00	0x2f2	data	Dutch	Netherlands
RT_STRING	0x5bcf4	0x2f2	data	Norwegian	Norway
RT_STRING	0x5bfe8	0x2f2	data	Polish	Poland
RT_STRING	0x5c2dc	0x2f2	data	Portuguese	Brazil
RT_STRING	0x5c5d0	0x2f2	data	Romanian	Romania
RT_STRING	0x5c8c4	0x2f2	data	Russian	Russia
RT_STRING	0x5cbb8	0x2f2	data	Croatian	Croatia
RT_STRING	0x5ceac	0x2f2	data	Slovak	Slovakia
RT_STRING	0x5d1a0	0x2f2	data	Swedish	Sweden
RT_STRING	0x5d494	0x2f2	data	Thai	Thailand
RT_STRING	0x5d788	0x2f2	data	Turkish	Turkey
RT_STRING	0x5da7c	0x2f2	data	Slovenian	Slovenia
RT_STRING	0x5dd70	0x2f2	data	Estonian	Estonia
RT_STRING	0x5e064	0x2f2	data	Latvian	Lativa
RT_STRING	0x5e358	0x2f2	data	Lithuanian	Lithuania
RT_STRING	0x5e64c	0x2f2	data	Vietnamese	Vietnam
RT_STRING	0x5e940	0x2f2	data	Basque	France
RT_STRING	0x5e940	0x2f2	data	Basque	Spain
RT_STRING	0x5ec34	0x2f2	data	Chinese	China
RT_STRING	0x5ef28	0x2f2	data	Portuguese	Portugal
RT_STRING	0x5f21c	0x2f2	data
RT_STRING	0x5f510	0x106	data	Arabic	Saudi Arabia
RT_STRING	0x5f618	0x106	data	Catalan	Spain
RT_STRING	0x5f720	0x106	data	Chinese	Taiwan
RT_STRING	0x5f828	0x106	data	Czech	Czech Republic
RT_STRING	0x5f930	0x106	data	Danish	Denmark
RT_STRING	0x5fa38	0x106	data	German	Germany
RT_STRING	0x5fb40	0x106	data	Greek	Greece
RT_STRING	0x5fc48	0x106	data	English	United States
RT_STRING	0x5fd50	0x106	data	Finnish	Finland
RT_STRING	0x5fe58	0x106	data	French	France
RT_STRING	0x5ff60	0x106	data	Hebrew	Israel
RT_STRING	0x60068	0x106	data	Hungarian	Hungary
RT_STRING	0x60170	0x106	data	Italian	Italy
RT_STRING	0x60278	0x106	data	Japanese	Japan
RT_STRING	0x60380	0x106	data	Korean	North Korea
RT_STRING	0x60380	0x106	data	Korean	South Korea
RT_STRING	0x60488	0x106	data	Dutch	Netherlands
RT_STRING	0x60590	0x106	data	Norwegian	Norway
RT_STRING	0x60698	0x106	data	Polish	Poland
RT_STRING	0x607a0	0x106	data	Portuguese	Brazil
RT_STRING	0x608a8	0x106	data	Romanian	Romania
RT_STRING	0x609b0	0x106	data	Russian	Russia
RT_STRING	0x60ab8	0x106	data	Croatian	Croatia
RT_STRING	0x60bc0	0x106	data	Slovak	Slovakia
RT_STRING	0x60cc8	0x106	data	Swedish	Sweden
RT_STRING	0x60dd0	0x106	data	Thai	Thailand
RT_STRING	0x60ed8	0x106	data	Turkish	Turkey
RT_STRING	0x60fe0	0x106	data	Slovenian	Slovenia
RT_STRING	0x610e8	0x106	data	Estonian	Estonia
RT_STRING	0x611f0	0x106	data	Latvian	Lativa
RT_STRING	0x612f8	0x106	data	Lithuanian	Lithuania
RT_STRING	0x61400	0x106	data	Vietnamese	Vietnam
RT_STRING	0x61508	0x106	data	Basque	France
RT_STRING	0x61508	0x106	data	Basque	Spain
RT_STRING	0x61610	0x106	data	Chinese	China
RT_STRING	0x61718	0x106	data	Portuguese	Portugal
RT_STRING	0x61820	0x106	data
RT_GROUP_ICON	0x61928	0x5a	data	English	United States
RT_VERSION	0x61984	0xe40	data	English	United States
RT_MANIFEST	0x627c4	0x470	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetModuleFileNameW, LocalFree, FormatMessageW, FindClose, FindFirstFileW, FindNextFileW, GetLastError, CloseHandle, GetFileSize, SetFilePointer, ReadFile, SetFileTime, WriteFile, SetEndOfFile, GetCurrentDirectoryW, CreateFileW, GetStdHandle, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, VirtualAlloc, VirtualFree, GetVersionExW, WaitForSingleObject, CreateEventW, SetEvent, ResetEvent, InitializeCriticalSection, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetWindowsDirectoryW, SetFileAttributesW, RemoveDirectoryW, DeleteFileW, GetShortPathNameW, GetTempPathW, GetTempFileNameW, lstrlenW, GetFullPathNameW, Sleep, GetVersion, LocalAlloc, SetCurrentDirectoryW, GetExitCodeProcess, CreateProcessW, GetCommandLineW, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, GetConsoleMode, GetConsoleCP, InitializeCriticalSectionAndSpinCount, GetLocaleInfoA, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, LoadLibraryA, GetSystemTimeAsFileTime, WideCharToMultiByte, MultiByteToWideChar, CreateDirectoryW, DeleteCriticalSection, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, HeapSize, ExitProcess, HeapCreate, IsDebuggerPresent, RaiseException, RtlUnwind, HeapAlloc, HeapFree, HeapReAlloc, ExitThread, CreateThread, GetCommandLineA, GetStartupInfoA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, TerminateProcess, GetCurrentProcess
USER32.dll	CharUpperW, DestroyWindow, RegisterWindowMessageW, LoadIconW, KillTimer, SetTimer, SetDlgItemTextW, EndDialog, IsDlgButtonChecked, GetDlgItem, SetWindowTextW, PeekMessageW, MessageBoxW, GetDesktopWindow, SetForegroundWindow, DialogBoxParamW, SendMessageW, GetWindowLongW, SetWindowLongW, ShowWindow, GetWindowTextW, GetWindowTextLengthW, LoadStringW, PostMessageW
ADVAPI32.dll	RegSetValueExW, RegCloseKey, RegCreateKeyExW
SHELL32.dll	ShellExecuteExW
ole32.dll	CoInitialize, CoCreateInstance
OLEAUT32.dll	SysAllocStringLen, SysAllocString, VariantClear, SysFreeString

Version Infos

Description	Data
LegalCopyright	All rights reserved
FileVersion	1.5.1
CompanyName	LI-COR, Inc.
Comments	This installation was built with InstallAware: http://www.installaware.com
ProductName	LI-180 Spectrometer
ProductVersion	1.5.1 0, 0
FileDescription	LI-COR Spectrum Installation
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Arabic	Saudi Arabia
Catalan	Spain
Chinese	Taiwan
Czech	Czech Republic
Danish	Denmark
German	Germany
Greek	Greece
Finnish	Finland
French	France
Hebrew	Israel
Hungarian	Hungary
Italian	Italy
Japanese	Japan
Korean	North Korea
Korean	South Korea
Dutch	Netherlands
Norwegian	Norway
Polish	Poland
Portuguese	Brazil
Romanian	Romania
Russian	Russia
Croatian	Croatia
Slovak	Slovakia
Swedish	Sweden
Thai	Thailand
Turkish	Turkey
Slovenian	Slovenia
Estonian	Estonia
Latvian	Lativa
Lithuanian	Lithuania
Vietnamese	Vietnam
Chinese	China
Portuguese	Portugal

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: LI180_win-1.5.1.exe PID: 6456 Parent PID: 5660

General

Start time:	21:43:00
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\LI180_win-1.5.1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\LI180_win-1.5.1.exe'
Imagebase:	0x400000
File size:	10630347 bytes
MD5 hash:	77D64242FBD270B5363D383B51075783
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: LI-180_Installer.exe PID: 6652 Parent PID: 6456

General

Start time:	21:43:06
Start date:	25/02/2021
Path:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
Wow64 process (32bit):	true
Commandline:	.\LI-180_Installer.exe /m='C:\Users\user~1\Desktop\LI180_~1.EXE' /k=''
Imagebase:	0x400000
File size:	6156254 bytes
MD5 hash:	A94344CD648287F3BC40B538AF42190B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000000.234871327.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: msiexec.exe PID: 6780 Parent PID: 3592

General

Start time:	21:43:33
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding BA9949B78EE4EB19368DAA67058A42BA
Imagebase:	0x1120000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	high

Chronological Activities

Analysis Process: x64DPInst.exe PID: 5932 Parent PID: 6652

General

Start time:	21:43:37
Start date:	25/02/2021
Path:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Imagebase:	0x7ff7518a0000
File size:	1050104 bytes
MD5 hash:	BE3C79033FA8302002D9D3A6752F2263
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: drvinst.exe PID: 4428 Parent PID: 6904

General

Start time:	21:43:39
Start date:	25/02/2021
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe '4' '0' 'C:\Users\user~1\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\siusbxp.inf' '9' '4ae43d7fb' '00000000000001A8' 'WinSta0\Default' '00000000000001AC' '208' 'c:\progra~2\li-180~1\driver'
Imagebase:	0x7ff7c4ce0000
File size:	166912 bytes
MD5 hash:	46F5A16FA391AB6EA97C602B4D2E7819
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: x86DPInst.exe PID: 4488 Parent PID: 6652

General

Start time:	21:43:46
Start date:	25/02/2021
Path:	C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Imagebase:	0xda0000
File size:	921992 bytes
MD5 hash:	30A0AFEE4AEA59772DB6434F1C0511AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: LI180_win-1.5.1.exe PID: 6456 Parent PID: 5660 LI180_win-1.5.1.exeCOMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Executed Functions

Function 00413F63, Relevance: 71.0, APIs: 21, Strings: 19, Instructions: 1027
windowprocesssynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E00413F63(void* __ecx, char* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t361;
				void* _t368;
				intOrPtr _t370;
				intOrPtr _t422;
				signed int _t428;
				signed int _t429;
				signed int _t439;
				signed int _t442;
				signed int _t447;
				signed int _t449;
				signed int _t461;
				signed int _t464;
				signed int _t465;
				void* _t470;
				signed int _t496;
				signed int _t503;
				signed int _t523;
				signed int _t531;
				signed int _t558;
				WCHAR** _t579;
				signed int _t592;
				signed int _t611;
				signed int _t615;
				signed int _t681;
				signed int _t682;
				signed int _t683;
				signed int _t684;
				void* _t694;
				void* _t695;
				void* _t703;
				void* _t705;
				void* _t707;
				void* _t709;
				void* _t711;
				void* _t713;
				void* _t715;
				void* _t717;
				void* _t719;
				void* _t834;
				signed int _t835;
				void* _t839;
				void* _t842;
				void* _t844;
				signed int _t847;
				void* _t849;
				void* _t850;
				char** _t852;

				_t831 = __edx;
				_t695 = __ecx;
				_t847 = _t849 - 0x68;
				_t850 = _t849 - 0x318;
				_t361 = M0042D330; // 0xdf8f31de
				 *(_t847 + 0x64) = _t361 ^ _t847;
				 *(_t847 - 0xb8) = 0;
				_t833 = GetVersionExW;
				 *0x43063c =  *((intOrPtr*)(_t847 + 0x70));
				 *(_t847 - 0xb0) = 0x114;
				if(GetVersionExW(_t847 - 0xb0) == 0 ||  *((intOrPtr*)(_t847 - 0xa0)) != 2) {
					E00411936(0, _t695, _t833, 0x114, 0,  *0x430680);
					L3:
					_t368 = 1;
					goto L4;
				} else {
					__imp__CoInitialize(0); // executed
					_t370 = E00413849(); // executed
					 *0x430640 = _t370;
					E00417D60(GetVersionExW, _t847 - 0xb0, 0, 0x114);
					_t852 = _t850 + 0xc;
					 *(_t847 - 0xb0) = 0x114;
					GetVersionExW(_t847 - 0xb0);
					__eflags =  *((intOrPtr*)(_t847 - 0xac)) - 6;
					if(__eflags != 0) {
						L10:
						if(__eflags <= 0) {
							L12:
							E0040320A(_t847 - 0x1e4);
							E0040320A(_t847 - 0xdc);
							E0040320A(_t847 - 0x1a8);
							E0040320A(_t847 - 0x19c);
							E00401647(_t847 - 0xd0, _t847, GetCommandLineW());
							_push(_t847 - 0xdc);
							_push(_t847 - 0x1e4);
							_push(_t847 - 0xd0);
							E004088CF(0, _t833, 0x114, __eflags);
							_push( *(_t847 - 0xd0));
							L00408BFB(0, _t833, 0x114, __eflags);
							_pop(_t703);
							E00408639(0x430644, _t847, E0040C825(_t703, _t847 - 0xc4, 0x11));
							_push( *((intOrPtr*)(_t847 - 0xc4)));
							L00408BFB(0, _t833, 0x114, __eflags);
							_pop(_t705);
							E00408639(0x430650, _t847, E0040C825(_t705, _t847 - 0xc4, 0x12));
							_push( *((intOrPtr*)(_t847 - 0xc4)));
							L00408BFB(0, _t833, 0x114, __eflags);
							_pop(_t707);
							E00408639(0x43065c, _t847, E0040C825(_t707, _t847 - 0xc4, 0x16));
							_push( *((intOrPtr*)(_t847 - 0xc4)));
							L00408BFB(0, _t833, 0x114, __eflags);
							_pop(_t709);
							E00408639(0x430668, _t847, E0040C825(_t709, _t847 - 0xc4, 0x17));
							_push( *((intOrPtr*)(_t847 - 0xc4)));
							L00408BFB(0, _t833, 0x114, __eflags);
							_pop(_t711);
							E00408639(0x430674, _t847, E0040C825(_t711, _t847 - 0xc4, 0xf));
							_push( *((intOrPtr*)(_t847 - 0xc4)));
							L00408BFB(0, _t833, 0x114, __eflags);
							_pop(_t713);
							E00408639(0x430698, _t847, E0040C825(_t713, _t847 - 0xc4, 0xc));
							_push( *((intOrPtr*)(_t847 - 0xc4)));
							L00408BFB(0, _t833, 0x114, __eflags);
							_pop(_t715);
							E00408639(0x4306a4, _t847, E0040C825(_t715, _t847 - 0xc4, 0x18));
							_push( *((intOrPtr*)(_t847 - 0xc4)));
							L00408BFB(0, _t833, 0x114, __eflags);
							_pop(_t717);
							E00408639(0x430680, _t847, E0040C825(_t717, _t847 - 0xc4, 0x10));
							_push( *((intOrPtr*)(_t847 - 0xc4)));
							L00408BFB(0, _t833, 0x114, __eflags);
							_pop(_t719);
							E00408639(0x43068c, _t847, E0040C825(_t719, _t847 - 0xc4, 0x10));
							L00408BFB(0, _t833, 0x114, __eflags);
							 *_t852 = 0x2000; // executed
							_t422 = E00408BD0(0, _t833, __eflags,  *((intOrPtr*)(_t847 - 0xc4))); // executed
							 *((intOrPtr*)(_t847 - 0xe0)) = _t422;
							 *_t852 = 0x423a68;
							E00401647(_t847 - 0x174, _t847);
							E0040320A(_t847 - 0x180);
							_t840 = L"\"-k=";
							 *(_t847 - 0xb1) = 0;
							_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"\"-k=");
							__eflags = _t835;
							if(_t835 == 0) {
								_t840 = L"\"/k=";
								_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"\"/k=");
								__eflags = _t835;
								if(_t835 != 0) {
									goto L13;
								}
								_t840 = L"-k=";
								_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"-k=");
								__eflags = _t835;
								if(_t835 != 0) {
									L17:
									_t428 = _t835 + E00417DDA(_t840) * 2;
									__eflags = _t428;
									if(_t428 != 0) {
										_push(_t847 - 0x174);
										__eflags =  *(_t847 - 0xb1);
										if(__eflags == 0) {
											_push(L" \t\n");
										} else {
											_push(L"\"\t\n");
										}
										_push(_t428);
										E00413C44(0, _t831, _t835, _t840, __eflags);
									}
									L22:
									__eflags =  *(_t847 - 0x170);
									if( *(_t847 - 0x170) != 0) {
										E00417F66( *((intOrPtr*)(_t847 - 0xe0)), 0x1000,  *((intOrPtr*)(_t847 - 0x174)));
										_t852 =  &(_t852[3]);
										E004090CA(_t847 - 0x180, _t847,  *((intOrPtr*)(_t847 - 0xe0)));
									}
									_t429 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"-s");
									__eflags = _t429;
									if(_t429 != 0) {
										L28:
										 *((char*)(_t847 - 0xe0)) = 1;
										L29:
										E0040320A(_t847 - 0x15c);
										E00409101(0, _t835,  *0x43063c, _t847 - 0x15c);
										E0040898E(0, _t847 - 0xdc, _t831, _t835);
										E00408968(0, _t847 - 0xdc, _t831, _t835);
										 *(_t847 - 0xb1) =  *((intOrPtr*)(_t847 - 0xe0));
										 *(_t847 - 0xb8) = 3;
										_t841 = E00401647(_t847 - 0x1b4, _t847, L"-y");
										_t439 = E004089E5(_t847 - 0xdc,  *((intOrPtr*)(E00408730(_t847 - 0xdc, _t847 - 0xfc, 2))),  *_t436);
										__eflags = _t439;
										if(_t439 == 0) {
											L31:
											 *(_t847 - 0xb2) = 1;
											L32:
											__eflags =  *(_t847 - 0xb8) & 0x00000008;
											if(( *(_t847 - 0xb8) & 0x00000008) != 0) {
												_push( *((intOrPtr*)(_t847 - 0xc4)));
												_t88 = _t847 - 0xb8;
												 *_t88 =  *(_t847 - 0xb8) & 0xfffffff7;
												__eflags =  *_t88;
												L00408BFB(0, _t835, _t841,  *_t88);
											}
											__eflags =  *(_t847 - 0xb8) & 0x00000004;
											if(( *(_t847 - 0xb8) & 0x00000004) != 0) {
												_push( *(_t847 - 0xd0));
												_t94 = _t847 - 0xb8;
												 *_t94 =  *(_t847 - 0xb8) & 0xfffffffb;
												__eflags =  *_t94;
												L00408BFB(0, _t835, _t841,  *_t94);
											}
											__eflags =  *(_t847 - 0xb8) & 0x00000002;
											if(( *(_t847 - 0xb8) & 0x00000002) != 0) {
												_push( *((intOrPtr*)(_t847 - 0xfc)));
												_t100 = _t847 - 0xb8;
												 *_t100 =  *(_t847 - 0xb8) & 0xfffffffd;
												__eflags =  *_t100;
												L00408BFB(0, _t835, _t841,  *_t100);
											}
											__eflags =  *(_t847 - 0xb8) & 0x00000001;
											if(__eflags != 0) {
												_push( *(_t847 - 0x1b4));
												L00408BFB(0, _t835, _t841, __eflags);
											}
											__eflags =  *(_t847 - 0xb2);
											if( *(_t847 - 0xb2) != 0) {
												 *(_t847 - 0xb1) = 1;
												E00408639(_t847 - 0xdc, _t847, E00408826(_t847 - 0xdc, _t847 - 0xc4, 2));
												_push( *((intOrPtr*)(_t847 - 0xc4)));
												L00408BFB(0, _t835, _t841, __eflags);
												E0040898E(0, _t847 - 0xdc, _t831, _t835);
												E00408968(0, _t847 - 0xdc, _t831, _t835);
											}
											E00408C69(_t847 - 0x1c0);
											_t736 =  *((intOrPtr*)(_t847 - 0x15c));
											_push(_t847 - 0x1c0);
											_push(";!@InstallEnd@!");
											_t831 = ";!@Install@!UTF-8!";
											_t442 = E00413CE0( *((intOrPtr*)(_t847 - 0x15c)), ";!@Install@!UTF-8!");
											__eflags = _t442;
											if(_t442 != 0) {
												E00401647(_t847 - 0x150, _t847, L".\\");
												_t738 = _t847 - 0x118;
												E0040320A(_t847 - 0x118);
												_t836 = MessageBoxW;
												 *(_t847 - 0xe4) = 1;
												__eflags =  *(_t847 - 0x1bc);
												if(__eflags == 0) {
													L62:
													 *((char*)(_t847 - 0x10c)) = 0;
													E0040320A(_t847 - 0x108);
													_t740 = _t847 - 0x10c;
													__eflags = E004113E5(0, _t847 - 0x10c, _t831, _t836, _t847,  *0x42d24c);
													if(__eflags != 0) {
														_t447 = E00408BD0(0, _t836, __eflags, 0x1c);
														__eflags = _t447;
														if(_t447 == 0) {
															_t842 = 0;
															__eflags = 0;
														} else {
															_t842 = E00413EA3(_t447);
														}
														E0040222C(_t847 - 0xb8, _t842);
														_t743 = _t842;
														_t449 = E004118A7(0, _t842, _t831, _t836, _t842, __eflags);
														__eflags = _t449;
														if(_t449 == 0) {
															E00404082(_t847 - 0x130, _t847, _t847 - 0x108);
															_t745 = _t847 - 0x168;
															 *(_t847 - 0xb2) = 0;
															E0040320A(_t847 - 0x168);
															_push( *((intOrPtr*)(_t847 - 0xe0)));
															_push(_t847 - 0x180);
															_push(1);
															_push(_t847 - 0x168);
															_push(_t847 - 0xb2);
															_push( *(_t847 - 0xe4));
															_push(_t847 - 0x130);
															_push(_t847 - 0x15c);
															_push(_t842);
															_t843 = E004135E5(0, _t831, _t836, _t842, __eflags);
															__eflags = _t843;
															if(__eflags == 0) {
																_push( *(_t847 - 0x168));
																L00408BFB(0, _t836, _t843, __eflags);
																E00413E7B(0, _t847 - 0xf0, _t836, _t843, __eflags);
																_t843 = SetCurrentDirectoryW; // executed
																_t461 = SetCurrentDirectoryW( *(_t847 - 0x108)); // executed
																__eflags = _t461;
																if(__eflags != 0) {
																	__eflags =  *(_t847 - 0x1a4);
																	if( *(_t847 - 0x1a4) == 0) {
																		__eflags =  *(_t847 - 0x114);
																		if( *(_t847 - 0x114) != 0) {
																			L101:
																			E0040320A(_t847 - 0x124);
																			_push(_t847 - 0x124);
																			_t464 = E00410D94( *((intOrPtr*)(_t847 - 0x15c)));
																			__eflags = _t464;
																			if(_t464 == 0) {
																				E0040320A(_t847 - 0xfc);
																				_push(_t847 - 0xfc);
																				E00410D94( *((intOrPtr*)(_t847 - 0x15c)));
																				E00408639(_t847 - 0x124, _t847, _t847 - 0xfc);
																				_push( *((intOrPtr*)(_t847 - 0xfc)));
																				L00408BFB(0, _t836, _t843, __eflags);
																			}
																			_t465 = E00417FD5( *((intOrPtr*)(_t847 - 0x118)), L"%%T");
																			__eflags = _t465;
																			if(_t465 == 0) {
																				__eflags =  *(_t847 - 0x14c);
																				if( *(_t847 - 0x14c) != 0) {
																					E004099DF(_t847 - 0x150);
																				}
																			} else {
																				E00408639(_t847 - 0x150, _t847, _t847 - 0x130);
																				E004099DF(_t847 - 0x150);
																				E00401647(_t847 - 0xc4, _t847, 0x423a68);
																				E00401647(_t847 - 0xfc, _t847, L"%%T\\");
																				E0040C8C5(_t847 - 0x118, _t847 - 0xfc, _t847 - 0xc4);
																				_push( *((intOrPtr*)(_t847 - 0xfc)));
																				L00408BFB(0, _t836, _t843, __eflags);
																				_push( *((intOrPtr*)(_t847 - 0xc4)));
																				L00408BFB(0, _t836, _t843, __eflags);
																			}
																			__eflags =  *(_t847 - 0xd8);
																			if(__eflags != 0) {
																				E00408670(_t847 - 0x118, _t831, __eflags, 0x20);
																				E00408FDE(_t847 - 0x118, __eflags, _t847 - 0xdc);
																			}
																			 *((short*)(_t847 - 0x27e)) = 0;
																			_push(_t847 - 0x118);
																			_push(_t847 - 0x150);
																			_push(_t847 - 0x26c);
																			 *(_t847 - 0x2b0) = 0x44;
																			 *((intOrPtr*)(_t847 - 0x2ac)) = 0;
																			 *((intOrPtr*)(_t847 - 0x2a8)) = 0;
																			 *((intOrPtr*)(_t847 - 0x2a4)) = 0;
																			 *((intOrPtr*)(_t847 - 0x284)) = 0;
																			 *((intOrPtr*)(_t847 - 0x27c)) = 0;
																			_t470 = E004096A4(0, _t836, _t843, __eflags);
																			_t836 = _t470;
																			_push(E00401647(_t847 - 0x18c, _t847, "\""));
																			_push(_t847 - 0x180);
																			_push(E00401647(_t847 - 0x248, _t847, L"\" /k=\""));
																			_push(_t847 - 0x124);
																			_push(E00401647(_t847 - 0x254, _t847, L" /m=\""));
																			_push(_t470);
																			_push(_t847 - 0x260);
																			_push(E004096A4(0, _t470, _t843, __eflags));
																			_push(_t847 - 0x23c);
																			_push(E004096A4(0, _t470, _t843, __eflags));
																			_push(_t847 - 0xfc);
																			_push(E004096A4(0, _t470, _t843, __eflags));
																			_push(_t847 - 0xc4);
																			_push(E004096A4(0, _t470, _t843, __eflags));
																			_push(_t847 - 0xd0);
																			E004096A4(0, _t836, _t843, __eflags);
																			_push( *((intOrPtr*)(_t847 - 0xc4)));
																			L00408BFB(0, _t836, _t843, __eflags);
																			_push( *((intOrPtr*)(_t847 - 0xfc)));
																			L00408BFB(0, _t836, _t843, __eflags);
																			_push( *((intOrPtr*)(_t847 - 0x23c)));
																			L00408BFB(0, _t836, _t843, __eflags);
																			_push( *((intOrPtr*)(_t847 - 0x260)));
																			L00408BFB(0, _t836, _t843, __eflags);
																			_push( *((intOrPtr*)(_t847 - 0x26c)));
																			L00408BFB(0, _t836, _t843, __eflags);
																			_push( *((intOrPtr*)(_t847 - 0x254)));
																			L00408BFB(0, _t836, _t843, __eflags);
																			_push( *((intOrPtr*)(_t847 - 0x248)));
																			L00408BFB(0, _t836, _t843, __eflags);
																			_push( *(_t847 - 0x18c));
																			L00408BFB(0, _t836, _t843, __eflags);
																			_t852 =  &(_t852[8]);
																			_t496 = CreateProcessW(0,  *(_t847 - 0xd0), 0, 0, 0, 0, 0,  *(_t847 - 0x108), _t847 - 0x2b0, _t847 - 0x230); // executed
																			__eflags = _t496;
																			if(__eflags != 0) {
																				CloseHandle( *(_t847 - 0x22c));
																				_push( *(_t847 - 0xd0));
																				_t836 =  *(_t847 - 0x230);
																				L00408BFB(0, _t836, _t843, __eflags);
																				_push( *(_t847 - 0x124));
																				L114:
																				L00408BFB(0, _t836, _t843, __eflags);
																				__eflags = _t836;
																				if(__eflags == 0) {
																					SetCurrentDirectoryW( *(_t847 - 0xf0));
																					_push( *(_t847 - 0xf0));
																					L00408BFB(0, _t836, _t843, __eflags);
																					_push( *((intOrPtr*)(_t847 - 0x130)));
																					L00408BFB(0, _t836, _t843, __eflags);
																					_t503 =  *(_t847 - 0xb8);
																					__eflags = _t503;
																					if(__eflags != 0) {
																						 *((intOrPtr*)( *_t503 + 8))(_t503);
																					}
																					E00413A1F(0, _t847 - 0x10c, _t836, _t843, __eflags);
																					_t844 = 0;
																				} else {
																					WaitForSingleObject(_t836, 0xffffffff);
																					GetExitCodeProcess(_t836, _t847 - 0xe4); // executed
																					CloseHandle(_t836);
																					_t836 =  *(_t847 - 0xe4);
																					SetCurrentDirectoryW( *(_t847 - 0xf0)); // executed
																					_push( *(_t847 - 0xf0));
																					L00408BFB(0, _t836, _t843, __eflags);
																					_push( *((intOrPtr*)(_t847 - 0x130)));
																					L00408BFB(0, _t836, _t843, __eflags);
																					_t523 =  *(_t847 - 0xb8);
																					__eflags = _t523;
																					if(__eflags != 0) {
																						 *((intOrPtr*)( *_t523 + 8))(_t523);
																					}
																					E00413A1F(0, _t847 - 0x10c, _t836, _t843, __eflags); // executed
																					_t844 = _t836;
																				}
																				goto L52;
																			} else {
																				__eflags =  *(_t847 - 0xb1);
																				if(__eflags == 0) {
																					E004119F6(0);
																				}
																				_push( *(_t847 - 0xd0));
																				L00408BFB(0, _t836, _t843, __eflags);
																				_push( *(_t847 - 0x124));
																				L95:
																				L00408BFB(0, _t836, _t843, __eflags);
																				goto L87;
																			}
																		}
																		_t781 = _t847 - 0x118;
																		E004090CA(_t847 - 0x118, _t847, L"setup.exe");
																		_push( *((intOrPtr*)(_t847 - 0x118)));
																		_t558 = E00409421(0, _t831, _t836, SetCurrentDirectoryW, __eflags);
																		__eflags = _t558;
																		if(_t558 != 0) {
																			goto L101;
																		}
																		__eflags =  *(_t847 - 0xb1);
																		if(__eflags == 0) {
																			E00411936(0, _t781, _t836, SetCurrentDirectoryW, 0,  *0x4306a4);
																		}
																		goto L87;
																	}
																	E00404082(_t847 - 0xd0, _t847, _t847 - 0x1a8);
																	_t836 =  *(_t847 - 0xd0);
																	 *(_t847 - 0x220) = 0x3c;
																	 *((intOrPtr*)(_t847 - 0x21c)) = 0x140;
																	 *((intOrPtr*)(_t847 - 0x218)) = 0;
																	 *((intOrPtr*)(_t847 - 0x214)) = 0;
																	 *(_t847 - 0x210) = _t836;
																	__eflags =  *(_t847 - 0xd8);
																	if(__eflags != 0) {
																		E00408FDE(_t847 - 0x19c, __eflags, _t847 - 0xdc);
																	}
																	_t783 = _t847 - 0x124;
																	E00404082(_t847 - 0x124, _t847, _t847 - 0x19c);
																	asm("sbb eax, eax");
																	 *((intOrPtr*)(_t847 - 0x208)) = 0;
																	 *(_t847 - 0x20c) =  ~( *(_t847 - 0x120)) &  *(_t847 - 0x124);
																	 *((intOrPtr*)(_t847 - 0x204)) = 1;
																	 *(_t847 - 0x1e8) = 0;
																	ShellExecuteExW(_t847 - 0x220);
																	__eflags =  *((intOrPtr*)(_t847 - 0x200)) - 0x20;
																	if(__eflags > 0) {
																		_push( *(_t847 - 0x124));
																		_t836 =  *(_t847 - 0x1e8);
																		L00408BFB(0, _t836, _t843, __eflags);
																		_push( *(_t847 - 0xd0));
																		goto L114;
																	} else {
																		__eflags =  *(_t847 - 0xb1);
																		if(__eflags == 0) {
																			E00411936(0, _t783, _t836, _t843, 0,  *0x430698);
																		}
																		_push( *(_t847 - 0x124));
																		L00408BFB(0, _t836, _t843, __eflags);
																		_push(_t836);
																		goto L95;
																	}
																}
																L87:
																SetCurrentDirectoryW( *(_t847 - 0xf0));
																_push( *(_t847 - 0xf0));
																L85:
																L00408BFB(0, _t836, _t843, __eflags);
																_push( *((intOrPtr*)(_t847 - 0x130)));
																L00408BFB(0, _t836, _t843, __eflags);
																goto L72;
															}
															__eflags =  *(_t847 - 0xb1);
															if(__eflags != 0) {
																L84:
																_push( *(_t847 - 0x168));
																goto L85;
															}
															__eflags = _t843 - 1;
															if(_t843 == 1) {
																L78:
																E00408639(_t847 - 0x168, _t847, E0040C825(_t745, _t847 - 0xc4, 0xf));
																_push( *((intOrPtr*)(_t847 - 0xc4)));
																L00408BFB(0, _t836, _t843, __eflags);
																_pop(_t745);
																_t843 = 0x80004005;
																L79:
																__eflags = _t843 - 0x80004004;
																if(__eflags != 0) {
																	_push(0xa);
																	_push(_t847 - 0xc4);
																	__eflags =  *(_t847 - 0x164);
																	if( *(_t847 - 0x164) == 0) {
																		_t579 = E0040C825(_t745);
																		 *((intOrPtr*)(_t847 - 0x190)) = 0x424188;
																		 *(_t847 - 0x18c) = _t843;
																		 *((intOrPtr*)(_t847 - 0x188)) = 0;
																		 *((intOrPtr*)(_t847 - 0x184)) = 0;
																		MessageBoxW(0, E0041397A(_t847 - 0x190),  *_t579, 0x12010);
																		E00413802(_t847 - 0x190);
																	} else {
																		E0040C825(_t745);
																		MessageBoxW(0,  *(_t847 - 0x168), ??, ??);
																	}
																	_push( *((intOrPtr*)(_t847 - 0xc4)));
																	L00408BFB(0, _t836, _t843, __eflags);
																}
																goto L84;
															}
															__eflags =  *(_t847 - 0xb2);
															if( *(_t847 - 0xb2) == 0) {
																goto L79;
															}
															goto L78;
														} else {
															__eflags =  *(_t847 - 0xb1);
															if( *(_t847 - 0xb1) == 0) {
																E00411936(0, _t743, _t836, _t842, 0,  *0x43068c);
															}
															L72:
															_t531 =  *(_t847 - 0xb8);
															__eflags = _t531;
															if(__eflags != 0) {
																 *((intOrPtr*)( *_t531 + 8))(_t531);
															}
															L65:
															E00413A1F(0, _t847 - 0x10c, _t836, _t843, __eflags);
															_t844 = 1;
															L52:
															_push( *((intOrPtr*)(_t847 - 0x118)));
															L00408BFB(0, _t836, _t844, __eflags);
															_push( *((intOrPtr*)(_t847 - 0x150)));
															L00408BFB(0, _t836, _t844, __eflags);
															_push( *((intOrPtr*)(_t847 - 0x1c0)));
															L00408BFB(0, _t836, _t844, __eflags);
															_push( *((intOrPtr*)(_t847 - 0x15c)));
															L00408BFB(0, _t836, _t844, __eflags);
															_push( *((intOrPtr*)(_t847 - 0x180)));
															L00408BFB(0, _t836, _t844, __eflags);
															_push( *((intOrPtr*)(_t847 - 0x174)));
															L00408BFB(0, _t836, _t844, __eflags);
															_push( *((intOrPtr*)(_t847 - 0x19c)));
															L00408BFB(0, _t836, _t844, __eflags);
															_push( *((intOrPtr*)(_t847 - 0x1a8)));
															L00408BFB(0, _t836, _t844, __eflags);
															_push( *((intOrPtr*)(_t847 - 0xdc)));
															L00408BFB(0, _t836, _t844, __eflags);
															_push( *((intOrPtr*)(_t847 - 0x1e4)));
															L00408BFB(0, _t836, _t844, __eflags);
															_t368 = _t844;
															L4:
															_pop(_t834);
															_pop(_t839);
															_pop(_t694);
															return E00416B12(_t368, _t694,  *(_t847 + 0x64) ^ _t847, _t831, _t834, _t839);
														}
													}
													__eflags =  *(_t847 - 0xb1);
													if(__eflags == 0) {
														E00411936(0, _t740, _t836, _t841, 0,  *0x43065c);
													}
													goto L65;
												}
												_push(_t847 - 0x144);
												_push(_t847 - 0x1c0);
												 *((intOrPtr*)(_t847 - 0x140)) = 0;
												 *((intOrPtr*)(_t847 - 0x13c)) = 0;
												 *((intOrPtr*)(_t847 - 0x138)) = 0;
												 *((intOrPtr*)(_t847 - 0x134)) = 4;
												 *((intOrPtr*)(_t847 - 0x144)) = 0x4242e0;
												_t592 = E00408E31(0, MessageBoxW, _t841, __eflags);
												__eflags = _t592;
												if(_t592 != 0) {
													E00401647(_t847 - 0xd0, _t847, L"Title");
													E00408DF4(_t847 - 0xd0, _t847 - 0x1b4, _t847 - 0x144, _t847 - 0xd0);
													L00408BFB(0, MessageBoxW, _t841, __eflags);
													 *_t852 = L"BeginPrompt";
													E00401647(_t847 - 0xd0, _t847,  *(_t847 - 0xd0));
													E00408DF4(_t847 - 0xd0, _t847 - 0x1cc, _t847 - 0x144, _t847 - 0xd0);
													L00408BFB(0, MessageBoxW, _t841, __eflags);
													 *_t852 = L"Progress";
													E00401647(_t847 - 0xd0, _t847,  *(_t847 - 0xd0));
													E00408DF4(_t847 - 0xd0, _t847 - 0x1d8, _t847 - 0x144, _t847 - 0xd0);
													L00408BFB(0, MessageBoxW, _t841, __eflags);
													 *_t852 = L"no";
													_t611 = E004089E5(_t847 - 0xd0,  *((intOrPtr*)(_t847 - 0x1d8)),  *(_t847 - 0xd0));
													__eflags = _t611;
													if(_t611 == 0) {
														 *(_t847 - 0xe4) = 0;
													}
													E00401647(_t847 - 0xd0, _t847, L"Directory");
													_t615 = E00408DBE(_t847 - 0x144, _t847 - 0xd0);
													_push( *(_t847 - 0xd0));
													_t843 = _t615;
													L00408BFB(0, _t836, _t843, __eflags);
													__eflags = _t843;
													if(_t843 >= 0) {
														__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t847 - 0x138)) + _t843 * 4)) + 0xc;
														E00408639(_t847 - 0x150, _t847,  *((intOrPtr*)( *((intOrPtr*)(_t847 - 0x138)) + _t843 * 4)) + 0xc);
													}
													__eflags =  *(_t847 - 0x1c8);
													if( *(_t847 - 0x1c8) == 0) {
														L61:
														E00401647(_t847 - 0xd0, _t847, L"RunProgram");
														E00408639(_t847 - 0x118, _t847, E00408DF4(_t847 - 0xd0, _t847 - 0xc4, _t847 - 0x144, _t847 - 0xd0));
														_push( *((intOrPtr*)(_t847 - 0xc4)));
														L00408BFB(0, _t836, _t843, __eflags);
														_push( *(_t847 - 0xd0));
														L00408BFB(0, _t836, _t843, __eflags);
														E00401647(_t847 - 0xd0, _t847, L"ExecuteFile");
														E00408639(_t847 - 0x1a8, _t847, E00408DF4(_t847 - 0xd0, _t847 - 0xc4, _t847 - 0x144, _t847 - 0xd0));
														_push( *((intOrPtr*)(_t847 - 0xc4)));
														L00408BFB(0, _t836, _t843, __eflags);
														_push( *(_t847 - 0xd0));
														L00408BFB(0, _t836, _t843, __eflags);
														E00401647(_t847 - 0xd0, _t847, L"ExecuteParameters");
														_push(_t847 - 0xdc);
														_push(E00408DF4(_t847 - 0xd0, _t847 - 0xfc, _t847 - 0x144, _t847 - 0xd0));
														_push(_t847 - 0xc4);
														E00408639(_t847 - 0x19c, _t847, E004096A4(0, _t836, _t843, __eflags));
														_push( *((intOrPtr*)(_t847 - 0xc4)));
														L00408BFB(0, _t836, _t843, __eflags);
														_push( *((intOrPtr*)(_t847 - 0xfc)));
														L00408BFB(0, _t836, _t843, __eflags);
														_push( *(_t847 - 0xd0));
														L00408BFB(0, _t836, _t843, __eflags);
														_push( *((intOrPtr*)(_t847 - 0x1d8)));
														L00408BFB(0, _t836, _t843, __eflags);
														_push( *(_t847 - 0x1cc));
														L00408BFB(0, _t836, _t843, __eflags);
														_push( *(_t847 - 0x1b4));
														L00408BFB(0, _t836, _t843, __eflags);
														_t852 =  &(_t852[6]);
														E00413B6D(0, _t847 - 0x144, _t836, _t843, __eflags);
														goto L62;
													} else {
														__eflags =  *(_t847 - 0xb1);
														if( *(_t847 - 0xb1) != 0) {
															goto L61;
														}
														__eflags = MessageBoxW(0,  *(_t847 - 0x1cc),  *(_t847 - 0x1b4), 0x24) - 6;
														if(__eflags == 0) {
															goto L61;
														}
														_push( *((intOrPtr*)(_t847 - 0x1d8)));
														L00408BFB(0, _t836, _t843, __eflags);
														_push( *(_t847 - 0x1cc));
														L00408BFB(0, _t836, _t843, __eflags);
														_push( *(_t847 - 0x1b4));
														L00408BFB(0, _t836, _t843, __eflags);
														_t852 =  &(_t852[3]);
														_t844 = 0;
														L51:
														E00413B6D(0, _t847 - 0x144, _t836, _t844, __eflags);
														goto L52;
													}
												}
												__eflags =  *(_t847 - 0xb1);
												if( *(_t847 - 0xb1) == 0) {
													E00411936(0, _t738, MessageBoxW, _t841, 0,  *0x430650);
												}
												_t844 = 1;
												__eflags = 1;
												goto L51;
											} else {
												__eflags =  *(_t847 - 0xb1);
												if(__eflags == 0) {
													E00411936(0, _t736, _t835, _t841, 0,  *0x430644);
												}
												_push( *((intOrPtr*)(_t847 - 0x1c0)));
												L00408BFB(0, _t835, _t841, __eflags);
												_push( *((intOrPtr*)(_t847 - 0x15c)));
												L00408BFB(0, _t835, _t841, __eflags);
												_push( *((intOrPtr*)(_t847 - 0x180)));
												L00408BFB(0, _t835, _t841, __eflags);
												_push( *((intOrPtr*)(_t847 - 0x174)));
												L00408BFB(0, _t835, _t841, __eflags);
												_push( *((intOrPtr*)(_t847 - 0x19c)));
												L00408BFB(0, _t835, _t841, __eflags);
												_push( *((intOrPtr*)(_t847 - 0x1a8)));
												L00408BFB(0, _t835, _t841, __eflags);
												_push( *((intOrPtr*)(_t847 - 0xdc)));
												L00408BFB(0, _t835, _t841, __eflags);
												_push( *((intOrPtr*)(_t847 - 0x1e4)));
												L00408BFB(0, _t835, _t841, __eflags);
												goto L3;
											}
										}
										 *(_t847 - 0xb8) = 0xf;
										_t843 = E00401647(_t847 - 0xd0, _t847, L"/y");
										_t681 = E004089E5(_t847 - 0xdc,  *((intOrPtr*)(E00408730(_t847 - 0xdc, _t847 - 0xc4, 2))),  *_t678);
										 *(_t847 - 0xb2) = 0;
										__eflags = _t681;
										if(_t681 != 0) {
											goto L32;
										}
										goto L31;
									}
									_t682 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"-S");
									__eflags = _t682;
									if(_t682 != 0) {
										goto L28;
									}
									_t683 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"/s");
									__eflags = _t683;
									if(_t683 != 0) {
										goto L28;
									}
									_t684 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"/S");
									 *((char*)(_t847 - 0xe0)) = 0;
									__eflags = _t684;
									if(_t684 == 0) {
										goto L29;
									}
									goto L28;
								}
								_t840 = L"/k=";
								_t835 = E00417FD5( *((intOrPtr*)(_t847 - 0xdc)), L"/k=");
								__eflags = _t835;
								if(_t835 == 0) {
									goto L22;
								}
								goto L17;
							}
							L13:
							 *(_t847 - 0xb1) = 1;
							goto L17;
						}
						L11:
						E00413A48(0, __eflags);
						goto L12;
					}
					__eflags =  *(_t847 - 0xa8);
					if(__eflags != 0) {
						L8:
						__eflags =  *(_t847 - 0xa8) - 1;
						if(__eflags >= 0) {
							goto L11;
						} else {
							__eflags =  *((intOrPtr*)(_t847 - 0xac)) - 6;
							goto L10;
						}
					}
					E004138BE(0, _t831, __eflags);
					__eflags =  *((intOrPtr*)(_t847 - 0xac)) - 6;
					if(__eflags != 0) {
						goto L10;
					}
					goto L8;
				}
			}

0x00413f63
0x00413f63
0x00413f64
0x00413f68
0x00413f6e
0x00413f75
0x00413f7f
0x00413f86
0x00413f8c
0x00413f9d
0x00413fa7
0x00413fb9
0x00413fbe
0x00413fc0
0x00000000
0x00413fd5
0x00413fd6
0x00413fdc
0x00413fe2
0x00413fef
0x00413ff4
0x00413ffe
0x00414004
0x00414006
0x0041400d
0x00414035
0x00414035
0x0041403c
0x00414042
0x0041404d
0x00414058
0x00414063
0x00414075
0x00414080
0x00414087
0x0041408e
0x0041408f
0x00414094
0x0041409a
0x0041409f
0x004140b4
0x004140b9
0x004140bf
0x004140c4
0x004140d9
0x004140de
0x004140e4
0x004140e9
0x004140fe
0x00414103
0x00414109
0x0041410e
0x00414123
0x00414128
0x0041412e
0x00414133
0x00414148
0x0041414d
0x00414153
0x00414158
0x0041416d
0x00414172
0x00414178
0x0041417d
0x00414192
0x00414197
0x0041419d
0x004141a2
0x004141b7
0x004141bc
0x004141c2
0x004141c7
0x004141dc
0x004141e7
0x004141ec
0x004141f3
0x004141fe
0x00414204
0x0041420b
0x00414216
0x0041421b
0x00414227
0x00414232
0x00414236
0x00414238
0x00414243
0x00414254
0x00414258
0x0041425a
0x00000000
0x00000000
0x0041425c
0x0041426d
0x00414271
0x00414273
0x0041428e
0x00414294
0x00414298
0x0041429a
0x004142a2
0x004142a3
0x004142a9
0x004142b2
0x004142ab
0x004142ab
0x004142ab
0x004142b7
0x004142b8
0x004142b8
0x004142bd
0x004142bd
0x004142c3
0x004142d6
0x004142db
0x004142ea
0x004142ea
0x004142fa
0x00414301
0x00414303
0x0041434d
0x0041434d
0x00414354
0x0041435a
0x0041436c
0x00414377
0x00414382
0x00414398
0x0041439e
0x004143ad
0x004143c7
0x004143cc
0x004143ce
0x00414413
0x00414413
0x0041441a
0x0041441a
0x00414421
0x00414423
0x00414429
0x00414429
0x00414429
0x00414430
0x00414435
0x00414436
0x0041443d
0x0041443f
0x00414445
0x00414445
0x00414445
0x0041444c
0x00414451
0x00414452
0x00414459
0x0041445b
0x00414461
0x00414461
0x00414461
0x00414468
0x0041446d
0x0041446e
0x00414475
0x00414477
0x0041447d
0x00414482
0x00414483
0x00414489
0x0041449a
0x004144ad
0x004144b2
0x004144b8
0x004144c4
0x004144cf
0x004144cf
0x004144da
0x004144df
0x004144eb
0x004144ec
0x004144f1
0x004144f6
0x004144fb
0x004144fd
0x0041457e
0x00414583
0x00414589
0x0041458e
0x00414594
0x0041459b
0x004145a1
0x00414915
0x0041491b
0x00414921
0x0041492c
0x00414937
0x00414939
0x00414964
0x0041496a
0x0041496c
0x00414979
0x00414979
0x0041496e
0x00414975
0x00414975
0x00414982
0x00414987
0x00414989
0x0041498e
0x00414990
0x004149c5
0x004149ca
0x004149d0
0x004149d6
0x004149db
0x004149e7
0x004149e8
0x004149f0
0x004149f7
0x004149f8
0x00414a04
0x00414a0b
0x00414a0c
0x00414a12
0x00414a14
0x00414a16
0x00414afc
0x00414b02
0x00414b0e
0x00414b19
0x00414b1f
0x00414b21
0x00414b23
0x00414b35
0x00414b3b
0x00414c35
0x00414c3b
0x00414c79
0x00414c7f
0x00414c8a
0x00414c91
0x00414c96
0x00414c98
0x00414ca0
0x00414cab
0x00414cb2
0x00414cc4
0x00414cc9
0x00414ccf
0x00414cd4
0x00414ce0
0x00414ce7
0x00414ce9
0x00414d5c
0x00414d62
0x00414d6b
0x00414d6b
0x00414ceb
0x00414cf8
0x00414d04
0x00414d14
0x00414d24
0x00414d3d
0x00414d42
0x00414d48
0x00414d4d
0x00414d53
0x00414d59
0x00414d70
0x00414d76
0x00414d80
0x00414d92
0x00414d92
0x00414d99
0x00414da6
0x00414dad
0x00414db4
0x00414db5
0x00414dbf
0x00414dc5
0x00414dcb
0x00414dd1
0x00414dd7
0x00414ddd
0x00414ded
0x00414df4
0x00414dfb
0x00414e0c
0x00414e13
0x00414e24
0x00414e25
0x00414e2c
0x00414e32
0x00414e39
0x00414e3f
0x00414e46
0x00414e4c
0x00414e53
0x00414e59
0x00414e60
0x00414e61
0x00414e66
0x00414e6c
0x00414e71
0x00414e77
0x00414e7c
0x00414e82
0x00414e87
0x00414e8d
0x00414e92
0x00414e98
0x00414e9d
0x00414ea3
0x00414ea8
0x00414eae
0x00414eb3
0x00414eb9
0x00414ebe
0x00414ee1
0x00414ee7
0x00414ee9
0x00414f15
0x00414f1b
0x00414f21
0x00414f27
0x00414f2c
0x00414f32
0x00414f32
0x00414f39
0x00414f3b
0x00414fa9
0x00414fab
0x00414fb1
0x00414fb6
0x00414fbc
0x00414fc1
0x00414fc9
0x00414fcb
0x00414fd0
0x00414fd0
0x00414fd9
0x00414fde
0x00414f3d
0x00414f40
0x00414f4e
0x00414f55
0x00414f61
0x00414f67
0x00414f69
0x00414f6f
0x00414f74
0x00414f7a
0x00414f7f
0x00414f87
0x00414f89
0x00414f8e
0x00414f8e
0x00414f97
0x00414f9c
0x00414f9c
0x00000000
0x00414eeb
0x00414eeb
0x00414ef1
0x00414ef4
0x00414ef4
0x00414ef9
0x00414eff
0x00414f04
0x00414c0d
0x00414c0d
0x00000000
0x00414c13
0x00414ee9
0x00414c42
0x00414c48
0x00414c4d
0x00414c53
0x00414c58
0x00414c5a
0x00000000
0x00000000
0x00414c5c
0x00414c62
0x00414c6f
0x00414c6f
0x00000000
0x00414c62
0x00414b4e
0x00414b53
0x00414b59
0x00414b63
0x00414b6d
0x00414b73
0x00414b79
0x00414b7f
0x00414b85
0x00414b94
0x00414b94
0x00414ba0
0x00414ba6
0x00414bb3
0x00414bbb
0x00414bc1
0x00414bce
0x00414bd8
0x00414bde
0x00414be4
0x00414beb
0x00414c19
0x00414c1f
0x00414c25
0x00414c2a
0x00000000
0x00414bed
0x00414bed
0x00414bf3
0x00414bfc
0x00414bfc
0x00414c01
0x00414c07
0x00414c0c
0x00000000
0x00414c0c
0x00414beb
0x00414b25
0x00414b2b
0x00414b2d
0x00414ae5
0x00414ae5
0x00414aea
0x00414af0
0x00000000
0x00414af6
0x00414a1c
0x00414a22
0x00414adf
0x00414adf
0x00000000
0x00414adf
0x00414a28
0x00414a2b
0x00414a35
0x00414a4a
0x00414a4f
0x00414a55
0x00414a5a
0x00414a5b
0x00414a60
0x00414a60
0x00414a66
0x00414a68
0x00414a70
0x00414a71
0x00414a77
0x00414a90
0x00414aa3
0x00414aad
0x00414ab3
0x00414ab9
0x00414ac6
0x00414ace
0x00414a79
0x00414a79
0x00414a8c
0x00414a8c
0x00414ad3
0x00414ad9
0x00414ade
0x00000000
0x00414a66
0x00414a2d
0x00414a33
0x00000000
0x00000000
0x00000000
0x00414992
0x00414992
0x00414998
0x004149a1
0x004149a1
0x004149a6
0x004149a6
0x004149ac
0x004149ae
0x004149b3
0x004149b3
0x0041494f
0x00414955
0x0041495c
0x0041460a
0x0041460a
0x00414610
0x00414615
0x0041461b
0x00414620
0x00414626
0x0041462b
0x00414631
0x00414636
0x0041463c
0x00414641
0x00414647
0x0041464c
0x00414652
0x00414657
0x0041465d
0x00414662
0x00414668
0x0041466d
0x00414673
0x0041467b
0x00413fc1
0x00413fc4
0x00413fc5
0x00413fc8
0x00413fd2
0x00413fd2
0x00414990
0x0041493b
0x00414941
0x0041494a
0x0041494a
0x00000000
0x00414941
0x004145ad
0x004145b4
0x004145b5
0x004145bb
0x004145c1
0x004145c7
0x004145d1
0x004145db
0x004145e0
0x004145e2
0x0041468d
0x004146a7
0x004146b2
0x004146bd
0x004146c4
0x004146de
0x004146e9
0x004146f4
0x004146fb
0x00414715
0x00414720
0x00414725
0x00414732
0x00414737
0x00414739
0x0041473b
0x0041473b
0x0041474c
0x0041475f
0x00414764
0x0041476a
0x0041476c
0x00414771
0x00414774
0x0041477f
0x00414789
0x00414789
0x0041478e
0x00414794
0x004147df
0x004147ea
0x00414810
0x00414815
0x0041481b
0x00414820
0x00414826
0x00414838
0x0041485e
0x00414863
0x00414869
0x0041486e
0x00414874
0x00414886
0x00414891
0x004148ac
0x004148b3
0x004148c0
0x004148c5
0x004148cb
0x004148d0
0x004148d6
0x004148db
0x004148e1
0x004148e6
0x004148ec
0x004148f1
0x004148f7
0x004148fc
0x00414902
0x00414907
0x00414910
0x00000000
0x00414796
0x00414796
0x0041479c
0x00000000
0x00000000
0x004147af
0x004147b2
0x00000000
0x00000000
0x004147b4
0x004147ba
0x004147bf
0x004147c5
0x004147ca
0x004147d0
0x004147d5
0x004147d8
0x004145ff
0x00414605
0x00000000
0x00414605
0x00414794
0x004145e8
0x004145ee
0x004145f7
0x004145f7
0x004145fe
0x004145fe
0x00000000
0x004144ff
0x004144ff
0x00414505
0x0041450e
0x0041450e
0x00414513
0x00414519
0x0041451e
0x00414524
0x00414529
0x0041452f
0x00414534
0x0041453a
0x0041453f
0x00414545
0x0041454a
0x00414550
0x00414555
0x0041455b
0x00414560
0x00414566
0x00000000
0x0041456b
0x004144fd
0x004143db
0x004143ea
0x00414404
0x00414409
0x0041440f
0x00414411
0x00000000
0x00000000
0x00000000
0x00414411
0x00414310
0x00414317
0x00414319
0x00000000
0x00000000
0x00414326
0x0041432d
0x0041432f
0x00000000
0x00000000
0x0041433c
0x00414343
0x00414349
0x0041434b
0x00000000
0x00000000
0x00000000
0x0041434b
0x00414275
0x00414286
0x0041428a
0x0041428c
0x00000000
0x00000000
0x00000000
0x0041428c
0x0041423a
0x0041423a
0x00000000
0x0041423a
0x00414037
0x00414037
0x00000000
0x00414037
0x0041400f
0x00414015
0x00414025
0x00414025
0x0041402c
0x00000000
0x0041402e
0x0041402e
0x00000000
0x0041402e
0x0041402c
0x00414017
0x0041401c
0x00414023
0x00000000
0x00000000
0x00000000
0x00414023

APIs

GetVersionExW.KERNEL32(?), ref: 00413FA3
CoInitialize.OLE32(00000000), ref: 00413FD6
_memset.LIBCMT ref: 00413FEF
GetVersionExW.KERNEL32(?), ref: 00414004
GetCommandLineW.KERNEL32 ref: 00414068

Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4

_wcslen.LIBCMT ref: 0041428F

Part of subcall function 004089E5: CharUpperW.USER32(?), ref: 00408A0F
Part of subcall function 004089E5: CharUpperW.USER32(?), ref: 00408A1B

Part of subcall function 00408E31: __EH_prolog3.LIBCMT ref: 00408E38

~_Task_impl.LIBCPMT ref: 00414605
MessageBoxW.USER32(00000000,?,?,00000024), ref: 004147AD
~_Task_impl.LIBCPMT ref: 00414910

Part of subcall function 00413B6D: __EH_prolog3.LIBCMT ref: 00413B74

MessageBoxW.USER32(00000000,?,00000000,00012010), ref: 00414A8C

Part of subcall function 00411936: MessageBoxW.USER32(?,?,?,00012010), ref: 00411955

Part of subcall function 0041397A: FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 0041399D
Part of subcall function 0041397A: lstrlenW.KERNEL32(00000000), ref: 004139AA

MessageBoxW.USER32(00000000,00000000,?,00012010), ref: 00414AC6

Part of subcall function 00413802: LocalFree.KERNEL32(?), ref: 00413820

Part of subcall function 00413E7B: __EH_prolog3.LIBCMT ref: 00413E82

SetCurrentDirectoryW.KERNELBASE(?,?,00000000,004243F8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414B1F
SetCurrentDirectoryW.KERNEL32(?,setup.exe), ref: 00414B2B
ShellExecuteExW.SHELL32(0000003C), ref: 00414BDE
CreateProcessW.KERNELBASE ref: 00414EE1
CloseHandle.KERNEL32(?), ref: 00414F15
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00414F40
GetExitCodeProcess.KERNELBASE ref: 00414F4E
CloseHandle.KERNEL32(?), ref: 00414F55
SetCurrentDirectoryW.KERNELBASE(?), ref: 00414F67

Part of subcall function 00409421: __EH_prolog3.LIBCMT ref: 00409428

SetCurrentDirectoryW.KERNEL32(?), ref: 00414FA9

Strings

;!@InstallEnd@!, xrefs: 004144EC
Directory, xrefs: 00414741
" /k=", xrefs: 00414DFC
%%T, xrefs: 00414CD5
;!@Install@!UTF-8!, xrefs: 004144F1
%%T\, xrefs: 00414D19
ExecuteParameters, xrefs: 0041487B
BB, xrefs: 004145D1
"-k=, xrefs: 0041421B, 00414220
Title, xrefs: 00414682
setup.exe, xrefs: 00414C3D
"/k=, xrefs: 00414243, 00414248, 0041428E
/k=, xrefs: 00414275, 0041427A
RunProgram, xrefs: 004147DF
", xrefs: 004142AB
-k=, xrefs: 0041425C, 00414261
, xrefs: 004142B2
/m=", xrefs: 00414E14
ExecuteFile, xrefs: 0041482D

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Message$CurrentDirectoryH_prolog3$CharCloseHandleProcessTask_implUpperVersion$CodeCommandCreateException@8ExecuteExitFormatFreeInitializeLineLocalObjectShellSingleThrowWait_malloc_memset_wcslenlstrlen
String ID: $ /m="$"$" /k="$"-k=$"/k=$%%T$%%T\$-k=$/k=$;!@Install@!UTF-8!$;!@InstallEnd@!$Directory$ExecuteFile$ExecuteParameters$RunProgram$Title$setup.exe$BB
API String ID: 3256839097-2619287984
Opcode ID: 00efbe8a624502acfbeb9be38f8b9056ae963b15d8610d163ee1729f1e0755e5
Instruction ID: 0adf49adcb97444a0658e12179214cffe8ab958646542027bda483d16c8951a9
Opcode Fuzzy Hash: 00efbe8a624502acfbeb9be38f8b9056ae963b15d8610d163ee1729f1e0755e5
Instruction Fuzzy Hash: 3D926B71804229AEDB21AB61DD92FDEB779AF44314F0041EFB149720A2DF395EC49F68

Uniqueness

Uniqueness Score: -1.00%

Function 00409263, Relevance: 4.6, APIs: 3, Instructions: 62
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00409263(void* __ebx, void** __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t17;
				void* _t24;
				intOrPtr _t27;
				void* _t34;
				void* _t36;
				intOrPtr _t37;
				intOrPtr _t45;
				void** _t47;
				intOrPtr _t48;
				WCHAR* _t50;
				intOrPtr _t52;
				struct _WIN32_FIND_DATAW* _t53;
				void* _t55;

				_t45 = __edx;
				_t53 = _t55 - 0x24c;
				_t17 = M0042D330; // 0xdf8f31de
				 *(_t53 + 0x250) = _t17 ^ _t53;
				_push(0x10);
				E00416B21(E004215F5, __ebx, __edi, __esi);
				_t50 =  *(_t53 + 0x25c);
				_t47 = __ecx;
				 *((intOrPtr*)(_t53 - 0x10)) =  *((intOrPtr*)(_t53 + 0x260));
				if(E004091A4(__ecx) != 0) {
					_t36 = FindFirstFileW;
					_t24 = FindFirstFileW(_t50, _t53); // executed
					 *_t47 = _t24;
					__eflags = _t24 - 0xffffffff;
					if(__eflags != 0) {
						L6:
						E00409208(_t53, _t45,  *((intOrPtr*)(_t53 - 0x10)), __eflags);
						_t27 = 1;
					} else {
						E0040320A(_t53 - 0x1c);
						 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
						__eflags = E00409876(__eflags, _t50, _t53 - 0x1c);
						if(__eflags != 0) {
							_t34 = FindFirstFileW( *(_t53 - 0x1c), _t53); // executed
							 *_t47 = _t34;
						}
						_push( *(_t53 - 0x1c));
						 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
						L00408BFB(_t36, _t47, _t50, __eflags);
						__eflags =  *_t47 - 0xffffffff;
						if(__eflags == 0) {
							goto L1;
						} else {
							goto L6;
						}
					}
				} else {
					L1:
					_t27 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				_pop(_t48);
				_pop(_t52);
				_pop(_t37);
				return E00416B12(_t27, _t37,  *(_t53 + 0x250) ^ _t53, _t45, _t48, _t52);
			}

0x00409263
0x0040926a
0x0040926e
0x00409275
0x0040927b
0x00409282
0x0040928d
0x00409293
0x00409295
0x0040929f
0x004092a5
0x004092b0
0x004092b2
0x004092b4
0x004092b7
0x004092f0
0x004092f6
0x004092fb
0x004092b9
0x004092bc
0x004092c1
0x004092cf
0x004092d1
0x004092da
0x004092dc
0x004092dc
0x004092de
0x004092e1
0x004092e5
0x004092ea
0x004092ee
0x00000000
0x00000000
0x00000000
0x00000000
0x004092ee
0x004092a1
0x004092a1
0x004092a1
0x004092a1
0x00409300
0x00409308
0x00409309
0x0040930a
0x0040931f

APIs

__EH_prolog3.LIBCMT ref: 00409282

Part of subcall function 004091A4: FindClose.KERNELBASE ref: 004091AF

FindFirstFileW.KERNELBASE(?,00000000,00000010), ref: 004092B0
FindFirstFileW.KERNELBASE(?,00000000,?,?), ref: 004092DA

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Find$FileFirst$CloseH_prolog3
String ID:
API String ID: 410050502-0
Opcode ID: f8aafbbc4bf4f3c8c08a1887eef990cb6c1537c5b940a27dc3a7832453c173eb
Instruction ID: 90385d78ba4da19f661f7c17792072272f02829a24cb1b28e9608c506c2898f7
Opcode Fuzzy Hash: f8aafbbc4bf4f3c8c08a1887eef990cb6c1537c5b940a27dc3a7832453c173eb
Instruction Fuzzy Hash: FD21A531900209ABDF10EF64DC456EEB3B4FF54325F50457EE824A72C2DB39AE059B18

Uniqueness

Uniqueness Score: -1.00%

Function 00413849, Relevance: 3.0, APIs: 2, Instructions: 44
comCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00413849() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _t18;
				signed int _t20;
				signed int _t22;
				signed int _t24;

				if(GetVersion() < 0x106) {
					L4:
					return 0;
				}
				_v8 = _v8 & 0x00000000;
				__imp__CoCreateInstance(0x424144, 0, 0x15, 0x424468,  &_v8); // executed
				_t18 = _v8;
				if(_t18 == 0) {
					goto L4;
				}
				 *((intOrPtr*)( *_t18 + 0xc))(_t18);
				_t20 = _v8;
				_v12 = _v12 & 0x00000000;
				 *((intOrPtr*)( *_t20))(_t20, 0x424154,  &_v12);
				_t22 = _v12;
				if(_t22 == 0) {
					goto L4;
				}
				_v16 = _v16 & 0x00000000;
				 *((intOrPtr*)( *_t22))(_t22, 0x424164,  &_v16);
				_t24 = _v16;
				if(_t24 == 0) {
					goto L4;
				}
				return _t24;
			}

0x0041385a
0x004138ba
0x00000000
0x004138ba
0x0041385c
0x00413872
0x00413878
0x0041387d
0x00000000
0x00000000
0x00413882
0x00413885
0x00413888
0x00413898
0x0041389a
0x0041389f
0x00000000
0x00000000
0x004138a1
0x004138b1
0x004138b3
0x004138b8
0x00000000
0x00000000
0x004138bd

APIs

GetVersion.KERNEL32 ref: 0041384F
CoCreateInstance.OLE32(00424144,00000000,00000015,00424468,00000000), ref: 00413872

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: 1df9f16ccb6b58e935b73724829fc73732dd41c85f6bb66b2655cf45922927b1
Instruction ID: 000772e63e32c23fd11f283ae19779ba3719b23df6ed4c586ad162505f51138c
Opcode Fuzzy Hash: 1df9f16ccb6b58e935b73724829fc73732dd41c85f6bb66b2655cf45922927b1
Instruction Fuzzy Hash: E401DE74B40209AFEB10DFA0D849BAEB7B9EF84706F504495F501E7294D778DA44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00413A48, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00413A48(void* __ebx, void* __eflags) {
				void* __edi;
				void* __esi;
				signed int _t19;
				long _t43;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;
				void* _t55;
				signed int _t56;
				void* _t58;

				_t56 = _t58 - 0x39c;
				_t19 = M0042D330; // 0xdf8f31de
				 *(_t56 + 0x398) = _t19 ^ _t56;
				 *(_t56 - 0x78) = 0;
				E00417D60(0x206, _t56 - 0x76, 0, 0x206);
				GetModuleFileNameW(0, _t56 - 0x78, 0x208);
				 *(_t56 + 0x190) = 0;
				E00417D60(0x206, _t56 + 0x192, 0, 0x206);
				E00417F66(_t56 + 0x190, 0x104, L"Applications\\");
				E00417ECB(_t56 + 0x190, 0x104, E00417E68(_t56 - 0x78, 0x5c) + 2);
				 *(_t56 - 0x7c) = 0;
				RegCreateKeyExW(0x80000000, _t56 + 0x190, 0, 0, 0, 0xf003f, 0, _t56 - 0x7c, 0); // executed
				 *(_t56 - 0x80) = 0;
				RegSetValueExW( *(_t56 - 0x7c), L"IsHostApp", 0, 1, _t56 - 0x80, 2); // executed
				_t43 = RegCloseKey( *(_t56 - 0x7c));
				_t52 = _t49;
				_t55 = _t53;
				return E00416B12(_t43, __ebx,  *(_t56 + 0x398) ^ _t56, _t48, _t52, _t55);
			}

0x00413a49
0x00413a56
0x00413a5d
0x00413a6d
0x00413a78
0x00413a8a
0x00413a93
0x00413aa2
0x00413ab9
0x00413ad4
0x00413af6
0x00413af9
0x00413b03
0x00413b16
0x00413b1f
0x00413b2b
0x00413b2e
0x00413b3b

APIs

_memset.LIBCMT ref: 00413A78
GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00413A8A
_memset.LIBCMT ref: 00413AA2
_wcsrchr.LIBCMT ref: 00413AC4
RegCreateKeyExW.KERNELBASE(80000000,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00413AF9
RegSetValueExW.KERNELBASE(?,IsHostApp,00000000,00000001,?,00000002), ref: 00413B16
RegCloseKey.ADVAPI32(?), ref: 00413B1F

Strings

IsHostApp, xrefs: 00413B0E
Applications\, xrefs: 00413AA7

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: _memset$CloseCreateFileModuleNameValue_wcsrchr
String ID: Applications\$IsHostApp
API String ID: 1474337858-1667566961
Opcode ID: 5e3dc54ae11a1f9641f6188a72024ae741d618748a8b804301cdbc1b71d582ac
Instruction ID: f3e52b5f11f812091451beb3f7458e6075dc3339fdcbbde6c0cf17278445c60e
Opcode Fuzzy Hash: 5e3dc54ae11a1f9641f6188a72024ae741d618748a8b804301cdbc1b71d582ac
Instruction Fuzzy Hash: DD216072A00258BADB31AFB1EC49EEF7BBCEF49704F10002ABA19D7141D6745644CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004107BB, Relevance: 15.1, APIs: 10, Instructions: 129
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004107BB(intOrPtr* __ecx, intOrPtr _a4, signed short _a8, unsigned int _a12) {
				void* _t39;
				void* _t42;
				void* _t48;
				void* _t51;
				void* _t54;
				void* _t56;
				void* _t59;
				intOrPtr _t83;
				WCHAR** _t95;

				_t97 = __ecx;
				_t83 = _a4;
				_t39 = _t83 - 5;
				if(_t39 == 0) {
					_push(_a12 >> 0x10);
					_push(_a12 & 0x0000ffff);
					_push(_a8);
					return  *((intOrPtr*)( *__ecx + 0x1c))();
				}
				_t42 = _t39 - 0x41;
				if(_t42 == 0) {
					if( *((intOrPtr*)(__ecx + 0x18)) == 0) {
						return 0;
					}
					_a12[6] = 0;
					SetForegroundWindow(GetDesktopWindow());
					L20:
					return 1;
				}
				_t48 = _t42 - 8;
				if(_t48 == 0) {
					_push(_a12);
					_push(_a8);
					return  *((intOrPtr*)( *__ecx + 0x30))();
				}
				_t51 = _t48 - 5;
				if(_t51 == 0) {
					 *((intOrPtr*)( *__ecx + 0x20))();
					goto L20;
				}
				_t54 = _t51 - 0xbd;
				if(_t54 == 0) {
					_t56 =  *((intOrPtr*)( *__ecx + 0x10))();
					SetEvent( *(__ecx + 0x1c));
					return _t56;
				}
				_t59 = _t54 - 1;
				if(_t59 == 0) {
					_push(_a12);
					_push(_a8);
					return  *((intOrPtr*)( *__ecx + 0x18))();
				}
				if(_t59 == 0) {
					_push(_a12);
					_push(_a8);
					return  *((intOrPtr*)( *__ecx + 0x34))();
				}
				_t95 = _a12;
				if(_t83 !=  *((intOrPtr*)(__ecx + 8))) {
					L11:
					if(_t83 !=  *((intOrPtr*)(_t97 + 0x10))) {
						L15:
						return 0;
					}
					ShowWindow( *(_t97 + 4), 5);
					do {
					} while (PeekMessageW(0,  *(_t97 + 4), 0, 0, 0) != 0);
					 *((intOrPtr*)(_t97 + 0xc)) = MessageBoxW( *(_t97 + 4),  *_t95, _t95[1], _t95[2]);
					SetEvent( *(_t97 + 0x14));
					goto L15;
				}
				ShowWindow( *(__ecx + 4), 5);
				do {
				} while (PeekMessageW(0,  *(_t97 + 4), 0, 0, 0) != 0);
				 *((intOrPtr*)(_t97 + 0xc)) = E0041079E(_t95, _a8 & 0x0000ffff,  *(_t97 + 4));
				SetEvent( *(_t97 + 0x14));
				_t83 = _a4;
				goto L11;
			}

0x004107c0
0x004107c2
0x004107c7
0x004107ca
0x00410909
0x0041090e
0x0041090f
0x00000000
0x00410914
0x004107d0
0x004107d3
0x004108e6
0x00000000
0x004108fd
0x004108eb
0x004108f5
0x004108ce
0x00000000
0x004108ce
0x004107d9
0x004107dc
0x004108d2
0x004108d7
0x00000000
0x004108dc
0x004107e2
0x004107e5
0x004108cb
0x00000000
0x004108cb
0x004107eb
0x004107f0
0x004108b5
0x004108bd
0x00000000
0x004108c3
0x004107f6
0x004107f7
0x004108a2
0x004108a7
0x00000000
0x004108ac
0x004107ff
0x00410893
0x00410898
0x00000000
0x0041089d
0x00410808
0x0041080e
0x0041084b
0x0041084e
0x0041088b
0x00000000
0x0041088d
0x00410855
0x0041085b
0x00410869
0x00410882
0x00410885
0x00000000
0x00410885
0x00410815
0x0041081b
0x00410829
0x0041083f
0x00410842
0x00410848
0x00000000

APIs

ShowWindow.USER32(?,00000005), ref: 00410815
PeekMessageW.USER32 ref: 00410823
SetEvent.KERNEL32(?,?,?), ref: 00410842
ShowWindow.USER32(?,00000005), ref: 00410855
PeekMessageW.USER32 ref: 00410863
MessageBoxW.USER32(?,?,?,?), ref: 00410879
SetEvent.KERNEL32(?), ref: 00410885
SetEvent.KERNEL32(?), ref: 004108BD
GetDesktopWindow.USER32 ref: 004108EE
SetForegroundWindow.USER32(00000000), ref: 004108F5

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Window$EventMessage$PeekShow$DesktopForeground
String ID:
API String ID: 492945738-0
Opcode ID: 1020dcf3a7cf4a9841e136e5eebde1db1a257eca119acd236c22988f0cc26945
Instruction ID: ef53d117bb9aac1f46f3e2f1aa8cb95ae6132c7bce52066b60c1aa11a3ec3fe9
Opcode Fuzzy Hash: 1020dcf3a7cf4a9841e136e5eebde1db1a257eca119acd236c22988f0cc26945
Instruction Fuzzy Hash: 32417EB4204605EFDB255F64CC58CAABBB9FF08311700491AF85287621C779DD91DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00417A38, Relevance: 12.0, APIs: 8, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00417A38(intOrPtr __edx, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
				struct _SECURITY_ATTRIBUTES* _v0;
				DWORD* _v12;
				void* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t27;
				void* _t33;
				DWORD* _t38;
				intOrPtr* _t40;
				void* _t42;
				void* _t48;
				long _t51;
				void* _t61;
				struct _SECURITY_ATTRIBUTES* _t62;
				intOrPtr* _t64;
				void* _t65;

				_t58 = __edx;
				_push(_t64);
				E0041871A();
				_t27 = E004186FA(E00418714());
				if(_t27 != 0) {
					_t51 = _a4;
					 *((intOrPtr*)(_t27 + 0x54)) =  *((intOrPtr*)(_t51 + 0x54));
					 *((intOrPtr*)(_t27 + 0x58)) =  *((intOrPtr*)(_t51 + 0x58));
					_t58 =  *((intOrPtr*)(_t51 + 4));
					_push(_t51);
					 *((intOrPtr*)(_t27 + 4)) =  *((intOrPtr*)(_t51 + 4));
					E00418922(_t48, _t61, _t64, __eflags);
				} else {
					_t64 = _a4;
					if(E0041874E(E00418714(), _t64) == 0) {
						ExitThread(GetLastError());
					}
					 *_t64 = GetCurrentThreadId();
				}
				_t73 =  *0x434300;
				if( *0x434300 != 0) {
					_t42 = E0041AFE0(_t73, 0x434300);
					_pop(_t51);
					_t74 = _t42;
					if(_t42 != 0) {
						 *0x434300(); // executed
					}
				}
				E004179F7(_t58, _t61, _t64, _t74); // executed
				asm("int3");
				_push(_t51);
				_push(_t48);
				_push(_t61);
				_t62 = _v0;
				_v20 = 0;
				_t75 = _t62;
				if(_t62 != 0) {
					_push(_t64);
					E0041871A();
					_t65 = E0041AE0D(1, 0x214);
					__eflags = _t65;
					if(__eflags == 0) {
						L16:
						_push(_t65);
						E004174DE(0, _t62, _t65, __eflags);
						__eflags = _v12;
						if(_v12 != 0) {
							E0041AD6E(_v12);
						}
						_t33 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E00418908(0, _t58, _t62, __eflags) + 0x6c)));
						_push(_t65);
						E004187A8(0, _t62, _t65, __eflags);
						 *(_t65 + 4) =  *(_t65 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t65 + 0x58)) = _a12;
						_t38 = _a20;
						 *((intOrPtr*)(_t65 + 0x54)) = _t62;
						__eflags = _t38;
						if(_t38 == 0) {
							_t38 =  &_a8;
						}
						_t33 = CreateThread(_v0, _a4, E00417A38, _t65, _a16, _t38); // executed
						__eflags = _t33;
						if(__eflags == 0) {
							_v12 = GetLastError();
							goto L16;
						}
					}
				} else {
					_t40 = E0041AD48(_t75);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t40 = 0x16;
					E0041B335(_t58, _t62, _t64);
					_t33 = 0;
				}
				return _t33;
			}

0x00417a38
0x00417a3d
0x00417a3e
0x00417a49
0x00417a50
0x00417a7c
0x00417a82
0x00417a88
0x00417a8b
0x00417a8e
0x00417a8f
0x00417a92
0x00417a52
0x00417a52
0x00417a63
0x00417a6c
0x00417a6c
0x00417a78
0x00417a78
0x00417a97
0x00417a9e
0x00417aa5
0x00417aaa
0x00417aab
0x00417aad
0x00417aaf
0x00417aaf
0x00417aad
0x00417ab5
0x00417aba
0x00417ac0
0x00417ac1
0x00417ac2
0x00417ac3
0x00417ac8
0x00417acb
0x00417acd
0x00417aeb
0x00417aec
0x00417afd
0x00417b01
0x00417b03
0x00417b4f
0x00417b4f
0x00417b50
0x00417b56
0x00417b59
0x00417b5e
0x00417b63
0x00417b64
0x00417b64
0x00417b05
0x00417b0a
0x00417b0d
0x00417b0e
0x00417b16
0x00417b1a
0x00417b1d
0x00417b22
0x00417b25
0x00417b27
0x00417b29
0x00417b29
0x00417b3c
0x00417b42
0x00417b44
0x00417b4c
0x00000000
0x00417b4c
0x00417b44
0x00417acf
0x00417acf
0x00417ad4
0x00417ad5
0x00417ad6
0x00417ad7
0x00417ad8
0x00417ad9
0x00417adf
0x00417ae7
0x00417ae7
0x00417b6a

APIs

___set_flsgetvalue.LIBCMT ref: 00417A3E

Part of subcall function 0041871A: TlsGetValue.KERNEL32(?,00417A43), ref: 00418723
Part of subcall function 0041871A: __decode_pointer.LIBCMT ref: 00418735
Part of subcall function 0041871A: TlsSetValue.KERNEL32(00000000,00417A43), ref: 00418744

___fls_getvalue@4.LIBCMT ref: 00417A49

Part of subcall function 004186FA: TlsGetValue.KERNEL32(?,?,00417A4E,00000000), ref: 00418708

___fls_setvalue@8.LIBCMT ref: 00417A5C

Part of subcall function 0041874E: __decode_pointer.LIBCMT ref: 0041875F

GetLastError.KERNEL32(00000000,?,00000000), ref: 00417A65
ExitThread.KERNEL32 ref: 00417A6C
GetCurrentThreadId.KERNEL32 ref: 00417A72
__freefls@4.LIBCMT ref: 00417A92
__IsNonwritableInCurrentImage.LIBCMT ref: 00417AA5

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 1925773019-0
Opcode ID: ad25c5c030c8e423ef252c91bc7494b41323f4b5739d17432caa5a6650f4ba42
Instruction ID: 23fa8d03a6744e6ba2d29b3b09d89d6d24b2700031a043de03642765a198108a
Opcode Fuzzy Hash: ad25c5c030c8e423ef252c91bc7494b41323f4b5739d17432caa5a6650f4ba42
Instruction Fuzzy Hash: F8014474504201ABC714AF72DC499DE7BB9AF44359720852EB80587252DF3CD9C2C66D

Uniqueness

Uniqueness Score: -1.00%

Function 0040255F, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 431
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E0040255F(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t241;
				signed int _t244;
				signed int _t245;
				void* _t246;
				intOrPtr _t248;
				signed int _t255;
				signed int _t259;
				intOrPtr _t261;
				signed int _t262;
				signed int _t263;
				signed int _t273;
				signed int _t274;
				intOrPtr _t278;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				signed int _t286;
				signed int _t287;
				signed int _t292;
				signed int _t295;
				signed int _t298;
				signed int _t299;
				signed int _t302;
				signed int _t308;
				signed int _t311;
				signed int _t316;
				intOrPtr _t323;
				signed int _t338;
				signed int _t339;
				intOrPtr _t341;
				signed int _t361;
				intOrPtr _t391;
				intOrPtr _t399;
				signed int _t402;
				signed int _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr _t408;
				signed int _t411;
				void* _t414;
				signed int _t415;
				signed int _t417;
				intOrPtr _t418;
				void* _t419;
				void* _t429;

				_t399 = __edx;
				_push(0xb8);
				_t241 = E00416B54(E00420E32, __ebx, __edi, __esi);
				_t402 = 0;
				 *((intOrPtr*)(_t419 - 4)) = 0;
				 *((char*)(_t419 + 8)) = _t241 & 0xffffff00 |  *(_t419 + 0x6c) != 0x00000000;
				E0040222C(_t419 + 0x70,  *(_t419 + 0x70));
				_t338 =  *(_t419 + 0x60);
				 *((char*)(_t419 + 0x6f)) =  *((intOrPtr*)(_t419 + 0x68)) == 0xffffffff;
				 *(_t419 + 0x44) = 0;
				 *((intOrPtr*)(_t419 + 0x48)) = 0;
				if( *((char*)(_t419 + 0x6f)) != 0) {
					 *((intOrPtr*)(_t419 + 0x68)) =  *((intOrPtr*)(_t338 + 0x7c));
				}
				if( *((intOrPtr*)(_t419 + 0x68)) != _t402) {
					 *(_t419 + 0x30) = _t402;
					 *(_t419 + 0x34) = _t402;
					 *(_t419 + 0x38) = _t402;
					 *((intOrPtr*)(_t419 + 0x3c)) = 4;
					 *((intOrPtr*)(_t419 + 0x2c)) = 0x423428;
					 *((char*)(_t419 - 4)) = 2;
					 *(_t419 + 0x54) = _t402;
					while(1) {
						_t244 =  *(_t419 + 0x54);
						__eflags = _t244 -  *((intOrPtr*)(_t419 + 0x68));
						if(_t244 >=  *((intOrPtr*)(_t419 + 0x68))) {
							break;
						}
						__eflags =  *((char*)(_t419 + 0x6f));
						if( *((char*)(_t419 + 0x6f)) == 0) {
							_t244 =  *( *(_t419 + 0x64) + _t244 * 4);
						}
						_t417 =  *( *((intOrPtr*)(_t338 + 0x1c8)) + _t244 * 4);
						 *(_t419 + 0x4c) = _t244;
						__eflags = _t417 - 0xffffffff;
						if(__eflags != 0) {
							_t316 =  *(_t419 + 0x34);
							__eflags = _t316 - _t402;
							if(__eflags == 0) {
								L15:
								_push(_t417);
								_push(0xffffffff);
								_push(E004022AF(_t338, _t419 - 0x38, _t399, _t402, _t417, __eflags));
								_t49 = _t419 + 0x2c; // 0x423428
								 *((char*)(_t419 - 4)) = 4;
								E0040251F(_t338, _t49, _t402, _t417, __eflags);
								 *((char*)(_t419 - 4)) = 2;
								E00408BC5(_t419 - 0x30);
								_t391 = E004023E2( *((intOrPtr*)( *((intOrPtr*)(_t338 + 0x58)) + _t417 * 4)));
								_t58 = _t419 + 0x44;
								 *_t58 =  *(_t419 + 0x44) + _t391;
								__eflags =  *_t58;
								_t323 =  *((intOrPtr*)( *(_t419 + 0x38) +  *(_t419 + 0x34) * 4 - 4));
								 *((intOrPtr*)(_t323 + 0x20)) = _t391;
								asm("adc [ebp+0x48], edx");
								 *((intOrPtr*)(_t323 + 0x24)) = _t399;
								L16:
								_t408 =  *((intOrPtr*)( *(_t419 + 0x38) +  *(_t419 + 0x34) * 4 - 4));
								_t341 =  *((intOrPtr*)( *((intOrPtr*)( *(_t419 + 0x60) + 0x1b4)) + _t417 * 4));
								_t418 =  *((intOrPtr*)(_t408 + 0x10));
								while(1) {
									_t328 =  *(_t419 + 0x4c) - _t341;
									__eflags = _t418 -  *(_t419 + 0x4c) - _t341;
									if(_t418 >  *(_t419 + 0x4c) - _t341) {
										break;
									}
									_t78 = _t408 + 8; // 0xa
									E0040220A(_t78, (_t328 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t418 = _t418 + 1;
								}
								_t338 =  *(_t419 + 0x60);
								goto L20;
							}
							__eflags = _t417 -  *((intOrPtr*)( *((intOrPtr*)( *(_t419 + 0x38) + _t316 * 4 - 4)) + 4));
							if(__eflags == 0) {
								goto L16;
							}
							goto L15;
						} else {
							_push(_t417);
							_push(_t244);
							_push(E004022AF(_t338, _t419 - 0x38, _t399, _t402, _t417, __eflags));
							_t38 = _t419 + 0x2c; // 0x423428
							 *((char*)(_t419 - 4)) = 3;
							E0040251F(_t338, _t38, _t402, _t417, __eflags);
							 *((char*)(_t419 - 4)) = 2;
							E00408BC5(_t419 - 0x30);
							L20:
							 *(_t419 + 0x54) =  *(_t419 + 0x54) + 1;
							_t402 = 0;
							continue;
						}
					}
					_t245 =  *(_t419 + 0x70);
					_t246 =  *((intOrPtr*)( *_t245 + 0xc))(_t245,  *(_t419 + 0x44),  *((intOrPtr*)(_t419 + 0x48)));
					_t410 = _t246;
					__eflags = _t246 - _t402;
					if(__eflags == 0) {
						E004019B6(_t419 - 0xc4, __eflags, 1);
						 *((char*)(_t419 - 4)) = 5;
						 *(_t419 + 0x1c) = _t402;
						 *(_t419 + 0x20) = _t402;
						 *(_t419 + 0x24) = _t402;
						 *(_t419 + 0x28) = _t402;
						_t248 = E00408BD0(_t338, _t402, __eflags, 0x38);
						 *((intOrPtr*)(_t419 + 0x68)) = _t248;
						 *((char*)(_t419 - 4)) = 6;
						__eflags = _t248 - _t402;
						if(_t248 == _t402) {
							_t411 = 0;
							__eflags = 0;
						} else {
							_t411 = E0040ACF5(_t248);
						}
						 *((char*)(_t419 - 4)) = 5;
						 *((intOrPtr*)(_t419 + 0x48)) = _t411;
						E0040222C(_t419 + 0x50, _t411);
						_push(_t402);
						 *((char*)(_t419 - 4)) = 7;
						E0040AC22(_t411,  *(_t419 + 0x70));
						_t403 = 0;
						__eflags = 0;
						 *(_t419 + 0x4c) = 0;
						while(1) {
							 *(_t411 + 0x28) =  *(_t419 + 0x24);
							 *(_t411 + 0x2c) =  *(_t419 + 0x28);
							 *(_t411 + 0x20) =  *(_t419 + 0x1c);
							 *(_t411 + 0x24) =  *(_t419 + 0x20);
							_t255 = E0040AC17(_t411);
							_t412 = _t255;
							__eflags = _t255;
							if(_t255 != 0) {
								break;
							}
							__eflags = _t403 -  *(_t419 + 0x34);
							if(__eflags < 0) {
								_t404 =  *((intOrPtr*)( *(_t419 + 0x38) + _t403 * 4));
								 *((intOrPtr*)(_t419 + 0xc)) =  *((intOrPtr*)(_t404 + 0x20));
								 *((intOrPtr*)(_t419 + 0x10)) =  *((intOrPtr*)(_t404 + 0x24));
								 *((intOrPtr*)(_t419 + 0x14)) = 0;
								 *((intOrPtr*)(_t419 + 0x18)) = 0;
								_t259 = E00408BD0(_t338, _t404, __eflags, 0x38);
								 *(_t419 + 0x40) = _t259;
								 *((char*)(_t419 - 4)) = 8;
								__eflags = _t259;
								if(__eflags == 0) {
									 *(_t419 + 0x54) = 0;
								} else {
									 *(_t419 + 0x54) = E00402B81(_t338, _t259, _t404, 0, __eflags);
								}
								_t350 = _t419 + 0x6c;
								 *((char*)(_t419 - 4)) = 7;
								E0040222C(_t419 + 0x6c,  *(_t419 + 0x54));
								_t261 =  *_t404;
								 *((char*)(_t419 - 4)) = 9;
								_t414 = _t338 + 0x10;
								__eflags = _t261 - 0xffffffff;
								if(_t261 == 0xffffffff) {
									_t350 =  *(_t414 + 0x1a4);
									_t261 =  *((intOrPtr*)( *(_t414 + 0x1a4) +  *(_t404 + 4) * 4));
								}
								__eflags =  *(_t338 + 0x1e4);
								_t262 = E00402F5C(_t338,  *(_t419 + 0x54), _t404, _t414, 0, _t261, _t404 + 8,  *(_t419 + 0x70),  *((intOrPtr*)(_t419 + 8)), (_t350 & 0xffffff00 |  *(_t338 + 0x1e4) != 0x00000000) & 0x000000ff); // executed
								_t339 = _t262;
								__eflags = _t339;
								if(_t339 == 0) {
									__eflags =  *_t404 - 0xffffffff;
									if( *_t404 != 0xffffffff) {
										L76:
										_t263 =  *(_t419 + 0x6c);
										 *((char*)(_t419 - 4)) = 7;
										__eflags = _t263;
										if(_t263 != 0) {
											 *((intOrPtr*)( *_t263 + 8))(_t263);
										}
										L78:
										 *(_t419 + 0x4c) =  *(_t419 + 0x4c) + 1;
										 *(_t419 + 0x24) =  *(_t419 + 0x24) +  *((intOrPtr*)(_t419 + 0xc));
										_t338 =  *(_t419 + 0x60);
										asm("adc [ebp+0x28], eax");
										 *(_t419 + 0x1c) =  *(_t419 + 0x1c) +  *((intOrPtr*)(_t419 + 0x14));
										_t411 =  *((intOrPtr*)(_t419 + 0x48));
										asm("adc [ebp+0x20], eax");
										_t403 =  *(_t419 + 0x4c);
										continue;
									}
									_t406 =  *(_t404 + 4);
									 *(_t419 + 0x40) =  *( *((intOrPtr*)(_t414 + 0x48)) + _t406 * 4);
									 *((intOrPtr*)(_t419 + 0x14)) = E0040242E(_t414, _t406);
									_t338 =  *( *((intOrPtr*)(_t414 + 0x190)) + _t406 * 4);
									 *((intOrPtr*)(_t419 + 0x18)) = _t399;
									_t273 = E00402280(_t414, _t406, 0);
									 *(_t419 + 0x64) =  *(_t419 + 0x64) & 0x00000000;
									_t403 = _t273;
									 *((intOrPtr*)(_t419 + 4)) = _t399;
									_t274 =  *(_t419 + 0x70);
									 *((char*)(_t419 - 4)) = 0xa;
									__eflags = _t274;
									if(__eflags != 0) {
										 *((intOrPtr*)( *_t274))(_t274, 0x424174, _t419 + 0x64);
									}
									_t399 = _t419 + 0x6b;
									_push(_t399);
									_push( *(_t419 + 0x64));
									_push( *(_t419 + 0x50));
									 *((char*)(_t419 - 4)) = 0xb;
									_push( *(_t419 + 0x6c));
									_push( *(_t419 + 0x40));
									_push( *((intOrPtr*)(_t414 + 0xc)) + _t338 * 8);
									_push( *((intOrPtr*)(_t419 + 4)));
									_push(_t403);
									_push( *((intOrPtr*)( *(_t419 + 0x60) + 8)));
									_t415 = E00401ADB(_t338, _t419 - 0xc4, _t403, _t414, __eflags);
									__eflags = _t415 - 1;
									if(_t415 != 1) {
										__eflags = _t415 - 0x80004001;
										if(_t415 != 0x80004001) {
											__eflags = _t415;
											if(_t415 == 0) {
												_t361 =  *(_t419 + 0x54);
												_t278 =  *((intOrPtr*)(_t361 + 0x18));
												__eflags =  *((intOrPtr*)(_t361 + 0x28)) -  *((intOrPtr*)(_t278 + 8));
												if( *((intOrPtr*)(_t361 + 0x28)) !=  *((intOrPtr*)(_t278 + 8))) {
													goto L56;
												}
												 *((intOrPtr*)(_t419 - 4)) = 9;
												_t295 =  *(_t419 + 0x64);
												__eflags = _t295;
												if(_t295 != 0) {
													 *((intOrPtr*)( *_t295 + 8))(_t295);
												}
												goto L76;
											}
											_t281 =  *(_t419 + 0x64);
											 *((char*)(_t419 - 4)) = 9;
											goto L57;
										}
										_t361 =  *(_t419 + 0x54);
										_push(1);
										goto L68;
									} else {
										_t361 =  *(_t419 + 0x54);
										L56:
										_push(2);
										L68:
										_t415 = E00402EF1(_t338, _t361, _t403, _t419);
										_t281 =  *(_t419 + 0x64);
										 *((char*)(_t419 - 4)) = 9;
										__eflags = _t415;
										if(_t415 != 0) {
											L57:
											__eflags = _t281;
											if(_t281 != 0) {
												 *((intOrPtr*)( *_t281 + 8))(_t281);
											}
											_t282 =  *(_t419 + 0x6c);
											 *((char*)(_t419 - 4)) = 7;
											__eflags = _t282;
											if(_t282 != 0) {
												 *((intOrPtr*)( *_t282 + 8))(_t282);
											}
											break;
										}
										__eflags = _t281;
										if(_t281 != 0) {
											 *((intOrPtr*)( *_t281 + 8))(_t281);
										}
										_t292 =  *(_t419 + 0x6c);
										 *((char*)(_t419 - 4)) = 7;
										__eflags = _t292;
										if(_t292 != 0) {
											 *((intOrPtr*)( *_t292 + 8))(_t292);
										}
										 *((char*)(_t419 - 4)) = 7;
										goto L78;
									}
								} else {
									_t298 =  *(_t419 + 0x6c);
									 *((char*)(_t419 - 4)) = 7;
									__eflags = _t298;
									if(_t298 != 0) {
										 *((intOrPtr*)( *_t298 + 8))(_t298);
									}
									_t299 =  *(_t419 + 0x50);
									 *((char*)(_t419 - 4)) = 5;
									__eflags = _t299;
									if(__eflags != 0) {
										 *((intOrPtr*)( *_t299 + 8))(_t299);
									}
									 *((char*)(_t419 - 4)) = 2;
									E0040246D(_t419 - 0xc4, _t414, __eflags);
									_t167 = _t419 + 0x2c; // 0x423428
									 *((char*)(_t419 - 4)) = 1;
									E0040232F(_t339, _t167, _t404, _t414, __eflags);
									_t302 =  *(_t419 + 0x70);
									 *((char*)(_t419 - 4)) = 0;
									__eflags = _t302;
									if(_t302 != 0) {
										 *((intOrPtr*)( *_t302 + 8))(_t302);
									}
									_t287 = _t339;
									goto L79;
								}
							}
							_t308 =  *(_t419 + 0x50);
							 *((char*)(_t419 - 4)) = 5;
							__eflags = _t308;
							if(__eflags != 0) {
								 *((intOrPtr*)( *_t308 + 8))(_t308);
							}
							 *((char*)(_t419 - 4)) = 2;
							E0040246D(_t419 - 0xc4, _t412, __eflags);
							_t127 = _t419 + 0x2c; // 0x423428
							 *((char*)(_t419 - 4)) = 1;
							E0040232F(_t338, _t127, _t403, _t412, __eflags);
							_t311 =  *(_t419 + 0x70);
							__eflags = _t311;
							goto L4;
						}
						_t283 =  *(_t419 + 0x50);
						 *((char*)(_t419 - 4)) = 5;
						__eflags = _t283;
						if(__eflags != 0) {
							 *((intOrPtr*)( *_t283 + 8))(_t283);
						}
						 *((char*)(_t419 - 4)) = 2;
						E0040246D(_t419 - 0xc4, _t415, __eflags);
						_t118 = _t419 + 0x2c; // 0x423428
						 *((char*)(_t419 - 4)) = 1;
						E0040232F(_t338, _t118, _t403, _t415, __eflags);
						_t286 =  *(_t419 + 0x70);
						__eflags = _t286;
						L23:
						 *((char*)(_t419 - 4)) = 0;
						if(__eflags != 0) {
							 *((intOrPtr*)( *_t286 + 8))(_t286);
						}
						_t287 = _t415;
						goto L79;
					}
					_t86 = _t419 + 0x2c; // 0x423428
					 *((char*)(_t419 - 4)) = 1;
					E0040232F(_t338, _t86, _t402, _t410, __eflags);
					_t286 =  *(_t419 + 0x70);
					__eflags = _t286 - _t402;
					goto L23;
				} else {
					_t311 =  *(_t419 + 0x70);
					_t429 = _t311 - _t402;
					L4:
					 *((char*)(_t419 - 4)) = 0;
					if(_t429 != 0) {
						 *((intOrPtr*)( *_t311 + 8))(_t311);
					}
					_t287 = 0;
					L79:
					 *[fs:0x0] =  *((intOrPtr*)(_t419 - 0xc));
					return _t287;
				}
			}

0x0040255f
0x00402563
0x0040256d
0x00402575
0x00402580
0x00402583
0x00402586
0x0040258f
0x00402592
0x0040259a
0x0040259d
0x004025a0
0x004025a5
0x004025a5
0x004025ab
0x004025c5
0x004025c8
0x004025cb
0x004025ce
0x004025d5
0x004025dc
0x004025e0
0x004025e3
0x004025e3
0x004025e6
0x004025e9
0x00000000
0x00000000
0x004025ef
0x004025f3
0x004025f8
0x004025f8
0x00402601
0x00402604
0x00402607
0x0040260a
0x00402634
0x00402637
0x00402639
0x00402647
0x00402647
0x00402648
0x00402652
0x00402653
0x00402656
0x0040265a
0x00402662
0x00402666
0x00402679
0x0040267e
0x0040267e
0x0040267e
0x00402681
0x00402685
0x00402688
0x0040268b
0x0040268e
0x00402694
0x004026a1
0x004026a4
0x004026a7
0x004026aa
0x004026ac
0x004026ae
0x00000000
0x00000000
0x004026b7
0x004026ba
0x004026bf
0x004026bf
0x004026c2
0x00000000
0x004026c2
0x00402642
0x00402645
0x00000000
0x00000000
0x00000000
0x0040260c
0x0040260c
0x0040260d
0x00402616
0x00402617
0x0040261a
0x0040261e
0x00402626
0x0040262a
0x004026c5
0x004026c5
0x004026c8
0x00000000
0x004026c8
0x0040260a
0x004026d2
0x004026db
0x004026de
0x004026e0
0x004026e2
0x00402710
0x00402717
0x0040271b
0x0040271e
0x00402721
0x00402724
0x00402727
0x0040272d
0x00402730
0x00402734
0x00402736
0x00402743
0x00402743
0x00402738
0x0040273f
0x0040273f
0x00402749
0x0040274d
0x00402750
0x00402755
0x0040275b
0x0040275f
0x00402764
0x00402764
0x00402766
0x00402769
0x0040276c
0x00402772
0x00402778
0x00402780
0x00402783
0x00402788
0x0040278a
0x0040278c
0x00000000
0x00000000
0x004027c4
0x004027c7
0x00402802
0x00402808
0x00402812
0x00402815
0x00402818
0x0040281b
0x00402821
0x00402824
0x00402828
0x0040282a
0x00402838
0x0040282c
0x00402833
0x00402833
0x0040283e
0x00402841
0x00402845
0x0040284a
0x0040284c
0x00402850
0x00402853
0x00402856
0x0040285b
0x00402861
0x00402861
0x00402864
0x00402883
0x00402888
0x0040288a
0x0040288c
0x004028e3
0x004028e6
0x00402aa7
0x00402aa7
0x00402aaa
0x00402aae
0x00402ab0
0x00402ab5
0x00402ab5
0x00402ab8
0x00402ab8
0x00402abe
0x00402ac4
0x00402ac7
0x00402acd
0x00402ad3
0x00402ad6
0x00402ad9
0x00000000
0x00402ad9
0x004028ec
0x004028f8
0x00402900
0x00402909
0x00402911
0x00402914
0x00402919
0x0040291d
0x0040291f
0x00402922
0x00402925
0x00402929
0x0040292b
0x00402939
0x00402939
0x00402944
0x00402947
0x00402948
0x0040294e
0x00402951
0x00402955
0x00402958
0x0040295b
0x0040295c
0x0040295f
0x00402960
0x0040296c
0x0040296e
0x00402971
0x004029c2
0x004029c8
0x004029e3
0x004029e5
0x004029f0
0x004029f3
0x004029f9
0x004029fc
0x00000000
0x00000000
0x00402a02
0x00402a9a
0x00402a9d
0x00402a9f
0x00402aa4
0x00402aa4
0x00000000
0x00402a9f
0x004029e7
0x004029ea
0x00000000
0x004029ea
0x004029ca
0x004029cd
0x00000000
0x00402973
0x00402973
0x00402976
0x00402976
0x004029cf
0x004029d4
0x004029d6
0x004029d9
0x004029dd
0x004029df
0x0040297a
0x0040297a
0x0040297c
0x00402981
0x00402981
0x00402984
0x00402987
0x0040298b
0x0040298d
0x00402996
0x00402996
0x00000000
0x0040298d
0x0040299e
0x004029a0
0x004029a5
0x004029a5
0x004029a8
0x004029ab
0x004029af
0x004029b1
0x004029b6
0x004029b6
0x004029b9
0x00000000
0x004029b9
0x0040288e
0x0040288e
0x00402891
0x00402895
0x00402897
0x0040289c
0x0040289c
0x0040289f
0x004028a2
0x004028a6
0x004028a8
0x004028ad
0x004028ad
0x004028b6
0x004028ba
0x004028bf
0x004028c2
0x004028c6
0x004028cb
0x004028ce
0x004028d2
0x004028d4
0x004028d9
0x004028d9
0x004028dc
0x00000000
0x004028dc
0x0040288c
0x004027c9
0x004027cc
0x004027d0
0x004027d2
0x004027d7
0x004027d7
0x004027e0
0x004027e4
0x004027e9
0x004027ec
0x004027f0
0x004027f5
0x004027f8
0x00000000
0x004027f8
0x0040278e
0x00402791
0x00402795
0x00402797
0x0040279c
0x0040279c
0x004027a5
0x004027a9
0x004027ae
0x004027b1
0x004027b5
0x004027ba
0x004027bd
0x004026f5
0x004026f5
0x004026f9
0x004026fe
0x004026fe
0x00402701
0x00000000
0x00402701
0x004026e4
0x004026e7
0x004026eb
0x004026f0
0x004026f3
0x00000000
0x004025ad
0x004025ad
0x004025b0
0x004025b2
0x004025b2
0x004025b6
0x004025bb
0x004025bb
0x004025be
0x00402aec
0x00402aef
0x00402afe
0x00402afe

APIs

__EH_prolog3_catch.LIBCMT ref: 0040256D
~_Task_impl.LIBCPMT ref: 004026EB
~_Task_impl.LIBCPMT ref: 004027B5
~_Task_impl.LIBCPMT ref: 004027F0
~_Task_impl.LIBCPMT ref: 004028C6

Strings

(4B, xrefs: 00402617

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Task_impl$H_prolog3_catch
String ID: (4B
API String ID: 3201307039-3941014785
Opcode ID: 7dd698598920f49c7f00bcb4c319b7e72603d0c720e5309275cb43d7f27d00b5
Instruction ID: f0288910dd9c909d91c94d4f3f33727955864a049ee0700389af622be2fa39fd
Opcode Fuzzy Hash: 7dd698598920f49c7f00bcb4c319b7e72603d0c720e5309275cb43d7f27d00b5
Instruction Fuzzy Hash: DD026C70A00248DFDB11DF68CA88A9D7BB5AF58304F1441AAFC09A73D2CBB9ED45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040543E, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0040543E(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				intOrPtr _t199;
				signed int _t206;
				intOrPtr* _t208;
				intOrPtr* _t220;
				intOrPtr _t227;
				intOrPtr* _t230;
				intOrPtr _t233;
				void* _t237;
				intOrPtr _t242;
				intOrPtr _t277;
				signed int _t279;
				intOrPtr _t280;
				intOrPtr* _t282;
				intOrPtr* _t286;
				intOrPtr _t288;
				intOrPtr* _t290;
				intOrPtr* _t291;
				void* _t296;

				_t296 = __eflags;
				_push(0x10c);
				E00416B21(E00421214, __ebx, __edi, __esi);
				_t282 = __ecx;
				 *((intOrPtr*)(_t291 + 0x1c)) = 0;
				 *((intOrPtr*)(_t291 + 0x20)) = 0;
				 *((intOrPtr*)(_t291 + 0x24)) = 0;
				 *((intOrPtr*)(_t291 + 0x28)) = 8;
				 *((intOrPtr*)(_t291 + 0x18)) = 0x423384;
				_t279 = 0x42341c;
				 *(_t291 - 4) = 0;
				 *((intOrPtr*)(_t291 - 0x58)) = 0;
				 *((intOrPtr*)(_t291 - 0x54)) = 0;
				 *((intOrPtr*)(_t291 - 0x50)) = 0;
				 *((intOrPtr*)(_t291 - 0x4c)) = 1;
				 *(_t291 - 0x5c) = 0x42341c;
				_t242 = 4;
				 *((intOrPtr*)(_t291 - 0x6c)) = 0;
				 *((intOrPtr*)(_t291 - 0x68)) = 0;
				 *((intOrPtr*)(_t291 - 0x64)) = 0;
				 *((intOrPtr*)(_t291 - 0x60)) = _t242;
				 *((intOrPtr*)(_t291 - 0x70)) = 0x423358;
				 *((intOrPtr*)(_t291 + 0x30)) = 0;
				 *((intOrPtr*)(_t291 + 0x34)) = 0;
				 *((intOrPtr*)(_t291 + 0x38)) = 0;
				 *((intOrPtr*)(_t291 + 0x3c)) = _t242;
				 *((intOrPtr*)(_t291 + 0x2c)) = 0x423498;
				 *((intOrPtr*)(_t291 - 0x44)) = 0;
				 *((intOrPtr*)(_t291 - 0x40)) = 0;
				 *((intOrPtr*)(_t291 - 0x3c)) = 0;
				 *((intOrPtr*)(_t291 - 0x38)) = _t242;
				 *((intOrPtr*)(_t291 - 0x48)) = 0x423358;
				 *((intOrPtr*)(_t291 - 0x1c)) = 0;
				 *((intOrPtr*)(_t291 - 0x18)) = 0;
				 *((intOrPtr*)(_t291 - 0x14)) = 0;
				 *((intOrPtr*)(_t291 - 0x10)) = 8;
				 *((intOrPtr*)(_t291 - 0x20)) = 0x423384;
				 *((intOrPtr*)(_t291 - 0x30)) = 0;
				 *((intOrPtr*)(_t291 - 0x2c)) = 0;
				 *((intOrPtr*)(_t291 - 0x28)) = 0;
				 *((intOrPtr*)(_t291 - 0x24)) = 1;
				 *(_t291 - 0x34) = 0x42341c;
				 *((intOrPtr*)(_t291 + 4)) = 0;
				 *((intOrPtr*)(_t291 + 8)) = 0;
				 *((intOrPtr*)(_t291 + 0xc)) = 0;
				 *((intOrPtr*)(_t291 + 0x10)) = _t242;
				 *_t291 = 0x423358;
				_t286 =  *((intOrPtr*)(_t291 + 0x64));
				 *(_t291 - 4) = 7;
				E004053BF(0, __ecx, 0x42341c, 0, _t286, _t291 + 0x18, _t291 - 0x5c, _t291 - 0x70, _t291 + 0x2c, _t291 - 0x48, _t291 - 0x20, _t291 - 0x34, _t291);
				 *(_t291 + 0x40) = 0;
				E004019B6(_t291 - 0x118, _t296, 1);
				 *((intOrPtr*)(_t291 + 0x44)) =  *_t286 +  *((intOrPtr*)(_t291 + 0x5c));
				asm("adc eax, [ebp+0x60]");
				_t297 =  *((intOrPtr*)(_t291 + 0x34));
				 *((intOrPtr*)(_t291 + 0x48)) =  *((intOrPtr*)(_t286 + 4));
				 *(_t291 + 0x60) = 0;
				if( *((intOrPtr*)(_t291 + 0x34)) <= 0) {
					L17:
					 *(_t291 - 4) = 7;
					E0040246D(_t291 - 0x118, _t286, _t307); // executed
					 *(_t291 - 4) = 6;
					E00408BC5(_t291);
					 *(_t291 - 4) = 5;
					E00408BC5(_t291 - 0x34);
					 *(_t291 - 4) = 4;
					E00408BC5(_t291 - 0x20);
					 *(_t291 - 4) = 3;
					E00408BC5(_t291 - 0x48);
					 *(_t291 - 4) = 2;
					E00403264(0, _t291 + 0x2c, _t282, _t286, _t307);
					 *(_t291 - 4) = 1;
					E00408BC5(_t291 - 0x70);
					 *(_t291 - 4) = 0;
					E00408BC5(_t291 - 0x5c);
					 *(_t291 - 4) =  *(_t291 - 4) | 0xffffffff;
					E00408BC5(_t291 + 0x18);
					_t199 = 0;
					L18:
					 *[fs:0x0] =  *((intOrPtr*)(_t291 - 0xc));
					return _t199;
				}
				 *((intOrPtr*)(_t291 - 0x88)) = 0;
				 *((intOrPtr*)(_t291 - 0x84)) = 0;
				 *((intOrPtr*)(_t291 - 0x8c)) = 0x423364;
				while(1) {
					 *((intOrPtr*)(_t291 + 0x64)) =  *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x38)) +  *(_t291 + 0x60) * 4));
					_t288 =  *((intOrPtr*)(_t291 + 0x68));
					_t67 = _t291 - 0x8c; // 0x423364
					 *(_t291 - 4) = 9;
					E00404E08(0, _t288, _t282, _t288, _t297);
					_push(0);
					 *(_t291 - 4) = 8;
					L00408BFB(0, _t282, _t288, _t297);
					_t289 =  *( *((intOrPtr*)(_t288 + 0xc)) +  *(_t288 + 8) * 4 - 4);
					_t260 =  *((intOrPtr*)(_t291 + 0x64));
					 *(_t291 + 0x50) =  *( *((intOrPtr*)(_t288 + 0xc)) +  *(_t288 + 8) * 4 - 4);
					_t206 = E004023E2( *((intOrPtr*)(_t291 + 0x64)));
					 *(_t291 - 0x80) = _t206;
					if(_t206 != _t206) {
						break;
					}
					_t299 = 0 - _t279;
					if(0 != _t279) {
						break;
					}
					E0040140A(_t289, _t291, _t206);
					_t220 = E00408BD0(0, _t282, _t299, 0x14);
					_t300 = _t220;
					if(_t220 == 0) {
						_t290 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t220 + 4)) = 0;
						 *_t220 = 0x423518;
						_t290 = _t220;
					}
					E0040222C(_t291 + 0x4c, _t290);
					_push( *((intOrPtr*)(_t291 + 0x70)));
					_push( *((intOrPtr*)(_t291 + 0x6c)));
					_push(0);
					_push( *((intOrPtr*)(_t291 + 0x4c)));
					 *((intOrPtr*)(_t290 + 8)) =  *((intOrPtr*)( *(_t291 + 0x50) + 8));
					_push( *((intOrPtr*)(_t291 + 0x64)));
					 *(_t290 + 0xc) =  *(_t291 - 0x80);
					 *((intOrPtr*)(_t290 + 0x10)) = 0;
					_t91 = _t291 + 0x40; // 0x42352c
					_t289 =  *_t91;
					_push( *((intOrPtr*)(_t291 + 0x24)) + _t289 * 8);
					_push( *((intOrPtr*)(_t291 + 0x48)));
					 *(_t291 - 4) = 0xa;
					_push( *((intOrPtr*)(_t291 + 0x44)));
					_push( *_t282);
					_t227 = E00401ADB(0, _t291 - 0x118, _t282, _t289, _t300);
					 *((intOrPtr*)(_t291 + 0x14)) = _t227;
					if(_t227 != 0) {
						L20:
						_t208 =  *((intOrPtr*)(_t291 + 0x4c));
						 *(_t291 - 4) = 8;
						__eflags = _t208;
						if(__eflags != 0) {
							 *((intOrPtr*)( *_t208 + 8))(_t208);
						}
						 *(_t291 - 4) = 7;
						E0040246D(_t291 - 0x118, _t289, __eflags);
						 *(_t291 - 4) = 6;
						E00408BC5(_t291);
						 *(_t291 - 4) = 5;
						E00408BC5(_t291 - 0x34);
						 *(_t291 - 4) = 4;
						E00408BC5(_t291 - 0x20);
						 *(_t291 - 4) = 3;
						E00408BC5(_t291 - 0x48);
						 *(_t291 - 4) = 2;
						E00403264(0, _t291 + 0x2c, _t282, _t289, __eflags);
						 *(_t291 - 4) = 1;
						E00408BC5(_t291 - 0x70);
						 *(_t291 - 4) = 0;
						E00408BC5(_t291 - 0x5c);
						 *(_t291 - 4) =  *(_t291 - 4) | 0xffffffff;
						E00408BC5(_t291 + 0x18);
						_t199 =  *((intOrPtr*)(_t291 + 0x14));
						goto L18;
					} else {
						if( *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x54)) == 0) {
							L10:
							 *(_t291 + 0x50) = 0;
							if( *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x30)) <= 0) {
								L14:
								_t230 =  *((intOrPtr*)(_t291 + 0x4c));
								 *(_t291 - 4) = 8;
								if(_t230 != 0) {
									 *((intOrPtr*)( *_t230 + 8))(_t230);
								}
								 *(_t291 + 0x60) =  *(_t291 + 0x60) + 1;
								_t307 =  *(_t291 + 0x60) -  *((intOrPtr*)(_t291 + 0x34));
								if( *(_t291 + 0x60) <  *((intOrPtr*)(_t291 + 0x34))) {
									continue;
								} else {
									goto L17;
								}
							}
							_t277 =  *((intOrPtr*)(_t291 + 0x24));
							do {
								_t280 =  *((intOrPtr*)(_t277 + 4 + _t289 * 8));
								_t233 =  *((intOrPtr*)(_t277 + _t289 * 8));
								_t289 = _t289 + 1;
								 *((intOrPtr*)(_t291 + 0x44)) =  *((intOrPtr*)(_t291 + 0x44)) + _t233;
								 *((intOrPtr*)(_t291 - 0x74)) = _t280;
								asm("adc [ebp+0x48], edx");
								 *((intOrPtr*)(_t282 + 0x48)) =  *((intOrPtr*)(_t282 + 0x48)) + _t233;
								asm("adc [edi+0x4c], eax");
								 *(_t291 + 0x50) =  *(_t291 + 0x50) + 1;
								_t279 =  *(_t291 + 0x50);
							} while (_t279 <  *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x30)));
							 *(_t291 + 0x40) = _t289;
							goto L14;
						}
						_t279 =  *(_t291 - 0x80);
						_t237 = E0040C9E9( *((intOrPtr*)( *(_t291 + 0x50) + 8)), _t279);
						_t260 =  *((intOrPtr*)(_t291 + 0x64));
						if(_t237 !=  *((intOrPtr*)( *((intOrPtr*)(_t291 + 0x64)) + 0x50))) {
							break;
						}
						goto L10;
					}
				}
				E00403C2E(_t260, _t282);
				goto L20;
			}

0x0040543e
0x00405442
0x0040544c
0x00405451
0x0040545a
0x0040545d
0x00405460
0x00405463
0x0040546a
0x0040546d
0x00405472
0x00405475
0x00405478
0x0040547b
0x0040547e
0x00405485
0x0040548a
0x00405490
0x00405493
0x00405496
0x00405499
0x0040549c
0x0040549f
0x004054a2
0x004054a5
0x004054a8
0x004054ab
0x004054b2
0x004054b5
0x004054b8
0x004054bb
0x004054be
0x004054c1
0x004054c4
0x004054c7
0x004054ca
0x004054d1
0x004054d4
0x004054d7
0x004054da
0x004054dd
0x004054e4
0x004054e7
0x004054ea
0x004054ed
0x004054f0
0x004054f3
0x004054f6
0x0040551d
0x00405521
0x0040552e
0x00405531
0x0040553b
0x00405541
0x00405544
0x00405547
0x0040554a
0x0040554d
0x004056af
0x004056b5
0x004056b9
0x004056c1
0x004056c5
0x004056cd
0x004056d1
0x004056d9
0x004056dd
0x004056e5
0x004056e9
0x004056f1
0x004056f5
0x004056fd
0x00405701
0x00405709
0x0040570c
0x00405711
0x00405718
0x0040571d
0x0040571f
0x00405722
0x00405731
0x00405731
0x00405553
0x00405559
0x0040555f
0x00405569
0x00405572
0x00405575
0x00405578
0x00405581
0x00405585
0x0040558a
0x0040558b
0x0040558f
0x0040559b
0x0040559f
0x004055a2
0x004055a5
0x004055aa
0x004055af
0x00000000
0x00000000
0x004055b5
0x004055b7
0x00000000
0x00000000
0x004055c0
0x004055c7
0x004055cd
0x004055cf
0x004055de
0x004055de
0x004055d1
0x004055d1
0x004055d4
0x004055da
0x004055da
0x004055e4
0x004055e9
0x004055ef
0x004055f5
0x004055f6
0x004055f9
0x004055ff
0x00405602
0x00405605
0x0040560b
0x0040560b
0x00405613
0x00405614
0x00405617
0x0040561b
0x0040561e
0x00405625
0x0040562a
0x0040562f
0x00405739
0x00405739
0x0040573c
0x00405740
0x00405742
0x00405747
0x00405747
0x00405750
0x00405754
0x0040575c
0x00405760
0x00405768
0x0040576c
0x00405774
0x00405778
0x00405780
0x00405784
0x0040578c
0x00405790
0x00405798
0x0040579c
0x004057a4
0x004057a7
0x004057ac
0x004057b3
0x004057b8
0x00000000
0x00405635
0x0040563b
0x00405657
0x0040565d
0x00405660
0x0040568f
0x0040568f
0x00405692
0x00405698
0x0040569d
0x0040569d
0x004056a0
0x004056a6
0x004056a9
0x00000000
0x00000000
0x00000000
0x00000000
0x004056a9
0x00405662
0x00405665
0x00405665
0x00405669
0x0040566c
0x0040566d
0x00405670
0x00405673
0x00405676
0x0040567b
0x0040567e
0x00405684
0x00405687
0x0040568c
0x00000000
0x0040568c
0x00405643
0x00405646
0x0040564b
0x00405651
0x00000000
0x00000000
0x00000000
0x00405651
0x0040562f
0x00405734
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 0040544C
~_Task_impl.LIBCPMT ref: 004056F5

Part of subcall function 00404E08: __EH_prolog3.LIBCMT ref: 00404E0F

~_Task_impl.LIBCPMT ref: 00405790

Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4

Strings

d3B, xrefs: 00405578, 0040557E
,5B, xrefs: 0040560B
X3B, xrefs: 0040548B

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3Task_impl$Exception@8Throw_malloc
String ID: ,5B$X3B$d3B
API String ID: 3886086520-1481860430
Opcode ID: 89f05471e8aeb08cf41d8de4455ee3d88d96d3c2bfdf4cf63ae2d17f9b71ca96
Instruction ID: 814289aad0976a7bf2f57e0359f589b9b41a73cc03a2e1a0d3bfeed728cac17b
Opcode Fuzzy Hash: 89f05471e8aeb08cf41d8de4455ee3d88d96d3c2bfdf4cf63ae2d17f9b71ca96
Instruction Fuzzy Hash: A8D105B0901248DFCB14DFA9C980ADDBBB4FF18304F5481AEF959A7281DB78AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405E50, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00405E50(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				char* _t97;
				intOrPtr* _t111;
				signed int _t114;
				void* _t120;
				void* _t123;
				void* _t130;
				signed int _t133;
				signed int _t143;
				signed int _t144;
				void* _t149;
				void* _t164;
				signed int _t167;
				intOrPtr _t169;
				intOrPtr* _t171;
				signed int _t172;
				void* _t173;

				_push(0x34);
				E00416B21(E004212C3, __ebx, __edi, __esi);
				_t171 = __ecx;
				_t169 =  *((intOrPtr*)(_t173 + 8));
				E00403043(_t169);
				 *((intOrPtr*)(_t169 + 0x138)) =  *((intOrPtr*)(_t171 + 0x20));
				 *((intOrPtr*)(_t169 + 0x13c)) =  *((intOrPtr*)(_t171 + 0x24));
				_t97 = _t169 + 0x130;
				 *_t97 =  *((intOrPtr*)(_t171 + 0x2e));
				_t148 =  *((intOrPtr*)(_t171 + 0x2f));
				 *((char*)(_t169 + 0x131)) =  *((intOrPtr*)(_t171 + 0x2f));
				if( *_t97 != 0) {
					L1:
					E00403C2E(_t148, _t169);
				}
				_t143 =  *(_t171 + 0x40);
				 *((intOrPtr*)(_t173 + 8)) =  *((intOrPtr*)(_t171 + 0x30));
				_t148 = _t171 + 0x34;
				 *((intOrPtr*)(_t173 - 0x18)) =  *_t148;
				 *((intOrPtr*)(_t173 - 0x14)) =  *((intOrPtr*)(_t148 + 4));
				 *(_t173 - 0x20) =  *(_t171 + 0x3c);
				_t164 = 0x14;
				 *((intOrPtr*)(_t173 - 0x10)) =  *((intOrPtr*)(_t171 + 0x44));
				if(E0040C9E9(_t148, _t164) !=  *((intOrPtr*)(_t173 + 8))) {
					goto L1;
				}
				 *((intOrPtr*)(_t169 + 0x140)) =  *((intOrPtr*)(_t171 + 0x20)) + 0x20;
				_t149 = 0;
				asm("adc edx, ecx");
				_t108 =  *(_t173 - 0x20) | _t143;
				 *((intOrPtr*)(_t169 + 0x144)) =  *((intOrPtr*)(_t171 + 0x24));
				if(( *(_t173 - 0x20) | _t143) != 0) {
					if(_t143 > _t149 ||  *(_t173 - 0x20) > 0xffffffff) {
						L6:
						_t108 = 1;
					} else {
						__eflags =  *((intOrPtr*)(_t173 - 0x14)) - _t149;
						if(__eflags > 0) {
							L10:
							_t111 =  *_t171;
							_t108 =  *((intOrPtr*)( *_t111 + 0x10))(_t111,  *((intOrPtr*)(_t173 - 0x18)),  *((intOrPtr*)(_t173 - 0x14)), 1, _t149);
							__eflags = _t108;
							if(_t108 == 0) {
								 *((intOrPtr*)(_t173 - 0x2c)) = 0x423364;
								 *((intOrPtr*)(_t173 - 0x28)) = 0;
								 *((intOrPtr*)(_t173 - 0x24)) = 0;
								 *((intOrPtr*)(_t173 - 4)) = 0;
								_t38 = _t173 - 0x2c; // 0x423364
								E0040140A(_t38, _t173,  *(_t173 - 0x20));
								_t114 = E0040B06F(__eflags,  *_t171,  *((intOrPtr*)(_t173 - 0x24)),  *(_t173 - 0x20)); // executed
								__eflags = _t114;
								if(__eflags == 0) {
									_t167 =  *(_t173 - 0x20);
									asm("adc ecx, 0x0");
									 *((intOrPtr*)(_t171 + 0x48)) =  *((intOrPtr*)(_t171 + 0x48)) + _t167 + 0x20;
									asm("adc [esi+0x4c], ecx");
									_t148 =  *((intOrPtr*)(_t173 - 0x24));
									asm("adc ebx, [ebp-0x14]");
									asm("adc ebx, 0x0");
									 *((intOrPtr*)(_t169 + 0x1c8)) = _t167 +  *((intOrPtr*)(_t173 - 0x18)) + 0x20;
									 *(_t169 + 0x1cc) = _t143;
									_t120 = E0040C9E9( *((intOrPtr*)(_t173 - 0x24)), _t167);
									__eflags = _t120 -  *((intOrPtr*)(_t173 - 0x10));
									if(_t120 !=  *((intOrPtr*)(_t173 - 0x10))) {
										goto L1;
									} else {
										 *((char*)(_t173 - 0x14)) = 0;
										_t51 = _t173 - 0x2c; // 0x423364
										 *((char*)(_t173 - 4)) = 1;
										E00404430(_t171, _t51);
										_t144 = 0;
										 *((intOrPtr*)(_t173 - 0x3c)) = 0;
										 *(_t173 - 0x38) = 0;
										 *((intOrPtr*)(_t173 - 0x34)) = 0;
										 *((intOrPtr*)(_t173 - 0x30)) = 4;
										 *((intOrPtr*)(_t173 - 0x40)) = 0x42352c;
										_t148 =  *((intOrPtr*)(_t171 + 0x18));
										 *((char*)(_t173 - 4)) = 2;
										_t123 = E00403CC9( *((intOrPtr*)(_t171 + 0x18)), _t167);
										__eflags = _t123 - 1;
										if(_t123 != 1) {
											L17:
											__eflags = _t123 - 0x17;
											if(_t123 != 0x17) {
												goto L1;
											} else {
												__eflags = _t167 - _t144;
												if(__eflags != 0) {
													goto L1;
												} else {
													_t62 = _t173 - 0x40; // 0x42352c
													_t148 = _t171;
													_t144 = E0040543E(_t144, _t171, _t169, _t171, __eflags,  *((intOrPtr*)(_t169 + 0x140)),  *((intOrPtr*)(_t169 + 0x144)), _t169 + 0x150, _t62,  *((intOrPtr*)(_t173 + 0xc)),  *((intOrPtr*)(_t173 + 0x10)));
													__eflags = _t144;
													if(__eflags == 0) {
														__eflags =  *(_t173 - 0x38);
														if(__eflags != 0) {
															__eflags =  *(_t173 - 0x38) - 1;
															if( *(_t173 - 0x38) > 1) {
																goto L1;
															} else {
																E004043F7(_t173 - 0x18);
																E00404430(_t171,  *((intOrPtr*)( *((intOrPtr*)(_t173 - 0x34)))));
																_t148 =  *((intOrPtr*)(_t171 + 0x18));
																_t130 = E00403CC9( *((intOrPtr*)(_t171 + 0x18)), _t167);
																__eflags = _t130 - 1;
																if(_t130 != 1) {
																	goto L1;
																} else {
																	__eflags = _t167;
																	if(__eflags != 0) {
																		goto L1;
																	} else {
																		goto L26;
																	}
																}
															}
														} else {
															_t72 = _t173 - 0x40; // 0x42352c
															 *((char*)(_t173 - 4)) = 1;
															E00404035(_t144, _t72, _t169, _t171, __eflags);
															 *((char*)(_t173 - 4)) = 0;
															E004043F7(_t173 - 0x18);
															_t144 = 0;
															goto L13;
														}
													} else {
														_t67 = _t173 - 0x40; // 0x42352c
														 *((char*)(_t173 - 4)) = 1;
														E00404035(_t144, _t67, _t169, _t171, __eflags);
														 *((char*)(_t173 - 4)) = 0;
														E004043F7(_t173 - 0x18);
														goto L13;
													}
												}
											}
										} else {
											__eflags = _t167;
											if(__eflags == 0) {
												L26:
												 *((intOrPtr*)(_t169 + 0x1c0)) =  *((intOrPtr*)(_t171 + 0x48));
												 *((intOrPtr*)(_t169 + 0x1c4)) =  *((intOrPtr*)(_t171 + 0x4c));
												_t133 = E004057C0(_t144, _t171, _t167, _t169, _t171, __eflags, _t169,  *((intOrPtr*)(_t173 + 0xc)),  *((intOrPtr*)(_t173 + 0x10)));
												_t87 = _t173 - 0x40; // 0x42352c
												_t172 = _t133;
												 *((char*)(_t173 - 4)) = 1;
												E00404035(_t144, _t87, _t169, _t172, __eflags);
												 *((char*)(_t173 - 4)) = 0;
												E004043F7(_t173 - 0x18);
												_push( *((intOrPtr*)(_t173 - 0x24)));
												L00408BFB(_t144, _t169, _t172, __eflags);
												_t108 = _t172;
												goto L27;
											} else {
												goto L17;
											}
										}
									}
								} else {
									_t144 = _t114;
									L13:
									_push( *((intOrPtr*)(_t173 - 0x24)));
									L00408BFB(_t144, _t169, _t171, __eflags);
									_t108 = _t144;
									L27:
								}
							}
						} else {
							if(__eflags < 0) {
								goto L6;
							} else {
								__eflags =  *((intOrPtr*)(_t173 - 0x18)) - _t149;
								if( *((intOrPtr*)(_t173 - 0x18)) < _t149) {
									goto L6;
								} else {
									goto L10;
								}
							}
						}
					}
				}
				return E00416BF9(_t108);
			}

0x00405e50
0x00405e57
0x00405e5c
0x00405e5e
0x00405e63
0x00405e6b
0x00405e74
0x00405e7d
0x00405e83
0x00405e88
0x00405e8b
0x00405e91
0x00405e93
0x00405e93
0x00405e93
0x00405e9b
0x00405e9e
0x00405ea1
0x00405ea6
0x00405eac
0x00405eb2
0x00405eba
0x00405ebb
0x00405ec6
0x00000000
0x00000000
0x00405ed3
0x00405edc
0x00405edd
0x00405edf
0x00405ee1
0x00405ee7
0x00405eef
0x00405ef7
0x00405ef9
0x00405eff
0x00405eff
0x00405f02
0x00405f0b
0x00405f0b
0x00405f19
0x00405f1e
0x00405f20
0x00405f26
0x00405f2d
0x00405f30
0x00405f36
0x00405f39
0x00405f3c
0x00405f4a
0x00405f4f
0x00405f51
0x00405f64
0x00405f6e
0x00405f71
0x00405f76
0x00405f7c
0x00405f7f
0x00405f85
0x00405f88
0x00405f8e
0x00405f94
0x00405f99
0x00405f9c
0x00000000
0x00405fa2
0x00405fa2
0x00405fa6
0x00405fae
0x00405fb2
0x00405fb7
0x00405fb9
0x00405fbc
0x00405fbf
0x00405fc2
0x00405fc9
0x00405fd0
0x00405fd3
0x00405fd7
0x00405fdc
0x00405fdf
0x00405fe9
0x00405fe9
0x00405fec
0x00000000
0x00405ff2
0x00405ff2
0x00405ff4
0x00000000
0x00405ffa
0x00405ffd
0x00406003
0x0040601e
0x00406020
0x00406022
0x00406041
0x00406045
0x00406066
0x0040606a
0x00000000
0x00406070
0x00406073
0x00406081
0x00406086
0x00406089
0x0040608e
0x00406091
0x00000000
0x00406097
0x00406097
0x00406099
0x00000000
0x00000000
0x00000000
0x00000000
0x00406099
0x00406091
0x00406047
0x00406047
0x0040604a
0x0040604e
0x00406056
0x0040605a
0x0040605f
0x00000000
0x0040605f
0x00406024
0x00406024
0x00406027
0x0040602b
0x00406033
0x00406037
0x00000000
0x00406037
0x00406022
0x00405ff4
0x00405fe1
0x00405fe1
0x00405fe3
0x0040609f
0x004060a8
0x004060b4
0x004060ba
0x004060bf
0x004060c2
0x004060c4
0x004060c8
0x004060d0
0x004060d4
0x004060d9
0x004060dc
0x004060e1
0x00000000
0x00000000
0x00000000
0x00000000
0x00405fe3
0x00405fdf
0x00405f53
0x00405f53
0x00405f55
0x00405f55
0x00405f58
0x00405f5d
0x004060e3
0x004060e3
0x00405f51
0x00405f04
0x00405f04
0x00000000
0x00405f06
0x00405f06
0x00405f09
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f09
0x00405f04
0x00405f02
0x00405eef
0x004060e9

APIs

__EH_prolog3.LIBCMT ref: 00405E57

Part of subcall function 00403C2E: __CxxThrowException@8.LIBCMT ref: 00403C48

~_Task_impl.LIBCPMT ref: 0040602B
~_Task_impl.LIBCPMT ref: 0040604E
~_Task_impl.LIBCPMT ref: 004060C8

Strings

,5B, xrefs: 00405FFD, 00406005
d3B, xrefs: 00405F39

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Task_impl$Exception@8H_prolog3Throw
String ID: ,5B$d3B
API String ID: 2671850710-4022472632
Opcode ID: 37ac2dd807b087e83301ac34187e4f1a000248bbc5afb3bfb8b662fdc613bc7d
Instruction ID: 22ed54c7a815a4ab7570c59c5c815cf412b8cd08c948cb3af00627dc78b13c80
Opcode Fuzzy Hash: 37ac2dd807b087e83301ac34187e4f1a000248bbc5afb3bfb8b662fdc613bc7d
Instruction Fuzzy Hash: 89813970A00649DFCB15DFA5C881ADEBBB0FF08304F14452EE545B7391D739AA44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041203E, Relevance: 10.6, APIs: 7, Instructions: 93
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0041203E(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t35;
				int _t36;
				void* _t41;
				void* _t47;
				void* _t52;
				struct HWND__** _t78;
				void* _t80;
				void* _t82;

				_push(0x24);
				E00416B21(E00421EEC, __ebx, __edi, __esi);
				_t80 = __ecx;
				 *(__ecx + 0x40) =  *(__ecx + 0x40) | 0xffffffff;
				 *(__ecx + 0x44) =  *(__ecx + 0x44) | 0xffffffff;
				 *(__ecx + 0x4c) =  *(__ecx + 0x4c) | 0xffffffff;
				_t78 = __ecx + 4;
				 *((intOrPtr*)(_t80 + 0x48)) = GetDlgItem( *_t78, 0x3e8);
				_t35 = _t80 + 0x98;
				_t84 =  *_t35;
				if( *_t35 >= 0) {
					SendMessageW( *_t78, 0x80, 1, LoadIconW( *0x43063c,  *_t35 & 0x0000ffff));
				}
				_t36 = SetTimer( *_t78, 3, 0x64, 0); // executed
				 *(_t80 + 0x20) = _t36;
				E00411A09(_t78,  *((intOrPtr*)(_t80 + 0x24)));
				E00411E99(_t80);
				E0040320A(_t82 - 0x24);
				 *((intOrPtr*)(_t82 - 4)) = 0;
				_t41 = E0040C825(_t82 - 0x24, _t82 - 0x18, 0x47);
				 *((char*)(_t82 - 4)) = 1;
				E00408639(_t82 - 0x24, _t82, _t41);
				_push( *(_t82 - 0x18));
				 *((char*)(_t82 - 4)) = 0;
				L00408BFB(0, _t78, _t80, _t84);
				SetDlgItemTextW( *_t78, 0x3e7,  *(_t82 - 0x24)); // executed
				E0040320A(_t82 - 0x18);
				 *((char*)(_t82 - 4)) = 2;
				_t47 = E0040C825(_t82 - 0x18, _t82 - 0x30, 0x15);
				 *((char*)(_t82 - 4)) = 3;
				E00408639(_t82 - 0x18, _t82, _t47);
				_push( *((intOrPtr*)(_t82 - 0x30)));
				 *((char*)(_t82 - 4)) = 2;
				L00408BFB(SetDlgItemTextW, _t78, _t80, _t84);
				SetDlgItemTextW( *_t78, 2,  *(_t82 - 0x18)); // executed
				 *(_t80 + 0x58) =  *_t78;
				_t52 = E00410729(_t80);
				 *((char*)(_t80 + 0x50)) = 1;
				_t81 = _t80 + 0x54;
				_t64 = _t52;
				E0040FCA0(_t80 + 0x54);
				_push( *(_t82 - 0x18));
				L00408BFB(_t52, _t78, _t81, _t80 + 0x54);
				_push( *(_t82 - 0x24));
				L00408BFB(_t52, _t78, _t81, _t80 + 0x54);
				return E00416BF9(_t64);
			}

0x0041203e
0x00412045
0x0041204a
0x0041204c
0x00412050
0x00412054
0x0041205d
0x00412068
0x0041206b
0x00412073
0x00412075
0x00412091
0x00412091
0x0041209e
0x004120a9
0x004120ac
0x004120b3
0x004120bb
0x004120c6
0x004120c9
0x004120d2
0x004120d6
0x004120db
0x004120de
0x004120e1
0x004120f7
0x004120fc
0x00412107
0x0041210b
0x00412114
0x00412118
0x0041211d
0x00412120
0x00412124
0x00412131
0x00412137
0x0041213a
0x0041213f
0x00412143
0x00412147
0x00412149
0x0041214e
0x00412151
0x00412156
0x00412159
0x00412167

APIs

__EH_prolog3.LIBCMT ref: 00412045
GetDlgItem.USER32 ref: 00412062
LoadIconW.USER32 ref: 00412081
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00412091
SetTimer.USER32 ref: 0041209E
SetDlgItemTextW.USER32 ref: 004120F7
SetDlgItemTextW.USER32 ref: 00412131

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Item$Text$H_prolog3IconLoadMessageSendTimer
String ID:
API String ID: 939275570-0
Opcode ID: b5a1f2fd79a4d6ec9c43f6b1f7724fdb4dc7d40301fbf03e95c372824f78d78f
Instruction ID: 21c704d9c836a514070a3f35ff2bc92d5ecee665b3ff0147aa08f3bdc7422be8
Opcode Fuzzy Hash: b5a1f2fd79a4d6ec9c43f6b1f7724fdb4dc7d40301fbf03e95c372824f78d78f
Instruction Fuzzy Hash: 6E31A071500344EFDB11ABA1CD46ADDBFB4AF08314F10016EF291A61E2CF7A6A55DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00401ADB, Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00401ADB(void* __ebx, signed int* __ecx, intOrPtr __edi, void* __esi, void* __eflags) {
				void* __ebp;
				signed int _t329;
				signed int _t346;
				intOrPtr* _t355;
				signed int _t357;
				signed int _t360;
				signed int _t361;
				signed int _t369;
				signed int _t370;
				signed int _t383;
				signed int _t389;
				signed int _t390;
				unsigned int _t394;
				signed int _t398;
				signed int _t404;
				signed int _t405;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t418;
				signed int _t424;
				signed int _t425;
				signed int _t427;
				signed int _t428;
				signed char _t429;
				signed int _t432;
				signed int _t440;
				signed int _t446;
				signed int _t447;
				intOrPtr _t478;
				intOrPtr _t488;
				signed int _t494;
				unsigned int* _t504;
				signed int _t508;
				signed int _t521;
				signed int _t543;
				signed int _t549;
				signed int _t550;
				signed int _t551;
				intOrPtr* _t553;
				signed int _t555;
				signed int* _t556;
				intOrPtr* _t557;
				signed int _t558;
				signed int _t561;
				signed int _t562;
				intOrPtr* _t563;
				void* _t568;

				_t568 = __eflags;
				_t545 = __edi;
				_push(0xcc);
				E00416B21(E00420D66, __ebx, __edi, __esi);
				 *(_t563 + 0x34) = __ecx;
				_t555 =  *(_t563 + 0x60);
				if(E004041D7(__ebx, _t555, __edi, _t555, _t568) != 0) {
					 *((char*)( *((intOrPtr*)(_t563 + 0x70)))) = 0;
					 *((intOrPtr*)(_t563 + 4)) = 0;
					 *(_t563 + 8) = 0;
					 *((intOrPtr*)(_t563 + 0xc)) = 0;
					 *((intOrPtr*)(_t563 + 0x10)) = 4;
					 *_t563 = 0x4233bc;
					_push(_t563 - 0x70);
					 *(_t563 - 4) = 0;
					 *((intOrPtr*)(_t563 - 0x74)) = 0;
					E0040FCFC(__eflags);
					 *(_t563 - 4) = 1;
					E00406200(_t563 - 0x74,  *(_t563 + 0x50));
					__eflags =  *(_t555 + 0x30);
					 *(_t563 + 0x50) = 0;
					if(__eflags <= 0) {
						L15:
						_t457 = _t563 - 0xd8;
						 *(_t563 + 0x28) =  *( *(_t563 + 0x60) + 8);
						E004018AB(_t563 - 0xd8, __eflags);
						 *(_t563 - 4) = 4;
						E004017E4(_t563 - 0xd8,  *(_t563 + 0x60), _t563 - 0xd8);
						_t556 =  *(_t563 + 0x34);
						__eflags =  *_t556;
						if( *_t556 == 0) {
							L17:
							E00408B5A();
							_t547 =  &(_t556[0x1d]);
							E00402B01( &(_t556[0x1d]));
							__eflags = _t556[0x1a];
							if(__eflags != 0) {
								_t424 = E00408BD0(0, _t547, __eflags, 0x88);
								__eflags = _t424;
								if(_t424 == 0) {
									_t425 = 0;
									__eflags = 0;
								} else {
									_t425 = E004018D0(_t424);
								}
								_t556[0x1b] = _t425;
								E00406200(_t547, _t425);
								_t427 = _t556[0x1b];
								__eflags = _t427;
								if(_t427 == 0) {
									_t428 = 0;
									__eflags = 0;
								} else {
									_t428 = _t427 + 4;
								}
								_t556[0x1c] = _t428;
							}
							_t329 =  *((intOrPtr*)( *(_t556[0x1c])))(_t563 - 0xd8);
							__eflags = _t329;
							if(__eflags == 0) {
								__eflags =  *(_t563 + 0x28);
								 *(_t563 + 0x44) = 0;
								if(__eflags <= 0) {
									L45:
									E004019EB( &(_t556[1]), _t563 - 0xd8);
									 *_t556 = 1;
									L46:
									 *((intOrPtr*)( *(_t556[0x1c]) + 4))();
									__eflags =  *(_t563 + 0x28);
									 *(_t563 + 0x34) = 0;
									 *(_t563 + 0x30) = 0;
									 *(_t563 + 0x2c) = 0;
									if( *(_t563 + 0x28) <= 0) {
										L88:
										E004011A3(_t563 - 0xd8,  *((intOrPtr*)( *((intOrPtr*)(_t563 - 0x90)))), _t563 + 0x60, _t563 + 0x70);
										__eflags = _t556[0x1a];
										if(_t556[0x1a] != 0) {
											 *(_t556[0x1b] + 0x70) =  *(_t563 + 0x60);
										}
										__eflags =  *(_t563 + 0x28);
										if(__eflags != 0) {
											 *((intOrPtr*)(_t563 - 0x48)) = 0;
											 *((intOrPtr*)(_t563 - 0x44)) = 0;
											 *((intOrPtr*)(_t563 - 0x40)) = 0;
											 *((intOrPtr*)(_t563 - 0x3c)) = 4;
											 *((intOrPtr*)(_t563 - 0x4c)) = 0x42339c;
											 *(_t563 - 4) = 0xf;
											E00408A61(_t563 - 0x4c,  *(_t563 + 8));
											_t547 = 0;
											__eflags =  *(_t563 + 8);
											if( *(_t563 + 8) <= 0) {
												L102:
												_t557 = _t556[0x1d];
												 *((intOrPtr*)(_t563 - 0x24)) =  *((intOrPtr*)(_t563 + 0x64));
												_t558 =  *((intOrPtr*)( *_t557 + 0xc))(_t557,  *((intOrPtr*)(_t563 - 0x40)), 0,  *(_t563 + 8), _t563 - 0x24, 0, 1,  *((intOrPtr*)(_t563 + 0x68)));
												 *(_t563 - 4) = 4;
												E00408BC5(_t563 - 0x4c);
												goto L27;
											} else {
												goto L101;
											}
											do {
												L101:
												E0040105E(_t563 - 0x4c,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t563 + 0xc)) + _t547 * 4)))));
												_t547 = _t547 + 1;
												__eflags = _t547 -  *(_t563 + 8);
											} while (_t547 <  *(_t563 + 8));
											goto L102;
										} else {
											_t558 = 0;
											goto L27;
										}
									}
									 *((intOrPtr*)(_t563 + 0x20)) = 0;
									do {
										 *(_t563 + 0x3c) =  *( *((intOrPtr*)( *(_t563 + 0x60) + 0xc)) +  *(_t563 + 0x2c) * 4);
										_t547 =  *( *((intOrPtr*)(_t563 + 0x20)) + _t556[0x21]);
										 *(_t563 + 0x24) = 0;
										_t355 =  *_t547;
										 *(_t563 - 4) = 8;
										 *((intOrPtr*)( *_t355))(_t355, 0x424064, _t563 + 0x24);
										_t357 =  *(_t563 + 0x24);
										__eflags = _t357;
										if(_t357 == 0) {
											L51:
											 *(_t563 - 4) = 4;
											__eflags = _t357;
											if(_t357 != 0) {
												 *((intOrPtr*)( *_t357 + 8))(_t357);
											}
											 *(_t563 + 0x44) = 0;
											_t547 =  *_t547;
											 *(_t563 - 4) = 9;
											 *( *_t547)(_t547, 0x4240e4, _t563 + 0x44);
											_t360 =  *(_t563 + 0x44);
											__eflags = _t360;
											if(_t360 == 0) {
												L61:
												 *(_t563 - 4) = 4;
												__eflags = _t360;
												if(_t360 != 0) {
													 *((intOrPtr*)( *_t360 + 8))(_t360);
												}
												_t361 =  *(_t563 + 0x3c);
												_t549 =  *(_t361 + 0x18);
												_t478 = 4;
												 *((intOrPtr*)(_t563 + 0x20)) =  *((intOrPtr*)(_t563 + 0x20)) + _t478;
												 *(_t563 + 0x40) =  *(_t361 + 0x14);
												 *((intOrPtr*)(_t563 - 0x1c)) = 0;
												 *((intOrPtr*)(_t563 - 0x18)) = 0;
												 *((intOrPtr*)(_t563 - 0x14)) = 0;
												 *((intOrPtr*)(_t563 - 0x10)) = _t478;
												 *((intOrPtr*)(_t563 - 0x20)) = 0x423390;
												 *((intOrPtr*)(_t563 - 0x34)) = 0;
												 *((intOrPtr*)(_t563 - 0x30)) = 0;
												 *((intOrPtr*)(_t563 - 0x2c)) = 0;
												 *((intOrPtr*)(_t563 - 0x28)) = _t478;
												 *((intOrPtr*)(_t563 - 0x38)) = 0x423390;
												 *(_t563 - 4) = 0xe;
												E00408A61(_t563 - 0x20,  *(_t361 + 0x14));
												E00408A61(_t563 - 0x38, _t549);
												__eflags = _t549;
												if(_t549 <= 0) {
													_t547 =  *(_t563 + 0x60);
													goto L81;
												} else {
													 *(_t563 + 0x3c) = _t549;
													_t547 =  *(_t563 + 0x60);
													do {
														E0040105E(_t563 - 0x38,  *((intOrPtr*)(_t547 + 0x48)) +  *(_t563 + 0x30) * 8);
														 *(_t563 + 0x30) =  *(_t563 + 0x30) + 1;
														_t221 = _t563 + 0x3c;
														 *_t221 =  *(_t563 + 0x3c) - 1;
														__eflags =  *_t221;
													} while ( *_t221 != 0);
													L81:
													 *(_t563 + 0x3c) = 0;
													__eflags =  *(_t563 + 0x40);
													if( *(_t563 + 0x40) <= 0) {
														goto L87;
													} else {
														goto L82;
													}
													do {
														L82:
														_t369 = E00401237(_t547,  *(_t563 + 0x34));
														__eflags = _t369;
														if(_t369 < 0) {
															_t370 = E00401282(_t547,  *(_t563 + 0x34));
															__eflags = _t370;
															if(_t370 < 0) {
																 *(_t563 - 4) = 0xd;
																E00408BC5(_t563 - 0x38);
																 *(_t563 - 4) = 4;
																E00408BC5(_t563 - 0x20);
																goto L94;
															}
															_t488 =  *((intOrPtr*)(_t563 + 0x5c));
															goto L86;
														}
														_t370 =  *( *((intOrPtr*)(_t547 + 0x20)) + 4 + _t369 * 8);
														_t488 =  *((intOrPtr*)(_t547 + 0x48));
														L86:
														E0040105E(_t563 - 0x20, _t488 + _t370 * 8);
														 *(_t563 + 0x3c) =  *(_t563 + 0x3c) + 1;
														 *(_t563 + 0x34) =  &(( *(_t563 + 0x34))[0]);
														__eflags =  *(_t563 + 0x3c) -  *(_t563 + 0x40);
													} while ( *(_t563 + 0x3c) <  *(_t563 + 0x40));
													goto L87;
												}
											} else {
												_t494 =  *(_t563 + 0x6c);
												__eflags = _t494;
												if(__eflags == 0) {
													 *(_t563 - 4) = 4;
													 *((intOrPtr*)( *_t360 + 8))(_t360);
													L94:
													_t558 = 0x80004005;
													goto L27;
												}
												 *(_t563 + 0x38) = 0;
												 *(_t563 - 4) = 0xa;
												_t547 =  *((intOrPtr*)( *_t494 + 0xc))(_t494, _t563 + 0x38);
												__eflags = _t547;
												if(_t547 != 0) {
													L95:
													__imp__#6( *(_t563 + 0x38));
													_t383 =  *(_t563 + 0x44);
													 *(_t563 - 4) = 4;
													__eflags = _t383;
													if(__eflags != 0) {
														 *((intOrPtr*)( *_t383 + 8))(_t383);
													}
													_t558 = _t547;
													goto L27;
												}
												 *((intOrPtr*)(_t563 + 0x14)) = 0x423364;
												 *((intOrPtr*)(_t563 + 0x18)) = 0;
												 *(_t563 + 0x1c) = 0;
												 *(_t563 - 4) = 0xb;
												 *((char*)( *((intOrPtr*)(_t563 + 0x70)))) = 1;
												E00401647(_t563 - 0x58, _t563,  *(_t563 + 0x38));
												_t551 =  *(_t563 - 0x54);
												 *(_t563 - 4) = 0xc;
												 *(_t563 + 0x40) = _t551 + _t551;
												E0040140A(_t563 + 0x14, _t563, _t551 + _t551);
												__eflags = _t551;
												if(__eflags <= 0) {
													L59:
													_t389 =  *(_t563 + 0x44);
													_t390 =  *((intOrPtr*)( *_t389 + 0xc))(_t389,  *(_t563 + 0x1c),  *(_t563 + 0x40));
													_push( *((intOrPtr*)(_t563 - 0x58)));
													_t547 = _t390;
													L00408BFB(0, _t547, _t556, __eflags);
													_push( *(_t563 + 0x1c));
													__eflags = _t547;
													if(__eflags != 0) {
														L00408BFB(0, _t547, _t556, __eflags);
														goto L95;
													}
													 *((intOrPtr*)(_t563 + 0x14)) = 0x423364;
													L00408BFB(0, _t547, _t556, __eflags);
													__imp__#6( *(_t563 + 0x38));
													_t360 =  *(_t563 + 0x44);
													goto L61;
												}
												_t504 =  *(_t563 + 0x1c);
												_t543 =  *((intOrPtr*)(_t563 - 0x58)) - _t504;
												__eflags = _t543;
												do {
													_t394 =  *(_t504 + _t543) & 0x0000ffff;
													 *_t504 = _t394;
													_t504[0] = _t394 >> 8;
													_t504 =  &(_t504[0]);
													_t551 = _t551 - 1;
													__eflags = _t551;
												} while (__eflags != 0);
												goto L59;
											}
										}
										_t508 =  *( *(_t563 + 0x3c) + 0xc);
										 *(_t563 + 0x40) = _t508;
										__eflags = _t508 - 0xffffffff;
										if(__eflags > 0) {
											 *(_t563 - 4) = 4;
											L79:
											 *((intOrPtr*)( *_t357 + 8))(_t357);
											L77:
											_t558 = 0x80004001;
											goto L27;
										}
										_t398 =  *((intOrPtr*)( *_t357 + 0xc))(_t357,  *((intOrPtr*)( *(_t563 + 0x3c) + 0x10)),  *(_t563 + 0x40));
										 *(_t563 + 0x40) = _t398;
										__eflags = _t398;
										_t357 =  *(_t563 + 0x24);
										if(_t398 != 0) {
											L70:
											 *(_t563 - 4) = 4;
											__eflags = _t357;
											if(__eflags != 0) {
												 *((intOrPtr*)( *_t357 + 8))(_t357);
											}
											_t558 =  *(_t563 + 0x40);
											goto L27;
										}
										goto L51;
										L87:
										_t550 =  *(_t563 + 0x2c);
										 *((intOrPtr*)( *(_t556[0x1c]) + 8))(_t550,  *((intOrPtr*)(_t563 - 0x14)),  *((intOrPtr*)(_t563 - 0x2c)));
										 *(_t563 - 4) = 0xd;
										E00408BC5(_t563 - 0x38);
										 *(_t563 - 4) = 4;
										E00408BC5(_t563 - 0x20);
										_t547 = _t550 + 1;
										__eflags = _t547 -  *(_t563 + 0x28);
										 *(_t563 + 0x2c) = _t547;
									} while (_t547 <  *(_t563 + 0x28));
									goto L88;
								} else {
									goto L29;
								}
								while(1) {
									L29:
									_t547 =  *( *((intOrPtr*)( *(_t563 + 0x60) + 0xc)) +  *(_t563 + 0x44) * 4);
									 *(_t563 + 0x58) = 0;
									 *(_t563 + 0x50) = 0;
									_push(0);
									_push(_t563 + 0x50);
									_push(_t563 + 0x58);
									_push( *((intOrPtr*)(_t547 + 4)));
									 *(_t563 - 4) = 6;
									_push( *_t547);
									_t404 = E00409D4D( *(_t563 + 0x44), _t556, __eflags);
									 *(_t563 + 0x40) = _t404;
									__eflags = _t404;
									if(_t404 != 0) {
										break;
									}
									 *(_t563 + 0x38) = 0;
									__eflags =  *((intOrPtr*)(_t547 + 0x14)) - 1;
									 *(_t563 - 4) = 7;
									if( *((intOrPtr*)(_t547 + 0x14)) != 1) {
										L35:
										__eflags =  *(_t563 + 0x50);
										if( *(_t563 + 0x50) == 0) {
											_t357 =  *(_t563 + 0x58);
											 *(_t563 - 4) = 4;
											__eflags = _t357;
											if(__eflags == 0) {
												goto L77;
											}
											goto L79;
										}
										E00406200(_t563 + 0x38,  *(_t563 + 0x50));
										__eflags = _t556[0x1a];
										if(__eflags != 0) {
											E00406D8E(_t556[0x1b], _t563, __eflags,  *(_t563 + 0x50));
										}
										L38:
										_push(_t563 + 0x38);
										E004014BA(0,  &(_t556[0x1e]), _t547, _t556, __eflags);
										_t410 =  *(_t563 + 0x38);
										 *(_t563 - 4) = 6;
										__eflags = _t410;
										if(_t410 != 0) {
											 *((intOrPtr*)( *_t410 + 8))(_t410);
										}
										_t411 =  *(_t563 + 0x50);
										 *(_t563 - 4) = 5;
										__eflags = _t411;
										if(_t411 != 0) {
											 *((intOrPtr*)( *_t411 + 8))(_t411);
										}
										_t412 =  *(_t563 + 0x58);
										 *(_t563 - 4) = 4;
										__eflags = _t412;
										if(_t412 != 0) {
											 *((intOrPtr*)( *_t412 + 8))(_t412);
										}
										 *(_t563 + 0x44) =  *(_t563 + 0x44) + 1;
										__eflags =  *(_t563 + 0x44) -  *(_t563 + 0x28);
										if(__eflags < 0) {
											continue;
										} else {
											goto L45;
										}
									}
									__eflags =  *((intOrPtr*)(_t547 + 0x18)) - 1;
									if( *((intOrPtr*)(_t547 + 0x18)) != 1) {
										goto L35;
									}
									_t521 =  *(_t563 + 0x58);
									__eflags = _t521;
									if(_t521 == 0) {
										_t418 =  *(_t563 + 0x50);
										 *(_t563 - 4) = 5;
										__eflags = _t418;
										if(_t418 != 0) {
											 *((intOrPtr*)( *_t418 + 8))(_t418);
											_t521 =  *(_t563 + 0x58);
										}
										 *(_t563 - 4) = 4;
										__eflags = _t521;
										if(__eflags != 0) {
											 *((intOrPtr*)( *_t521 + 8))(_t521);
										}
										goto L77;
									}
									E00406200(_t563 + 0x38, _t521);
									__eflags = _t556[0x1a];
									if(__eflags != 0) {
										E00406D69(_t556[0x1b], _t563, __eflags,  *(_t563 + 0x58));
									}
									goto L38;
								}
								_t405 =  *(_t563 + 0x50);
								 *(_t563 - 4) = 5;
								__eflags = _t405;
								if(_t405 != 0) {
									 *((intOrPtr*)( *_t405 + 8))(_t405);
								}
								_t357 =  *(_t563 + 0x58);
								goto L70;
							} else {
								_t558 = _t329;
								L27:
								 *(_t563 - 4) = 1;
								E0040136C(0, _t563 - 0xd8, _t547, _t558, __eflags);
								 *(_t563 - 4) = 0;
								E004013EF(_t563 - 0x74);
								 *(_t563 - 4) =  *(_t563 - 4) | 0xffffffff;
								E00401489(0, _t563, _t547, _t558, __eflags);
								_t346 = _t558;
								goto L2;
							}
						}
						_t547 =  &(_t556[1]);
						_t429 = E004012A6(_t457,  &(_t556[1]), _t563 - 0xd8);
						_t556 =  *(_t563 + 0x34);
						asm("sbb al, al");
						__eflags =  ~_t429 + 1;
						if( ~_t429 + 1 == 0) {
							goto L46;
						}
						goto L17;
					} else {
						goto L4;
					}
					do {
						L4:
						_t432 = E00408BD0(0, _t545, __eflags, 0x18);
						__eflags = _t432;
						if(_t432 == 0) {
							_t561 = 0;
							__eflags = 0;
						} else {
							 *((intOrPtr*)(_t432 + 4)) = 0;
							 *_t432 = 0x423334;
							_t561 = _t432;
						}
						E0040222C(_t563 + 0x30, _t561);
						 *((intOrPtr*)(_t561 + 8)) = _t563 - 0x74;
						 *((intOrPtr*)(_t561 + 0x10)) =  *((intOrPtr*)(_t563 + 0x54));
						 *(_t561 + 0x14) =  *(_t563 + 0x58);
						_t553 =  *((intOrPtr*)(_t563 + 0x5c)) +  *(_t563 + 0x50) * 8;
						 *((intOrPtr*)(_t563 + 0x54)) =  *((intOrPtr*)(_t563 + 0x54)) +  *_t553;
						asm("adc [ebp+0x58], eax");
						 *(_t563 - 4) = 2;
						_t440 = E00408BD0(0, _t553, __eflags, 0x28);
						__eflags = _t440;
						if(_t440 == 0) {
							_t562 = 0;
							__eflags = 0;
						} else {
							 *((intOrPtr*)(_t440 + 4)) = 0;
							 *_t440 = 0x4233a8;
							 *((intOrPtr*)(_t440 + 8)) = 0;
							_t562 = _t440;
						}
						E0040222C(_t563 + 0x2c, _t562);
						_t37 = _t562 + 8; // 0x8
						 *(_t563 - 4) = 3;
						E00406200(_t37,  *(_t563 + 0x30));
						_t545 =  *((intOrPtr*)(_t553 + 4));
						 *((intOrPtr*)(_t562 + 0x10)) =  *_t553;
						_push(_t563 + 0x2c);
						 *((intOrPtr*)(_t562 + 0x14)) =  *((intOrPtr*)(_t553 + 4));
						 *((intOrPtr*)(_t562 + 0x18)) = 0;
						 *((intOrPtr*)(_t562 + 0x1c)) = 0;
						 *((char*)(_t562 + 0x20)) = 0;
						E004014BA(0, _t563,  *((intOrPtr*)(_t553 + 4)), _t562, __eflags);
						_t446 =  *(_t563 + 0x2c);
						 *(_t563 - 4) = 2;
						__eflags = _t446;
						if(_t446 != 0) {
							 *((intOrPtr*)( *_t446 + 8))(_t446);
						}
						_t447 =  *(_t563 + 0x30);
						 *(_t563 - 4) = 1;
						__eflags = _t447;
						if(_t447 != 0) {
							 *((intOrPtr*)( *_t447 + 8))(_t447);
						}
						 *(_t563 + 0x50) =  *(_t563 + 0x50) + 1;
						__eflags =  *(_t563 + 0x50) -  *((intOrPtr*)( *(_t563 + 0x60) + 0x30));
					} while (__eflags < 0);
					goto L15;
				} else {
					_t346 = 0x80004001;
					L2:
					 *[fs:0x0] =  *((intOrPtr*)(_t563 - 0xc));
					return _t346;
				}
			}

0x00401adb
0x00401adb
0x00401adf
0x00401ae9
0x00401aee
0x00401af1
0x00401afd
0x00401b1e
0x00401b20
0x00401b23
0x00401b26
0x00401b29
0x00401b30
0x00401b3a
0x00401b3b
0x00401b3e
0x00401b41
0x00401b4c
0x00401b50
0x00401b58
0x00401b5a
0x00401b5d
0x00401c3b
0x00401c41
0x00401c47
0x00401c4a
0x00401c56
0x00401c5a
0x00401c5f
0x00401c62
0x00401c64
0x00401c85
0x00401c88
0x00401c8d
0x00401c92
0x00401c97
0x00401c9a
0x00401ca1
0x00401ca7
0x00401ca9
0x00401cb4
0x00401cb4
0x00401cab
0x00401cad
0x00401cad
0x00401cb9
0x00401cbc
0x00401cc1
0x00401cc4
0x00401cc6
0x00401ccd
0x00401ccd
0x00401cc8
0x00401cc8
0x00401cc8
0x00401ccf
0x00401ccf
0x00401cde
0x00401ce0
0x00401ce2
0x00401d13
0x00401d16
0x00401d19
0x00401dfe
0x00401e08
0x00401e0d
0x00401e10
0x00401e15
0x00401e18
0x00401e1b
0x00401e1e
0x00401e21
0x00401e24
0x004020f6
0x0040210c
0x00402111
0x00402114
0x0040211c
0x0040211c
0x0040211f
0x00402122
0x0040218c
0x0040218f
0x00402192
0x00402195
0x0040219c
0x004021a9
0x004021ad
0x004021b2
0x004021b4
0x004021b7
0x004021cf
0x004021d5
0x004021e2
0x004021f2
0x004021f4
0x004021f8
0x00000000
0x00000000
0x00000000
0x00000000
0x004021b9
0x004021b9
0x004021c4
0x004021c9
0x004021ca
0x004021ca
0x00000000
0x00402124
0x00402124
0x00000000
0x00402124
0x00402122
0x00401e2a
0x00401e2d
0x00401e3c
0x00401e45
0x00401e48
0x00401e4b
0x00401e59
0x00401e5d
0x00401e5f
0x00401e62
0x00401e64
0x00401e96
0x00401e96
0x00401e9a
0x00401e9c
0x00401ea1
0x00401ea1
0x00401ea4
0x00401ea7
0x00401eb5
0x00401eb9
0x00401ebb
0x00401ebe
0x00401ec0
0x00401f7f
0x00401f7f
0x00401f83
0x00401f85
0x00401f8a
0x00401f8a
0x00401f8d
0x00401f93
0x00401f98
0x00401f99
0x00401fa1
0x00401fa4
0x00401fa7
0x00401faa
0x00401fad
0x00401fb0
0x00401fb3
0x00401fb6
0x00401fb9
0x00401fbc
0x00401fbf
0x00401fc6
0x00401fca
0x00401fd3
0x00401fd8
0x00401fda
0x0040206b
0x00000000
0x00401fe0
0x00401fe0
0x00401fe3
0x00401fe6
0x00401ff3
0x00401ff8
0x00401ffb
0x00401ffb
0x00401ffb
0x00401ffb
0x0040206e
0x0040206e
0x00402071
0x00402074
0x00000000
0x00000000
0x00000000
0x00000000
0x00402076
0x00402076
0x0040207b
0x00402080
0x00402082
0x00402095
0x0040209a
0x0040209c
0x00402175
0x00402179
0x00402181
0x00402185
0x00000000
0x00402185
0x004020a2
0x00000000
0x004020a2
0x00402087
0x0040208b
0x004020a5
0x004020ac
0x004020b1
0x004020b7
0x004020ba
0x004020ba
0x00000000
0x00402076
0x00401ec6
0x00401ec6
0x00401ec9
0x00401ecb
0x00402137
0x0040213b
0x0040213e
0x0040213e
0x00000000
0x0040213e
0x00401ed1
0x00401edb
0x00401ee2
0x00401ee4
0x00401ee6
0x00402148
0x0040214b
0x00402151
0x00402154
0x00402158
0x0040215a
0x0040215f
0x0040215f
0x00402162
0x00000000
0x00402162
0x00401eec
0x00401ef3
0x00401ef6
0x00401f02
0x00401f06
0x00401f09
0x00401f0e
0x00401f18
0x00401f1c
0x00401f1f
0x00401f24
0x00401f26
0x00401f41
0x00401f44
0x00401f4d
0x00401f50
0x00401f53
0x00401f55
0x00401f5a
0x00401f5d
0x00401f5f
0x00402169
0x00000000
0x0040216f
0x00401f65
0x00401f6c
0x00401f76
0x00401f7c
0x00000000
0x00401f7c
0x00401f28
0x00401f2e
0x00401f2e
0x00401f30
0x00401f30
0x00401f34
0x00401f39
0x00401f3d
0x00401f3e
0x00401f3e
0x00401f3e
0x00000000
0x00401f30
0x00401ec0
0x00401e69
0x00401e6c
0x00401e6f
0x00401e72
0x0040212b
0x00402063
0x00402066
0x0040204e
0x0040204e
0x00000000
0x0040204e
0x00401e85
0x00401e88
0x00401e8b
0x00401e8d
0x00401e90
0x00402016
0x00402016
0x0040201a
0x0040201c
0x00402021
0x00402021
0x00402024
0x00000000
0x00402024
0x00000000
0x004020bf
0x004020c8
0x004020ce
0x004020d4
0x004020d8
0x004020e0
0x004020e4
0x004020e9
0x004020ea
0x004020ed
0x004020ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d1f
0x00401d1f
0x00401d28
0x00401d2b
0x00401d2e
0x00401d31
0x00401d35
0x00401d39
0x00401d3a
0x00401d3d
0x00401d41
0x00401d43
0x00401d48
0x00401d4b
0x00401d4d
0x00000000
0x00000000
0x00401d53
0x00401d56
0x00401d5a
0x00401d5e
0x00401d8c
0x00401d8c
0x00401d8f
0x00402058
0x0040205b
0x0040205f
0x00402061
0x00000000
0x00000000
0x00000000
0x00402061
0x00401d9b
0x00401da0
0x00401da3
0x00401dab
0x00401dab
0x00401db0
0x00401db3
0x00401db7
0x00401dbc
0x00401dbf
0x00401dc3
0x00401dc5
0x00401dca
0x00401dca
0x00401dcd
0x00401dd0
0x00401dd4
0x00401dd6
0x00401ddb
0x00401ddb
0x00401dde
0x00401de1
0x00401de5
0x00401de7
0x00401dec
0x00401dec
0x00401def
0x00401df5
0x00401df8
0x00000000
0x00000000
0x00000000
0x00000000
0x00401df8
0x00401d60
0x00401d64
0x00000000
0x00000000
0x00401d66
0x00401d69
0x00401d6b
0x0040202c
0x0040202f
0x00402033
0x00402035
0x0040203a
0x0040203d
0x0040203d
0x00402040
0x00402044
0x00402046
0x0040204b
0x0040204b
0x00000000
0x00402046
0x00401d75
0x00401d7a
0x00401d7d
0x00401d85
0x00401d85
0x00000000
0x00401d7d
0x00402002
0x00402005
0x00402009
0x0040200b
0x00402010
0x00402010
0x00402013
0x00000000
0x00401ce4
0x00401ce4
0x00401ce6
0x00401cec
0x00401cf0
0x00401cf8
0x00401cfb
0x00401d00
0x00401d07
0x00401d0c
0x00000000
0x00401d0c
0x00401ce2
0x00401c68
0x00401c71
0x00401c76
0x00401c7b
0x00401c7d
0x00401c7f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b63
0x00401b63
0x00401b65
0x00401b6b
0x00401b6d
0x00401b7c
0x00401b7c
0x00401b6f
0x00401b6f
0x00401b72
0x00401b78
0x00401b78
0x00401b82
0x00401b8d
0x00401b93
0x00401b99
0x00401b9f
0x00401ba4
0x00401bac
0x00401baf
0x00401bb3
0x00401bb9
0x00401bbb
0x00401bcd
0x00401bcd
0x00401bbd
0x00401bbd
0x00401bc0
0x00401bc6
0x00401bc9
0x00401bc9
0x00401bd3
0x00401bdb
0x00401bde
0x00401be2
0x00401be9
0x00401bec
0x00401bf2
0x00401bf6
0x00401bf9
0x00401bfc
0x00401bff
0x00401c02
0x00401c07
0x00401c0a
0x00401c0e
0x00401c10
0x00401c15
0x00401c15
0x00401c18
0x00401c1b
0x00401c1f
0x00401c21
0x00401c26
0x00401c26
0x00401c29
0x00401c32
0x00401c32
0x00000000
0x00401aff
0x00401aff
0x00401b04
0x00401b07
0x00401b16
0x00401b16

APIs

__EH_prolog3.LIBCMT ref: 00401AE9

Part of subcall function 004041D7: __EH_prolog3.LIBCMT ref: 004041E1

Strings

d3B, xrefs: 00401F65

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3
String ID: d3B
API String ID: 431132790-3693543266
Opcode ID: cf0dc4ab19d31885ec8ce5b3ad83b83ab53703709598f757112d3c50809b9198
Instruction ID: fe56a826ab4fa0c4caee881864b3562cd941cd1960334c3267d892546610e000
Opcode Fuzzy Hash: cf0dc4ab19d31885ec8ce5b3ad83b83ab53703709598f757112d3c50809b9198
Instruction Fuzzy Hash: 23424871900289DFCB14DFA4C984A9DBBB1BF08304F24446EF94AA73A1CB79EE45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00417ABB, Relevance: 9.1, APIs: 6, Instructions: 71
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00417ABB(void* __edx, void* __esi, struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
				DWORD* _v8;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t20;
				DWORD* _t25;
				intOrPtr* _t27;
				char _t41;
				void* _t44;

				_t41 = _a12;
				_v8 = 0;
				_t48 = _t41;
				if(_t41 != 0) {
					_push(__esi);
					E0041871A();
					_t44 = E0041AE0D(1, 0x214);
					__eflags = _t44;
					if(__eflags == 0) {
						L7:
						_push(_t44);
						E004174DE(0, _t41, _t44, __eflags);
						__eflags = _v8;
						if(_v8 != 0) {
							E0041AD6E(_v8);
						}
						_t20 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E00418908(0, __edx, _t41, __eflags) + 0x6c)));
						_push(_t44);
						E004187A8(0, _t41, _t44, __eflags);
						 *(_t44 + 4) =  *(_t44 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t44 + 0x58)) = _a16;
						_t25 = _a24;
						 *((intOrPtr*)(_t44 + 0x54)) = _t41;
						__eflags = _t25;
						if(_t25 == 0) {
							_t25 =  &_a12;
						}
						_t20 = CreateThread(_a4, _a8, E00417A38, _t44, _a20, _t25); // executed
						__eflags = _t20;
						if(__eflags == 0) {
							_v8 = GetLastError();
							goto L7;
						}
					}
				} else {
					_t27 = E0041AD48(_t48);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t27 = 0x16;
					E0041B335(__edx, _t41, __esi);
					_t20 = 0;
				}
				return _t20;
			}

0x00417ac3
0x00417ac8
0x00417acb
0x00417acd
0x00417aeb
0x00417aec
0x00417afd
0x00417b01
0x00417b03
0x00417b4f
0x00417b4f
0x00417b50
0x00417b56
0x00417b59
0x00417b5e
0x00417b63
0x00417b64
0x00417b64
0x00417b05
0x00417b0a
0x00417b0d
0x00417b0e
0x00417b16
0x00417b1a
0x00417b1d
0x00417b22
0x00417b25
0x00417b27
0x00417b29
0x00417b29
0x00417b3c
0x00417b42
0x00417b44
0x00417b4c
0x00000000
0x00417b4c
0x00417b44
0x00417acf
0x00417acf
0x00417ad4
0x00417ad5
0x00417ad6
0x00417ad7
0x00417ad8
0x00417ad9
0x00417adf
0x00417ae7
0x00417ae7
0x00417b6a

APIs

___set_flsgetvalue.LIBCMT ref: 00417AEC
__calloc_crt.LIBCMT ref: 00417AF8
__getptd.LIBCMT ref: 00417B05
CreateThread.KERNELBASE(?,?,00417A38,00000000,?,?), ref: 00417B3C
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00417B46
__dosmaperr.LIBCMT ref: 00417B5E

Part of subcall function 0041AD48: __getptd_noexit.LIBCMT ref: 0041AD48

Part of subcall function 0041B335: __decode_pointer.LIBCMT ref: 0041B340

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
String ID:
API String ID: 1803633139-0
Opcode ID: bd57337042e369ada8254afdd92a6befe6d8931571a8e1857cc31b4486f3c813
Instruction ID: 20030da27661398e7b4bd22b816fad984296ffe35ec401903591d51bcc064354
Opcode Fuzzy Hash: bd57337042e369ada8254afdd92a6befe6d8931571a8e1857cc31b4486f3c813
Instruction Fuzzy Hash: F111C872909204AFCB10BFA5DC828DF77B5EF04368B20402FF51597191DB79AA918B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004109DE, Relevance: 7.6, APIs: 5, Instructions: 53
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E004109DE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t21;
				int _t24;
				void* _t28;
				signed int _t33;
				void* _t39;
				void* _t40;

				_push(0x10);
				E00416B21(E00421C6C, __ebx, __edi, __esi);
				_t39 = CreateFileW;
				_t21 = CreateFileW( *(_t40 + 8), 0x40000000, 3, 0, 3, 0x2000000, 0); // executed
				 *(_t40 - 0x10) = _t21;
				_t42 = _t21 - 0xffffffff;
				if(_t21 == 0xffffffff) {
					E0040320A(_t40 - 0x1c);
					 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
					_t28 = E00409876(_t42,  *(_t40 + 8), _t40 - 0x1c);
					_t43 = _t28;
					if(_t28 != 0) {
						 *(_t40 - 0x10) = CreateFileW( *(_t40 - 0x1c), 0x40000000, 3, 0, 3, 0x2000000, 0);
					}
					_push( *(_t40 - 0x1c));
					L00408BFB(0x2000000, 0x40000000, _t39, _t43);
				}
				_t33 = 0;
				if( *(_t40 - 0x10) != 0xffffffff) {
					_t24 = SetFileTime( *(_t40 - 0x10),  *(_t40 + 0xc),  *(_t40 + 0x10),  *(_t40 + 0x14)); // executed
					_t33 = 0 | _t24 != 0x00000000;
					FindCloseChangeNotification( *(_t40 - 0x10)); // executed
				}
				return E00416BF9(_t33);
			}

0x004109de
0x004109e5
0x004109ea
0x00410a07
0x00410a09
0x00410a0c
0x00410a0f
0x00410a14
0x00410a19
0x00410a24
0x00410a29
0x00410a2b
0x00410a3c
0x00410a3c
0x00410a3f
0x00410a42
0x00410a47
0x00410a48
0x00410a4e
0x00410a5c
0x00410a67
0x00410a6a
0x00410a6a
0x00410a77

APIs

__EH_prolog3.LIBCMT ref: 004109E5
CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000,00000010), ref: 00410A07
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 00410A3A
SetFileTime.KERNELBASE(000000FF,?,000000FF,?), ref: 00410A5C
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00410A6A

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: File$Create$ChangeCloseFindH_prolog3NotificationTime
String ID:
API String ID: 617186795-0
Opcode ID: aca905d3188d7e82673b4bbc9b66b8ba9073e603646075513084e48b6d38d097
Instruction ID: 3613f7cd525b14c886710ac5f4de7458b184cc3a0c0b6e5d5c1753a367fab2e1
Opcode Fuzzy Hash: aca905d3188d7e82673b4bbc9b66b8ba9073e603646075513084e48b6d38d097
Instruction Fuzzy Hash: E8118231940219BBDF119F60DC01FEE7B79AF04714F10852AB6206A1E1C7B99A51DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004174DE, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 30%

			E004174DE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x42a450);
				_t8 = E00417B6C(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E00417BB1(_t8);
				}
				if( *0x4342d8 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x430e7c); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E0041AD48(_t31);
						 *_t10 = E0041AD06(GetLastError());
					}
					goto L9;
				}
				E00419EA7(__ebx, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E00419EDA(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E00419F0A();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E00417534();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x004174de
0x004174e0
0x004174e5
0x004174ea
0x004174ef
0x00417566
0x0041756b
0x0041756b
0x004174f8
0x0041753d
0x0041753e
0x0041753e
0x00417546
0x0041754c
0x0041754e
0x00417550
0x00417563
0x00417565
0x00000000
0x0041754e
0x004174fc
0x00417502
0x00417507
0x0041750d
0x00417512
0x00417514
0x00417515
0x00417516
0x0041751c
0x0041751d
0x00417524
0x0041752d
0x00000000
0x0041752f
0x0041752f
0x00000000
0x0041752f

APIs

__lock.LIBCMT ref: 004174FC

Part of subcall function 00419EA7: __mtinitlocknum.LIBCMT ref: 00419EBD
Part of subcall function 00419EA7: __amsg_exit.LIBCMT ref: 00419EC9
Part of subcall function 00419EA7: EnterCriticalSection.KERNEL32(?,?,?,004189B3,0000000D,0042A540,00000008,00417A97,?,00000000), ref: 00419ED1

___sbh_find_block.LIBCMT ref: 00417507
___sbh_free_block.LIBCMT ref: 00417516
RtlFreeHeap.NTDLL(00000000,?,0042A450,0000000C,004188F9,00000000,?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C), ref: 00417546
GetLastError.KERNEL32(?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C,00419EC2,?,?,?,004189B3,0000000D), ref: 00417557

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: b015da1727d326e449cd797088a92338f16aa03c9485e9cd3d673cd42b4f956c
Instruction ID: 64add48afb761cb90f48c248a03a0627652d4b19cf23b5e5f4340693ef6873dd
Opcode Fuzzy Hash: b015da1727d326e449cd797088a92338f16aa03c9485e9cd3d673cd42b4f956c
Instruction Fuzzy Hash: BA018F31909305BADB20AF71AD0ABDE3A759F017A9F60015FF414A66D1CB3C9AC08A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00410B45, Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00410B45(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t14;
				long _t15;
				signed int _t16;
				int _t22;
				signed int _t23;
				int _t31;
				void* _t32;

				_push(0xc);
				E00416B21(E00421D84, __ebx, __edi, __esi);
				_t14 = CreateDirectoryW( *(_t32 + 8), 0); // executed
				if(_t14 == 0) {
					_t15 = GetLastError();
					__eflags = _t15 - 0xb7;
					if(_t15 == 0xb7) {
						L6:
						_t16 = 0;
						__eflags = 0;
					} else {
						E0040320A(_t32 - 0x18);
						 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
						__eflags = E00409876(__eflags,  *(_t32 + 8), _t32 - 0x18);
						if(__eflags == 0) {
							_push( *(_t32 - 0x18));
							L00408BFB(__ebx, __edi, CreateDirectoryW, __eflags);
							goto L6;
						} else {
							_t22 = CreateDirectoryW( *(_t32 - 0x18), 0);
							_push( *(_t32 - 0x18));
							_t31 = _t22;
							_t23 = L00408BFB(__ebx, __edi, _t31, __eflags);
							__eflags = _t31;
							_t16 = _t23 & 0xffffff00 | _t31 != 0x00000000;
						}
					}
				} else {
					_t16 = 1;
				}
				return E00416BF9(_t16);
			}

0x00410b45
0x00410b4c
0x00410b5c
0x00410b60
0x00410b66
0x00410b6c
0x00410b71
0x00410bb1
0x00410bb1
0x00410bb1
0x00410b73
0x00410b76
0x00410b7b
0x00410b8b
0x00410b8d
0x00410ba8
0x00410bab
0x00000000
0x00410b8f
0x00410b94
0x00410b96
0x00410b99
0x00410b9b
0x00410ba0
0x00410ba3
0x00410ba3
0x00410b8d
0x00410b62
0x00410b62
0x00410b62
0x00410bb8

APIs

__EH_prolog3.LIBCMT ref: 00410B4C
CreateDirectoryW.KERNELBASE(?,00000000,0000000C), ref: 00410B5C
GetLastError.KERNEL32 ref: 00410B66
CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00410B94

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CreateDirectory$ErrorH_prolog3Last
String ID:
API String ID: 2304068239-0
Opcode ID: 64b0f996e3112176e2dc3b27793bf3f0313bc59138573e1fd50ac37b15b07677
Instruction ID: 172f9d72519d5a2fa44a3033f577515c06ab2bcbe3982b179992f9fb810241dd
Opcode Fuzzy Hash: 64b0f996e3112176e2dc3b27793bf3f0313bc59138573e1fd50ac37b15b07677
Instruction Fuzzy Hash: 60F08131904215ABDF10AB91CD02BEE7F319F10715F51406AAA00661E2CB78EAD2969D

Uniqueness

Uniqueness Score: -1.00%

Function 004179BA, Relevance: 6.0, APIs: 4, Instructions: 19
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004179BA(long _a4) {
				void* _t6;
				void* _t9;
				void* _t10;

				_t11 =  *0x4342fc;
				if( *0x4342fc != 0 && E0041AFE0(_t11, 0x4342fc) != 0) {
					 *0x4342fc();
				}
				if(E0041888F(_t6) != 0) {
					E00418A51(_t6, _t9, _t10, _t2); // executed
				}
				ExitThread(_a4);
			}

0x004179bf
0x004179c6
0x004179d7
0x004179d7
0x004179e4
0x004179e7
0x004179ec
0x004179f0

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 004179CD

Part of subcall function 0041AFE0: __FindPESection.LIBCMT ref: 0041B03B

__getptd_noexit.LIBCMT ref: 004179DD
__freeptd.LIBCMT ref: 004179E7
ExitThread.KERNEL32 ref: 004179F0

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 3182216644-0
Opcode ID: 248dff81f2ed47bffa5431741d82cf7db17d51ce89a6d991ca8d81712fb1923e
Instruction ID: 74958c9a6b692f66c632ff5e924dfbe5784b6134d24ea96b71ae755472240e2c
Opcode Fuzzy Hash: 248dff81f2ed47bffa5431741d82cf7db17d51ce89a6d991ca8d81712fb1923e
Instruction Fuzzy Hash: D2D0C27010420557E7103BA7DC0EBE736686F403D0F94402BB404900A0DE2CECD1C92D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD49, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E0040BD49(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t136;
				intOrPtr* _t142;
				signed int _t145;
				signed int _t146;
				signed int _t150;
				signed int _t154;
				signed int _t162;
				void* _t166;
				void* _t177;
				char* _t182;
				signed int _t192;
				signed int _t197;
				intOrPtr _t199;
				void* _t204;
				void* _t208;
				intOrPtr _t228;
				void* _t240;
				void* _t245;
				signed int _t249;
				signed int _t252;
				void* _t253;

				_t245 = __edx;
				_push(0x5c);
				E00416B21(E00421A44, __ebx, __edi, __esi);
				_t208 = __ecx;
				E00402B01(__ecx);
				_t247 = 0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				 *((short*)( *((intOrPtr*)(__ecx + 0x30)))) = 0;
				E0040908D(0, __esi, _t253 - 0x20, __ecx + 4);
				 *((intOrPtr*)(_t253 - 4)) = 0;
				E0040320A(_t253 - 0x2c);
				 *((char*)(_t253 - 4)) = 1;
				if(E004099B4(_t253 - 0x20, 0x2e) >= 0) {
					_t204 = E00408826(_t253 - 0x20, _t253 - 0x44, _t135 + 1);
					 *((char*)(_t253 - 4)) = 2;
					E00408639(_t253 - 0x2c, _t253, _t204);
					_push( *((intOrPtr*)(_t253 - 0x44)));
					L00408BFB(_t208, 0, __esi, _t135 + 1);
				}
				 *(_t253 - 0x64) = _t247;
				 *(_t253 - 0x60) = _t247;
				 *(_t253 - 0x5c) = _t247;
				 *((intOrPtr*)(_t253 - 0x58)) = 4;
				 *((intOrPtr*)(_t253 - 0x68)) = 0x42350c;
				 *((char*)(_t253 - 4)) = 3;
				if( *(_t253 + 0xc) < _t247) {
					_t136 =  *((intOrPtr*)(_t253 + 8));
					_t249 = 0;
					__eflags =  *((intOrPtr*)(_t136 + 0x10)) - _t247;
					 *(_t253 + 0xc) = _t247;
					if( *((intOrPtr*)(_t136 + 0x10)) <= _t247) {
						L9:
						__eflags =  *((intOrPtr*)(_t253 + 0x10)) - _t247;
						if( *((intOrPtr*)(_t253 + 0x10)) != _t247) {
							goto L14;
						}
						__eflags =  *(_t253 + 0xc) - 1;
						if( *(_t253 + 0xc) == 1) {
							E00408A4D(_t253 - 0x68, 1);
							goto L14;
						}
						goto L11;
					} else {
						goto L5;
					}
					do {
						L5:
						_t197 = E0040B987( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t253 + 8)) + 0x14)) + _t249 * 4)), _t253 - 0x2c);
						_push(_t249);
						_t240 = _t253 - 0x68;
						__eflags = _t197;
						if(_t197 < 0) {
							E0040105E(_t240);
						} else {
							E0040B786(_t240,  *(_t253 + 0xc));
							 *(_t253 + 0xc) =  *(_t253 + 0xc) + 1;
						}
						_t199 =  *((intOrPtr*)(_t253 + 8));
						_t249 = _t249 + 1;
						__eflags = _t249 -  *((intOrPtr*)(_t199 + 0x10));
					} while (_t249 <  *((intOrPtr*)(_t199 + 0x10)));
					goto L9;
				} else {
					E0040105E(_t253 - 0x68,  *(_t253 + 0xc));
					L14:
					 *(_t253 + 0xc) = _t247;
					if( *(_t253 - 0x60) <= _t247) {
						L28:
						_t251 = 1;
						L12:
						 *((char*)(_t253 - 4)) = 1;
						E00408BC5(_t253 - 0x68);
						_push( *((intOrPtr*)(_t253 - 0x2c)));
						L00408BFB(_t208, _t247, _t251, _t265);
						_push( *((intOrPtr*)(_t253 - 0x20)));
						L00408BFB(_t208, _t247, _t251, _t265);
						return E00416BF9(_t251);
					} else {
						goto L15;
					}
					do {
						L15:
						_t142 =  *((intOrPtr*)(_t253 + 0x10));
						if(_t142 == _t247) {
							L17:
							 *(_t253 - 0x14) = _t247;
							 *((char*)(_t253 - 4)) = 4;
							 *(_t208 + 0x1c) =  *( *(_t253 - 0x5c) +  *(_t253 + 0xc) * 4);
							_t145 = E0040B9BB( *((intOrPtr*)(_t253 + 8)),  *( *(_t253 - 0x5c) +  *(_t253 + 0xc) * 4), _t253 - 0x14);
							_t251 = _t145;
							if(_t145 != _t247) {
								_t146 =  *(_t253 - 0x14);
								 *((char*)(_t253 - 4)) = 3;
								__eflags = _t146 - _t247;
								if(_t146 != _t247) {
									 *((intOrPtr*)( *_t146 + 8))(_t146);
								}
								goto L12;
							}
							_t252 =  *(_t253 - 0x14);
							if(_t252 != _t247) {
								__eflags =  *((intOrPtr*)(_t253 + 0x10)) - _t247;
								if( *((intOrPtr*)(_t253 + 0x10)) == _t247) {
									 *(_t253 - 0x10) = _t247;
									 *((char*)(_t253 - 4)) = 5;
									 *((intOrPtr*)( *_t252))(_t252, 0x424134, _t253 - 0x10);
									_t150 =  *(_t253 - 0x10);
									__eflags = _t150 - _t247;
									if(_t150 == _t247) {
										 *((char*)(_t253 - 4)) = 3;
										 *((intOrPtr*)( *_t252 + 8))(_t252);
										L11:
										_t251 = 0x80004001;
										goto L12;
									}
									_t247 =  *((intOrPtr*)( *_t150 + 0xc))(_t150,  *((intOrPtr*)(_t253 + 0x14)));
									_t154 =  *(_t253 - 0x10);
									 *((char*)(_t253 - 4)) = 4;
									__eflags = _t154;
									if(_t154 != 0) {
										 *((intOrPtr*)( *_t154 + 8))(_t154);
									}
									L25:
									__eflags = _t247 - 1;
									if(_t247 != 1) {
										__eflags = _t247;
										if(_t247 == 0) {
											 *((short*)(_t253 - 0x54)) = 0;
											 *((short*)(_t253 - 0x52)) = 0;
											 *((char*)(_t253 - 4)) = 6;
											 *((intOrPtr*)( *_t252 + 0x20))(_t252, 0x37, _t253 - 0x54);
											__eflags =  *((short*)(_t253 - 0x54));
											if( *((short*)(_t253 - 0x54)) != 0) {
												__eflags =  *((short*)(_t253 - 0x54)) - 8;
												_t182 =  *(_t253 - 0x4c);
												if( *((short*)(_t253 - 0x54)) != 8) {
													_t182 = L"Unknown error";
												}
												E004090CA(_t208 + 0x30, _t253, _t182);
											}
											 *((char*)(_t253 - 4)) = 4;
											E00409A4A(_t253 - 0x54);
											E00406200(_t208, _t252);
											_t247 =  *( *((intOrPtr*)( *((intOrPtr*)(_t253 + 8)) + 0x14)) +  *(_t208 + 0x1c) * 4);
											__eflags =  *(_t247 + 0x20);
											if( *(_t247 + 0x20) != 0) {
												_t162 = E0040B987(_t247, _t253 - 0x2c);
												__eflags = _t162;
												if(__eflags < 0) {
													_t162 = 0;
													__eflags = 0;
												}
												_t228 =  *((intOrPtr*)(_t247 + 0x24));
												_t119 =  *((intOrPtr*)(_t228 + _t162 * 4)) + 0xc; // 0xc
												_push( *((intOrPtr*)(_t228 + _t162 * 4)));
												_push(_t253 - 0x20);
												_push(_t253 - 0x50);
												_t166 = E0040B72F(_t245, _t252, __eflags);
												 *((char*)(_t253 - 4)) = 0xa;
												E00408639(_t208 + 0x10, _t253, _t166);
												_push( *((intOrPtr*)(_t253 - 0x50)));
												L00408BFB(_t208, _t247, _t252, __eflags);
											} else {
												_t247 = 0x423a68;
												E00401647(_t253 - 0x44, _t253, 0x423a68);
												 *((char*)(_t253 - 4)) = 7;
												E00401647(_t253 - 0x38, _t253, 0x423a68);
												_push(_t253 - 0x44);
												_push(_t253 - 0x38);
												_push(_t253 - 0x20);
												_push(_t253 - 0x50);
												 *((char*)(_t253 - 4)) = 8;
												_t177 = E0040B72F(_t245, _t252, __eflags);
												 *((char*)(_t253 - 4)) = 9;
												E00408639(_t208 + 0x10, _t253, _t177);
												_push( *((intOrPtr*)(_t253 - 0x50)));
												L00408BFB(_t208, 0x423a68, _t252, __eflags);
												_push( *((intOrPtr*)(_t253 - 0x38)));
												L00408BFB(_t208, 0x423a68, _t252, __eflags);
												_push( *((intOrPtr*)(_t253 - 0x44)));
												L00408BFB(_t208, 0x423a68, _t252, __eflags);
											}
											 *((char*)(_t253 - 4)) = 3;
											 *((intOrPtr*)( *_t252 + 8))(_t252);
											_t251 = 0;
										} else {
											 *((char*)(_t253 - 4)) = 3;
											 *((intOrPtr*)( *_t252 + 8))(_t252);
											_t251 = _t247;
										}
										goto L12;
									}
									 *((char*)(_t253 - 4)) = 3;
									 *((intOrPtr*)( *_t252 + 8))(_t252);
									_t247 = 0;
									__eflags = 0;
									goto L27;
								}
								_t247 =  *((intOrPtr*)( *_t252 + 0xc))(_t252,  *((intOrPtr*)(_t253 + 0x10)), 0x4239b0,  *((intOrPtr*)(_t253 + 0x18)));
								goto L25;
							}
							 *((char*)(_t253 - 4)) = 3;
							goto L27;
						}
						_t192 =  *((intOrPtr*)( *_t142 + 0x10))(_t142, _t247, _t247, _t247, _t247);
						if(_t192 != _t247) {
							_t251 = _t192;
							goto L12;
						}
						goto L17;
						L27:
						 *(_t253 + 0xc) =  *(_t253 + 0xc) + 1;
						_t265 =  *(_t253 + 0xc) -  *(_t253 - 0x60);
					} while ( *(_t253 + 0xc) <  *(_t253 - 0x60));
					goto L28;
				}
			}

0x0040bd49
0x0040bd49
0x0040bd50
0x0040bd55
0x0040bd57
0x0040bd5f
0x0040bd63
0x0040bd66
0x0040bd71
0x0040bd79
0x0040bd7c
0x0040bd86
0x0040bd91
0x0040bd9c
0x0040bda5
0x0040bda9
0x0040bdae
0x0040bdb1
0x0040bdb6
0x0040bdb7
0x0040bdba
0x0040bdbd
0x0040bdc0
0x0040bdc7
0x0040bdd1
0x0040bdd5
0x0040bde7
0x0040bdea
0x0040bdec
0x0040bdef
0x0040bdf2
0x0040be29
0x0040be29
0x0040be2c
0x00000000
0x00000000
0x0040be2e
0x0040be32
0x0040be66
0x00000000
0x0040be66
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bdf4
0x0040bdf4
0x0040be01
0x0040be06
0x0040be07
0x0040be0a
0x0040be0c
0x0040be1b
0x0040be0e
0x0040be11
0x0040be16
0x0040be16
0x0040be20
0x0040be23
0x0040be24
0x0040be24
0x00000000
0x0040bdd7
0x0040bddd
0x0040be6b
0x0040be6e
0x0040be71
0x0040bf39
0x0040bf3b
0x0040be39
0x0040be3c
0x0040be40
0x0040be45
0x0040be48
0x0040be4d
0x0040be50
0x0040be5e
0x00000000
0x00000000
0x00000000
0x0040be77
0x0040be77
0x0040be77
0x0040be7c
0x0040be90
0x0040be90
0x0040bea4
0x0040bea8
0x0040beab
0x0040beb0
0x0040beb4
0x0040bf48
0x0040bf4b
0x0040bf4f
0x0040bf51
0x0040bf5a
0x0040bf5a
0x00000000
0x0040bf51
0x0040beba
0x0040bebf
0x0040bec7
0x0040beca
0x0040bee1
0x0040bef0
0x0040bef4
0x0040bef6
0x0040bef9
0x0040befb
0x0040bf65
0x0040bf69
0x0040be34
0x0040be34
0x00000000
0x0040be34
0x0040bf06
0x0040bf08
0x0040bf0b
0x0040bf0f
0x0040bf11
0x0040bf16
0x0040bf16
0x0040bf19
0x0040bf19
0x0040bf1c
0x0040bf71
0x0040bf73
0x0040bf88
0x0040bf8c
0x0040bf99
0x0040bf9d
0x0040bfa0
0x0040bfa5
0x0040bfa7
0x0040bfac
0x0040bfaf
0x0040bfb1
0x0040bfb1
0x0040bfba
0x0040bfba
0x0040bfc2
0x0040bfc6
0x0040bfce
0x0040bfdc
0x0040bfdf
0x0040bfe3
0x0040c049
0x0040c04e
0x0040c050
0x0040c052
0x0040c052
0x0040c052
0x0040c054
0x0040c05a
0x0040c05e
0x0040c062
0x0040c066
0x0040c067
0x0040c070
0x0040c074
0x0040c079
0x0040c07c
0x0040bfe5
0x0040bfe5
0x0040bfee
0x0040bff7
0x0040bffb
0x0040c003
0x0040c007
0x0040c00b
0x0040c00f
0x0040c010
0x0040c014
0x0040c01d
0x0040c021
0x0040c026
0x0040c029
0x0040c02e
0x0040c031
0x0040c036
0x0040c039
0x0040c03e
0x0040c085
0x0040c089
0x0040c08c
0x0040bf75
0x0040bf78
0x0040bf7c
0x0040bf7f
0x0040bf7f
0x00000000
0x0040bf73
0x0040bf21
0x0040bf25
0x0040bf28
0x0040bf28
0x00000000
0x0040bf28
0x0040bedd
0x00000000
0x0040bedd
0x0040bec1
0x00000000
0x0040bec1
0x0040be85
0x0040be8a
0x0040bf41
0x00000000
0x0040bf41
0x00000000
0x0040bf2a
0x0040bf2a
0x0040bf30
0x0040bf30
0x00000000
0x0040be77

APIs

__EH_prolog3.LIBCMT ref: 0040BD50

Strings

h:B, xrefs: 0040BFE5
Unknown error, xrefs: 0040BFB1

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3
String ID: Unknown error$h:B
API String ID: 431132790-2896083918
Opcode ID: a51c651adc872019483f4ba974c706b8e48417f6d46dd7c364c84008cb000837
Instruction ID: 229dc10dfcce490ce841081ad363faeb39fea5f37d816de3d49a9016c6dfb729
Opcode Fuzzy Hash: a51c651adc872019483f4ba974c706b8e48417f6d46dd7c364c84008cb000837
Instruction Fuzzy Hash: 30B16070900248DFCB01DF95C9849DEBBB8EF59304F14446FF845BB292DB789A45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404515, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404515(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t52;
				intOrPtr _t56;
				intOrPtr _t61;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t73;
				intOrPtr _t78;
				intOrPtr _t79;
				intOrPtr _t83;
				intOrPtr _t84;
				intOrPtr _t89;
				void* _t91;
				intOrPtr* _t92;
				intOrPtr* _t93;
				void* _t96;
				intOrPtr _t99;
				void* _t102;
				intOrPtr _t103;
				void* _t106;
				void* _t107;
				void* _t109;

				_t109 = __eflags;
				_push(0x24);
				E00416B21(E004210A6, __ebx, __edi, __esi);
				_t102 = __ecx;
				_t98 = __ecx + 0x28;
				_t52 = E0040B06F(_t109,  *((intOrPtr*)(_t106 + 8)), __ecx + 0x28, 0x20); // executed
				if(_t52 == 0) {
					if(E00403DB0(_t98) == 0) {
						 *((intOrPtr*)(_t106 - 0x30)) = 0x423364;
						 *((intOrPtr*)(_t106 - 0x2c)) = 0;
						 *((intOrPtr*)(_t106 - 0x28)) = 0;
						_t6 = _t106 - 0x30; // 0x423364
						 *((intOrPtr*)(_t106 - 4)) = 0;
						E0040140A(_t6, _t106, 0x10000);
						_t56 = 0x20;
						_t99 =  *((intOrPtr*)(_t106 - 0x28));
						 *((intOrPtr*)(_t106 - 0x10)) = _t56;
						E00416FC0(0, _t99, _t102, _t99, _t98, _t56);
						_t83 =  *((intOrPtr*)(_t102 + 0x20));
						 *((intOrPtr*)(_t106 - 0x20)) =  *((intOrPtr*)(_t102 + 0x24));
						while(1) {
							L4:
							_t93 =  *((intOrPtr*)(_t106 + 0xc));
							_t107 = _t107 + 0xc;
							__eflags = _t93;
							if(_t93 == 0) {
								goto L8;
							}
							_t91 = _t83 -  *((intOrPtr*)(_t102 + 0x20));
							asm("sbb eax, [esi+0x24]");
							__eflags =  *((intOrPtr*)(_t106 - 0x20)) -  *((intOrPtr*)(_t93 + 4));
							if(__eflags > 0) {
								L22:
								_push(_t99);
								L00408BFB(_t83, _t99, _t102, __eflags);
								_t52 = 1;
							} else {
								if(__eflags < 0) {
									goto L8;
								} else {
									__eflags = _t91 -  *_t93;
									if(__eflags > 0) {
										goto L22;
									} else {
										while(1) {
											L8:
											_t61 =  *((intOrPtr*)(_t106 - 0x10));
											_t63 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t106 + 8)))) + 0xc))( *((intOrPtr*)(_t106 + 8)), _t61 + _t99, 0x10000 - _t61, _t106 - 0x1c);
											__eflags = _t63;
											if(__eflags != 0) {
												break;
											}
											_t65 =  *((intOrPtr*)(_t106 - 0x1c));
											 *((intOrPtr*)(_t106 - 0x10)) =  *((intOrPtr*)(_t106 - 0x10)) + _t65;
											__eflags = _t65;
											if(__eflags == 0) {
												_t103 = 1;
												L24:
												_push(_t99);
												goto L27;
											} else {
												__eflags =  *((intOrPtr*)(_t106 - 0x10)) - 0x20;
												if( *((intOrPtr*)(_t106 - 0x10)) <= 0x20) {
													continue;
												} else {
													_t67 =  *((intOrPtr*)(_t106 - 0x10)) + 0xffffffe0;
													_t89 = 0;
													 *((intOrPtr*)(_t106 - 0x18)) = _t67;
													 *((intOrPtr*)(_t106 - 0x14)) = 0;
													__eflags = _t67;
													if(_t67 <= 0) {
														L21:
														_t83 = _t83 + _t67;
														asm("adc dword [ebp-0x20], 0x0");
														 *((intOrPtr*)(_t106 - 0x10)) =  *((intOrPtr*)(_t106 - 0x10)) - _t67;
														E00416C30(_t83, _t99, _t102, _t99, _t67 + _t99,  *((intOrPtr*)(_t106 - 0x10)));
														goto L4;
													} else {
														while(1) {
															__eflags =  *((char*)(_t99 + _t89)) - 0x37;
															if( *((char*)(_t99 + _t89)) == 0x37) {
															}
															L17:
															__eflags = _t89 - _t67;
															L18:
															if(__eflags == 0) {
																goto L21;
															} else {
																_t73 = E00403DB0(_t99 + _t89);
																__eflags = _t73;
																if(_t73 != 0) {
																	_t99 =  *((intOrPtr*)(_t106 - 0x14));
																	E00416FC0(_t83, _t99, _t102, _t102 + 0x28,  *((intOrPtr*)(_t106 - 0x28)) + _t99, 0x20);
																	_t78 =  *((intOrPtr*)(_t106 - 0x20));
																	_t92 =  *((intOrPtr*)(_t106 + 8));
																	_t96 = 0;
																	_t84 = _t83 + _t99;
																	asm("adc eax, edx");
																	 *((intOrPtr*)(_t102 + 0x20)) = _t84;
																	_t83 = _t84 + 0x20;
																	__eflags = _t83;
																	 *((intOrPtr*)(_t102 + 0x24)) = _t78;
																	asm("adc eax, edx");
																	_t79 =  *((intOrPtr*)( *_t92 + 0x10))(_t92, _t83, _t78, _t96, _t96);
																	_push( *((intOrPtr*)(_t106 - 0x28)));
																	_t103 = _t79;
																	L27:
																	L00408BFB(_t83, _t99, _t103, __eflags);
																	_t52 = _t103;
																} else {
																	 *((intOrPtr*)(_t106 - 0x14)) =  *((intOrPtr*)(_t106 - 0x14)) + 1;
																	__eflags =  *((intOrPtr*)(_t106 - 0x14)) -  *((intOrPtr*)(_t106 - 0x18));
																	_t99 =  *((intOrPtr*)(_t106 - 0x28));
																	_t67 =  *((intOrPtr*)(_t106 - 0x18));
																	if( *((intOrPtr*)(_t106 - 0x14)) <  *((intOrPtr*)(_t106 - 0x18))) {
																		_t89 =  *((intOrPtr*)(_t106 - 0x14));
																		while(1) {
																			__eflags =  *((char*)(_t99 + _t89)) - 0x37;
																			if( *((char*)(_t99 + _t89)) == 0x37) {
																			}
																			goto L14;
																		}
																		goto L17;
																	} else {
																		goto L21;
																	}
																}
															}
															goto L28;
															L14:
															__eflags = _t89 - _t67;
															if(__eflags < 0) {
																_t89 = _t89 + 1;
																__eflags = _t89;
																 *((intOrPtr*)(_t106 - 0x14)) = _t89;
																continue;
															}
															goto L18;
														}
													}
												}
											}
											goto L28;
										}
										_t103 = _t63;
										goto L24;
									}
								}
							}
							L28:
							goto L29;
						}
					} else {
						_t52 = 0;
					}
				}
				L29:
				return E00416BF9(_t52);
			}

0x00404515
0x00404515
0x0040451c
0x00404521
0x00404525
0x0040452c
0x00404535
0x00404542
0x0040454b
0x00404552
0x00404555
0x0040455d
0x00404560
0x00404563
0x0040456a
0x0040456d
0x00404571
0x00404574
0x0040457c
0x0040457f
0x00404582
0x00404582
0x00404582
0x00404585
0x00404588
0x0040458a
0x00000000
0x00000000
0x00404591
0x00404594
0x00404597
0x0040459a
0x0040463c
0x0040463c
0x0040463d
0x00404644
0x004045a0
0x004045a0
0x00000000
0x004045a2
0x004045a2
0x004045a4
0x00000000
0x004045aa
0x004045aa
0x004045aa
0x004045b3
0x004045c4
0x004045c7
0x004045c9
0x00000000
0x00000000
0x004045cb
0x004045ce
0x004045d1
0x004045d3
0x0040464e
0x00404649
0x00404649
0x00000000
0x004045d5
0x004045d5
0x004045d9
0x00000000
0x004045db
0x004045de
0x004045e1
0x004045e3
0x004045e6
0x004045e9
0x004045eb
0x00404622
0x00404622
0x00404624
0x00404628
0x00404632
0x00000000
0x004045ed
0x004045fc
0x004045fc
0x00404600
0x00404600
0x00404602
0x00404602
0x00404604
0x00404604
0x00000000
0x00404606
0x00404608
0x0040460d
0x0040460f
0x00404651
0x00404660
0x00404665
0x00404668
0x00404670
0x00404671
0x00404673
0x00404676
0x00404679
0x00404679
0x0040467c
0x00404682
0x00404687
0x0040468a
0x0040468d
0x0040468f
0x0040468f
0x00404694
0x00404611
0x00404611
0x00404617
0x0040461a
0x0040461d
0x00404620
0x004045ef
0x004045fc
0x004045fc
0x00404600
0x00404600
0x00000000
0x00404600
0x00000000
0x00000000
0x00000000
0x00000000
0x00404620
0x0040460f
0x00000000
0x004045f4
0x004045f4
0x004045f6
0x004045f8
0x004045f8
0x004045f9
0x00000000
0x004045f9
0x00000000
0x004045f6
0x004045fc
0x004045eb
0x004045d9
0x00000000
0x004045d3
0x00404647
0x00000000
0x00404647
0x004045a4
0x004045a0
0x00404696
0x00000000
0x00404696
0x00404544
0x00404544
0x00404544
0x00404542
0x00404697
0x0040469c

APIs

__EH_prolog3.LIBCMT ref: 0040451C

Strings

d3B, xrefs: 0040455D
, xrefs: 004045D5

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3
String ID: $d3B
API String ID: 431132790-198493696
Opcode ID: 83b410855113d24c3329abef7cce3c4cf9cbdbef297528ee660bdef2e009668b
Instruction ID: 3a515e4a4a240cacc8c10b0b89ac85215a11ea039d74a327c6dee710e8acc370
Opcode Fuzzy Hash: 83b410855113d24c3329abef7cce3c4cf9cbdbef297528ee660bdef2e009668b
Instruction Fuzzy Hash: 3D5170B1A00205ABCB10DFA5CC80AAFB7B5BF85314F14492EEA01B7681D77DE941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00412324, Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00412324(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				struct _CRITICAL_SECTION* _t25;
				intOrPtr* _t29;
				void* _t32;
				void* _t34;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr* _t48;
				intOrPtr* _t49;
				intOrPtr* _t51;
				void* _t52;

				_push(4);
				E00416B21(E00421F0F, __ebx, __edi, __esi);
				_t51 = __ecx;
				_t25 = __ecx + 0x10;
				 *(_t52 - 0x10) = _t25;
				EnterCriticalSection(_t25);
				_t26 =  *((intOrPtr*)(_t52 + 8));
				_t38 =  *((intOrPtr*)(_t52 + 0xc));
				 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
				 *((intOrPtr*)(_t51 + 0x38)) =  *((intOrPtr*)(_t52 + 0x10));
				 *((intOrPtr*)(_t51 + 0x30)) =  *((intOrPtr*)(_t52 + 8));
				 *((intOrPtr*)(_t51 + 0x34)) =  *((intOrPtr*)(_t52 + 0xc));
				 *((intOrPtr*)(_t51 + 0x3c)) =  *((intOrPtr*)(_t52 + 0x14));
				if( *0x430640 != 0) {
					_t48 = _t51 + 8;
					E00411C88(_t48, _t26, _t38);
					_t29 =  *0x430640; // 0x4c77a8
					 *((intOrPtr*)( *_t29 + 0x28))(_t29,  *_t51, 2);
					_t49 =  *0x430640; // 0x4c77a8
					_t45 =  *((intOrPtr*)(_t51 + 0x34));
					 *((intOrPtr*)(_t52 + 0xc)) =  *_t48;
					_t32 = E00417780( *((intOrPtr*)(_t51 + 0x30)),  *_t48, _t45);
					asm("cdq");
					_t46 =  *((intOrPtr*)(_t51 + 0x3c));
					_t34 = E00417780( *((intOrPtr*)(_t51 + 0x38)),  *((intOrPtr*)(_t52 + 0xc)), _t46);
					asm("cdq");
					_t26 =  *((intOrPtr*)( *_t49 + 0x24))(_t49,  *_t51, _t34, _t46, _t32, _t45);
				}
				LeaveCriticalSection( *(_t52 - 0x10));
				return E00416BF9(_t26);
			}

0x00412324
0x0041232b
0x00412330
0x00412332
0x00412336
0x00412339
0x00412342
0x00412345
0x00412348
0x0041234c
0x00412352
0x00412355
0x00412358
0x00412362
0x00412365
0x0041236b
0x00412370
0x0041237c
0x00412381
0x0041238a
0x0041238f
0x00412392
0x0041239a
0x0041239c
0x004123a3
0x004123a8
0x004123ae
0x004123ae
0x004123b4
0x004123bf

APIs

__EH_prolog3.LIBCMT ref: 0041232B
EnterCriticalSection.KERNEL32(?,00000004), ref: 00412339
LeaveCriticalSection.KERNEL32(?), ref: 004123B4

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3Leave
String ID:
API String ID: 4250467438-0
Opcode ID: f1ca1d38278928531743cf0973599496185f1997b087bd932536968317e365bd
Instruction ID: 7b34ac69ecfa62052499947f8b89ca965626569db3180aad90851b79160f7002
Opcode Fuzzy Hash: f1ca1d38278928531743cf0973599496185f1997b087bd932536968317e365bd
Instruction Fuzzy Hash: A71123B5200600AFC760DF65C985AAAB7F6BF88300B50992EF95A87B60C738F951CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004123C2, Relevance: 4.6, APIs: 3, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004123C2(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				struct _CRITICAL_SECTION* _t23;
				intOrPtr* _t28;
				void* _t31;
				void* _t33;
				intOrPtr _t41;
				intOrPtr _t42;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr* _t47;
				void* _t48;

				_push(4);
				E00416B21(E00421F0F, __ebx, __edi, __esi);
				_t47 = __ecx;
				_t23 = __ecx + 0x10;
				 *(_t48 - 0x10) = _t23;
				EnterCriticalSection(_t23);
				 *(_t48 - 4) =  *(_t48 - 4) & 0x00000000;
				 *((intOrPtr*)(_t47 + 0x38)) =  *((intOrPtr*)(_t48 + 8));
				_t25 =  *((intOrPtr*)(_t48 + 0xc));
				 *((intOrPtr*)(_t47 + 0x3c)) =  *((intOrPtr*)(_t48 + 0xc));
				if( *0x430640 != 0) {
					_t44 = _t47 + 8;
					E00411C88(_t44,  *((intOrPtr*)(_t47 + 0x30)),  *((intOrPtr*)(_t47 + 0x34)));
					_t28 =  *0x430640; // 0x4c77a8
					 *((intOrPtr*)( *_t28 + 0x28))(_t28,  *_t47, 2);
					_t45 =  *0x430640; // 0x4c77a8
					_t41 =  *((intOrPtr*)(_t47 + 0x34));
					 *((intOrPtr*)(_t48 + 0xc)) =  *_t44;
					_t31 = E00417780( *((intOrPtr*)(_t47 + 0x30)),  *_t44, _t41);
					asm("cdq");
					_t42 =  *((intOrPtr*)(_t47 + 0x3c));
					_t33 = E00417780( *((intOrPtr*)(_t47 + 0x38)),  *((intOrPtr*)(_t48 + 0xc)), _t42);
					asm("cdq");
					_t25 =  *((intOrPtr*)( *_t45 + 0x24))(_t45,  *_t47, _t33, _t42, _t31, _t41);
				}
				LeaveCriticalSection( *(_t48 - 0x10));
				return E00416BF9(_t25);
			}

0x004123c2
0x004123c9
0x004123ce
0x004123d0
0x004123d4
0x004123d7
0x004123e0
0x004123e4
0x004123e7
0x004123ea
0x004123f4
0x004123f9
0x00412401
0x00412406
0x00412412
0x00412417
0x00412420
0x00412425
0x00412428
0x00412430
0x00412432
0x00412439
0x0041243e
0x00412444
0x00412444
0x0041244a
0x00412455

APIs

__EH_prolog3.LIBCMT ref: 004123C9
EnterCriticalSection.KERNEL32(?,00000004), ref: 004123D7
LeaveCriticalSection.KERNEL32(?), ref: 0041244A

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3Leave
String ID:
API String ID: 4250467438-0
Opcode ID: e44546212c9cd121f28e1859ac9352c8223e510be0f53fe4628133fed2ae9915
Instruction ID: b8ab0e8a091e3454a54943d1fa2376730f801439e704a0f0635c4d72261d10eb
Opcode Fuzzy Hash: e44546212c9cd121f28e1859ac9352c8223e510be0f53fe4628133fed2ae9915
Instruction Fuzzy Hash: 4C112575200600EFCB61EF64C985AAAB7B6FF88300F50992EF95687A60C738F951CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00409899, Relevance: 4.5, APIs: 3, Instructions: 46
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00409899(void* __ebx, void** __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t22;
				void* _t26;
				void** _t35;
				void* _t37;
				void* _t38;

				_push(0xc);
				E00416B21(E00421D84, __ebx, __edi, __esi);
				_t35 = __ecx;
				if(E00409469(__ecx) != 0) {
					_t37 = CreateFileW;
					_t22 = CreateFileW( *(_t38 + 8),  *(_t38 + 0xc),  *(_t38 + 0x10), 0,  *(_t38 + 0x14),  *(_t38 + 0x18), 0); // executed
					 *_t35 = _t22;
					_t41 = _t22 - 0xffffffff;
					if(_t22 == 0xffffffff) {
						E0040320A(_t38 - 0x18);
						 *((intOrPtr*)(_t38 - 4)) = 0;
						_t26 = E00409876(_t41,  *(_t38 + 8), _t38 - 0x18);
						_t42 = _t26;
						if(_t26 != 0) {
							 *_t35 = CreateFileW( *(_t38 - 0x18),  *(_t38 + 0xc),  *(_t38 + 0x10), 0,  *(_t38 + 0x14),  *(_t38 + 0x18), 0);
						}
						_push( *(_t38 - 0x18));
						L00408BFB(0, _t35, _t37, _t42);
					}
					_t20 = 0 |  *_t35 != 0xffffffff;
				}
				return E00416BF9(_t20);
			}

0x00409899
0x004098a0
0x004098a5
0x004098ae
0x004098b0
0x004098c9
0x004098cb
0x004098cd
0x004098d0
0x004098d5
0x004098e1
0x004098e4
0x004098e9
0x004098eb
0x00409900
0x00409900
0x00409902
0x00409905
0x0040990a
0x00409910
0x00409910
0x00409918

APIs

__EH_prolog3.LIBCMT ref: 004098A0

Part of subcall function 00409469: FindCloseChangeNotification.KERNELBASE ref: 00409474

CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,0000000C), ref: 004098C9
CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000,?,?), ref: 004098FE

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CreateFile$ChangeCloseFindH_prolog3Notification
String ID:
API String ID: 497171381-0
Opcode ID: cf2ddf9d4d14487d7b86455c1124a2d1594c33f963fa79a26f8bcd1e77f61e56
Instruction ID: 592200983aca7f03df924794e6f5b352c9d03a6f4c54ac32436f896c8fb0c43e
Opcode Fuzzy Hash: cf2ddf9d4d14487d7b86455c1124a2d1594c33f963fa79a26f8bcd1e77f61e56
Instruction Fuzzy Hash: 8701007240010EAFDF01AFA1CC428EE7F76EF18364F50452ABA60661E2C735DD62EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00410BBB, Relevance: 4.5, APIs: 3, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00410BBB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t14;
				signed int _t15;
				int _t17;
				int _t20;
				int _t22;
				signed int _t23;
				int _t31;
				void* _t32;
				void* _t33;

				_t33 = __eflags;
				_push(0xc);
				E00416B21(E00421D84, __ebx, __edi, __esi);
				_push(0);
				_push( *(_t32 + 8));
				_t14 = E00410A7A(__ebx, __edi, __esi, _t33); // executed
				if(_t14 == 0) {
					L6:
					_t15 = 0;
					__eflags = 0;
				} else {
					_t17 = DeleteFileW( *(_t32 + 8)); // executed
					if(_t17 == 0) {
						E0040320A(_t32 - 0x18);
						 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
						_t20 = E00409876(__eflags,  *(_t32 + 8), _t32 - 0x18);
						_push( *((intOrPtr*)(_t32 - 0x18)));
						__eflags = _t20;
						if(__eflags == 0) {
							L00408BFB(__ebx, __edi, DeleteFileW, __eflags);
							goto L6;
						} else {
							_t22 = DeleteFileW();
							_push( *((intOrPtr*)(_t32 - 0x18)));
							_t31 = _t22;
							_t23 = L00408BFB(__ebx, __edi, _t31, __eflags);
							__eflags = _t31;
							_t15 = _t23 & 0xffffff00 | _t31 != 0x00000000;
						}
					} else {
						_t15 = 1;
					}
				}
				return E00416BF9(_t15);
			}

0x00410bbb
0x00410bbb
0x00410bc2
0x00410bc7
0x00410bc9
0x00410bcc
0x00410bd3
0x00410c21
0x00410c21
0x00410c21
0x00410bd5
0x00410bde
0x00410be2
0x00410beb
0x00410bf0
0x00410bfb
0x00410c00
0x00410c03
0x00410c05
0x00410c1b
0x00000000
0x00410c07
0x00410c07
0x00410c09
0x00410c0c
0x00410c0e
0x00410c13
0x00410c16
0x00410c16
0x00410be4
0x00410be4
0x00410be4
0x00410be2
0x00410c28

APIs

__EH_prolog3.LIBCMT ref: 00410BC2

Part of subcall function 00410A7A: __EH_prolog3.LIBCMT ref: 00410A81
Part of subcall function 00410A7A: SetFileAttributesW.KERNELBASE(?,?,0000000C), ref: 00410A92

DeleteFileW.KERNELBASE(?,0000000C), ref: 00410BDE
DeleteFileW.KERNEL32(?,?,?), ref: 00410C07

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: File$DeleteH_prolog3$Attributes
String ID:
API String ID: 1699852380-0
Opcode ID: a435bcd79d1c238b0ee163b69a9bc1bda28087c4103ccc855c8f2a46ab69a957
Instruction ID: 82b29cb7c56b73e0ed4b09c3219c5ce96762dd4778a0f313884fd1d1f183af2a
Opcode Fuzzy Hash: a435bcd79d1c238b0ee163b69a9bc1bda28087c4103ccc855c8f2a46ab69a957
Instruction Fuzzy Hash: 0BF0A431900115AACF14AFA1C802BED7F219F10354F01802BB90076192DB79D9C2AADC

Uniqueness

Uniqueness Score: -1.00%

Function 00410A7A, Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00410A7A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t16;
				signed int _t21;
				int _t23;
				signed int _t24;
				int _t31;
				void* _t32;

				_push(0xc);
				E00416B21(E00421D84, __ebx, __edi, __esi);
				_t16 = SetFileAttributesW( *(_t32 + 8),  *(_t32 + 0xc)); // executed
				if(_t16 == 0) {
					E0040320A(_t32 - 0x18);
					 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
					__eflags = E00409876(__eflags,  *(_t32 + 8), _t32 - 0x18);
					if(__eflags == 0) {
						_push( *(_t32 - 0x18));
						L00408BFB(__ebx, __edi, SetFileAttributesW, __eflags);
						_t21 = 0;
						__eflags = 0;
					} else {
						_t23 = SetFileAttributesW( *(_t32 - 0x18),  *(_t32 + 0xc));
						_push( *(_t32 - 0x18));
						_t31 = _t23;
						_t24 = L00408BFB(__ebx, __edi, _t31, __eflags);
						__eflags = _t31;
						_t21 = _t24 & 0xffffff00 | _t31 != 0x00000000;
					}
				} else {
					_t21 = 1;
				}
				return E00416BF9(_t21);
			}

0x00410a7a
0x00410a81
0x00410a92
0x00410a96
0x00410a9f
0x00410aa4
0x00410ab4
0x00410ab6
0x00410ad1
0x00410ad4
0x00410ad9
0x00410ad9
0x00410ab8
0x00410abe
0x00410ac0
0x00410ac3
0x00410ac5
0x00410aca
0x00410acc
0x00410acc
0x00410a98
0x00410a98
0x00410a98
0x00410ae1

APIs

__EH_prolog3.LIBCMT ref: 00410A81
SetFileAttributesW.KERNELBASE(?,?,0000000C), ref: 00410A92
SetFileAttributesW.KERNEL32(?,?,?,?), ref: 00410ABE

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: AttributesFile$H_prolog3
String ID:
API String ID: 1525373243-0
Opcode ID: ba02543101a5cfa9a6052c8c64ecf50aa383b55c2d9455dca589e25abfdeb413
Instruction ID: b68339446e7912557b5547a3532edc32d3c599c184010c8767136443e2a04074
Opcode Fuzzy Hash: ba02543101a5cfa9a6052c8c64ecf50aa383b55c2d9455dca589e25abfdeb413
Instruction Fuzzy Hash: ADF09C31800219EACF00AFA1CC02AED7F31DF14354F01402BB900761A2CB79DDD2EB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA23, Relevance: 4.5, APIs: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040AA23(intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t14;
				void* _t19;
				struct _CRITICAL_SECTION* _t23;
				intOrPtr* _t25;
				intOrPtr* _t26;
				void* _t28;

				_push(4);
				E00416B21(E00421F0F, _t19, __edi, __esi);
				_t25 = __ecx;
				_t23 = __ecx + 4;
				 *(_t28 - 0x10) = _t23;
				EnterCriticalSection(_t23);
				_t14 =  *_t25;
				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
				_push(0);
				_push(0);
				_push( *((intOrPtr*)(_t28 + 0xc)));
				_push( *((intOrPtr*)(_t28 + 8)));
				_push(_t14); // executed
				if( *((intOrPtr*)( *_t14 + 0x10))() == 0) {
					_t26 =  *_t25;
					_t15 =  *((intOrPtr*)( *_t26 + 0xc))(_t26,  *((intOrPtr*)(_t28 + 0x10)),  *((intOrPtr*)(_t28 + 0x14)),  *((intOrPtr*)(_t28 + 0x18)));
				}
				LeaveCriticalSection(_t23);
				return E00416BF9(_t15);
			}

0x0040aa23
0x0040aa2a
0x0040aa2f
0x0040aa31
0x0040aa35
0x0040aa38
0x0040aa3e
0x0040aa42
0x0040aa46
0x0040aa48
0x0040aa4a
0x0040aa4d
0x0040aa50
0x0040aa56
0x0040aa6e
0x0040aa79
0x0040aa79
0x0040aa5b
0x0040aa68

APIs

__EH_prolog3.LIBCMT ref: 0040AA2A
EnterCriticalSection.KERNEL32(00000000,00000004,0040AAA2,?,?,?,?,00000000), ref: 0040AA38
LeaveCriticalSection.KERNEL32(00000000,?,?,?,?), ref: 0040AA5B

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CriticalSection$EnterH_prolog3Leave
String ID:
API String ID: 4250467438-0
Opcode ID: 4dddb49c8288610b6a72de20f540e7b07757c19d66fa8ff38042e61517f2b0a0
Instruction ID: 376e6d0b6539734c182ceb4bf0422f82a57e589c454eeaae9fc2f109862d71f0
Opcode Fuzzy Hash: 4dddb49c8288610b6a72de20f540e7b07757c19d66fa8ff38042e61517f2b0a0
Instruction Fuzzy Hash: DDF06235600214EBCB219FA0CC04B9A7BB5BF08711F15445AFA11AB2A0C779E951DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00410AE4, Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00410AE4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t13;
				int _t16;
				signed int _t18;
				int _t20;
				signed int _t21;
				int _t28;
				void* _t29;

				_push(0xc);
				E00416B21(E00421D84, __ebx, __edi, __esi);
				_t13 = RemoveDirectoryW( *(_t29 + 8)); // executed
				if(_t13 == 0) {
					E0040320A(_t29 - 0x18);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t16 = E00409876(__eflags,  *(_t29 + 8), _t29 - 0x18);
					_push( *((intOrPtr*)(_t29 - 0x18)));
					__eflags = _t16;
					if(__eflags == 0) {
						L00408BFB(__ebx, __edi, RemoveDirectoryW, __eflags);
						_t18 = 0;
						__eflags = 0;
					} else {
						_t20 = RemoveDirectoryW();
						_push( *((intOrPtr*)(_t29 - 0x18)));
						_t28 = _t20;
						_t21 = L00408BFB(__ebx, __edi, _t28, __eflags);
						__eflags = _t28;
						_t18 = _t21 & 0xffffff00 | _t28 != 0x00000000;
					}
				} else {
					_t18 = 1;
				}
				return E00416BF9(_t18);
			}

0x00410ae4
0x00410aeb
0x00410af9
0x00410afd
0x00410b06
0x00410b0b
0x00410b16
0x00410b1b
0x00410b1e
0x00410b20
0x00410b35
0x00410b3a
0x00410b3a
0x00410b22
0x00410b22
0x00410b24
0x00410b27
0x00410b29
0x00410b2e
0x00410b30
0x00410b30
0x00410aff
0x00410aff
0x00410aff
0x00410b42

APIs

__EH_prolog3.LIBCMT ref: 00410AEB
RemoveDirectoryW.KERNELBASE(?,0000000C), ref: 00410AF9
RemoveDirectoryW.KERNEL32(?,?,?), ref: 00410B22

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: DirectoryRemove$H_prolog3
String ID:
API String ID: 3343300676-0
Opcode ID: 38ec5a7dbffa486bf102005043b2015325cd4a8d35e7a018c6e6499285184e48
Instruction ID: 710b2b3079904f10a49b21f330e3983a60d9af1bfd423f351766240e205e25f6
Opcode Fuzzy Hash: 38ec5a7dbffa486bf102005043b2015325cd4a8d35e7a018c6e6499285184e48
Instruction Fuzzy Hash: 60F0303180411996CF10ABE1C902AEE7F259F00358F15406BA9406A292CB79E9C6E6AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040177A, Relevance: 4.5, APIs: 3, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040177A(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t21;
				intOrPtr _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t31 = __edi;
				_t23 = __ebx;
				_push(4);
				E00416B21(E00421471, __ebx, __edi, __esi);
				_t33 = __ecx;
				 *((intOrPtr*)(_t34 - 0x10)) = __ecx;
				 *(_t34 - 4) = 4;
				E00408BC5(__ecx + 0xb4);
				 *(_t34 - 4) = 3;
				E00408BC5(__ecx + 0xa0);
				 *(_t34 - 4) = 2;
				E004015E5(__ebx, __ecx + 0x8c, __edi, __ecx, _t35);
				 *(_t34 - 4) = 1;
				E00401489(_t23, _t33 + 0x78, _t31, _t33, _t35);
				 *(_t34 - 4) = 0;
				E0040B173(_t33);
				_t11 = _t34 - 4;
				 *(_t34 - 4) =  *(_t34 - 4) | 0xffffffff;
				_t21 = E0040157A(_t23, _t33 + 0x14, _t31, _t33,  *_t11); // executed
				return E00416BF9(_t21);
			}

0x0040177a
0x0040177a
0x0040177a
0x0040177a
0x00401781
0x00401786
0x00401788
0x00401791
0x00401798
0x004017a3
0x004017a7
0x004017b2
0x004017b6
0x004017be
0x004017c2
0x004017c9
0x004017cd
0x004017d2
0x004017d2
0x004017d9
0x004017e3

APIs

__EH_prolog3.LIBCMT ref: 00401781
~_Task_impl.LIBCPMT ref: 004017B6

Part of subcall function 004015E5: __EH_prolog3.LIBCMT ref: 004015EC

~_Task_impl.LIBCPMT ref: 004017C2

Part of subcall function 00401489: __EH_prolog3.LIBCMT ref: 00401490

Part of subcall function 0040157A: __EH_prolog3.LIBCMT ref: 00401581

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3$Task_impl
String ID:
API String ID: 2843614703-0
Opcode ID: 3dfa0d9badd74e310505ad803d96c188240e82b3241b6ae798c843971600a03f
Instruction ID: 013af03912305f4c448b6a7ee667699893353aed5ea99b6c000518ccc271aa3d
Opcode Fuzzy Hash: 3dfa0d9badd74e310505ad803d96c188240e82b3241b6ae798c843971600a03f
Instruction Fuzzy Hash: E1F0F070404354CAD714FBA1C1027DCBBB06F20308F4041DEA4A6232D2DF782708C62A

Uniqueness

Uniqueness Score: -1.00%

Function 0040193F, Relevance: 4.5, APIs: 3, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040193F(intOrPtr __ecx, void* __esi, void* __eflags) {
				void* _t15;
				void* _t20;
				intOrPtr _t22;
				void* _t23;
				void* _t24;

				_t24 = __eflags;
				_push(4);
				E00416B21(E00420CC8, _t15, _t20, __esi);
				_t22 = __ecx;
				 *((intOrPtr*)(_t23 - 0x10)) = __ecx;
				 *(_t23 - 4) = 1;
				E00401616(_t15, __ecx + 0x74, _t20, __ecx, _t24); // executed
				 *(_t23 - 4) = 0;
				E00401549(_t15, _t22 + 0x5c, _t20, _t22, _t24); // executed
				_t6 = _t23 - 4;
				 *(_t23 - 4) =  *(_t23 - 4) | 0xffffffff;
				return E00416BF9(E004011EE(_t15, _t22 + 0xc, _t20, _t22,  *_t6));
			}

0x0040193f
0x0040193f
0x00401946
0x0040194b
0x0040194d
0x00401953
0x0040195a
0x00401962
0x00401966
0x0040196b
0x0040196b
0x0040197c

APIs

__EH_prolog3.LIBCMT ref: 00401946
~_Task_impl.LIBCPMT ref: 0040195A

Part of subcall function 00401616: __EH_prolog3.LIBCMT ref: 0040161D

~_Task_impl.LIBCPMT ref: 00401966

Part of subcall function 00401549: __EH_prolog3.LIBCMT ref: 00401550

Part of subcall function 004011EE: __EH_prolog3.LIBCMT ref: 004011F5

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3$Task_impl
String ID:
API String ID: 2843614703-0
Opcode ID: 5a36d9774e3f7b5f4d6334cd3bd70039b4e6d44ffea03344701cfbbcf185756c
Instruction ID: 5cdb3cf3dca08719438845c65d893accad8844cd1feecf10675d4a7ad2801eba
Opcode Fuzzy Hash: 5a36d9774e3f7b5f4d6334cd3bd70039b4e6d44ffea03344701cfbbcf185756c
Instruction Fuzzy Hash: 1FE02670804610CBC708FBE5C80238DBBE0AF00318F40435EA512672E2CFB86708C608

Uniqueness

Uniqueness Score: -1.00%

Function 00413320, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00413320(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t73;
				intOrPtr* _t82;
				intOrPtr _t83;
				void* _t85;
				void* _t89;
				intOrPtr* _t121;
				void* _t122;
				void* _t125;

				_t125 = __eflags;
				_t119 = __edi;
				_t117 = __edx;
				_push(0x58);
				E00416B21(E004220FF, __ebx, __edi, __esi);
				_t121 = __ecx;
				E0040320A(_t122 - 0x3c);
				_push( *((intOrPtr*)(__ecx + 4)));
				 *((intOrPtr*)(_t122 - 4)) = 0;
				_t62 = E00409371(0, _t122 - 0x64, __edx, __edi, __ecx, _t125); // executed
				_t126 = _t62;
				if(_t62 != 0) {
					_t63 =  *((intOrPtr*)(_t121 + 0x1c));
					__eflags = _t63;
					if(__eflags == 0) {
						_t64 = 0;
						__eflags = 0;
					} else {
						_t64 = _t63 + 4;
					}
					 *((intOrPtr*)(_t122 - 0x28)) = 0;
					 *((intOrPtr*)(_t122 - 0x24)) = 0;
					 *((intOrPtr*)(_t122 - 0x20)) = 0;
					 *((intOrPtr*)(_t122 - 0x1c)) = 4;
					 *((intOrPtr*)(_t122 - 0x2c)) = 0x42350c;
					_push(_t64);
					_push(_t121 + 4);
					_push(0);
					_push(0);
					_push(_t122 - 0x2c);
					_push( *_t121);
					_t119 = _t121 + 0x28;
					 *((char*)(_t122 - 4)) = 1;
					 *((intOrPtr*)(_t121 + 0x60)) = E0040C59C(0, _t119, _t117, _t119, _t121, __eflags);
					 *((char*)(_t122 - 4)) = 0;
					E00408BC5(_t122 - 0x2c);
					__eflags =  *((intOrPtr*)(_t121 + 0x60));
					if( *((intOrPtr*)(_t121 + 0x60)) == 0) {
						_t102 = _t122 - 0x18;
						E00404082(_t122 - 0x18, _t122, _t121 + 0x10);
						 *((char*)(_t122 - 4)) = 2;
						E004099DF(_t122 - 0x18);
						_push( *((intOrPtr*)(_t122 - 0x18)));
						_t73 = E00410F49(0, _t119, _t121, __eflags); // executed
						__eflags = _t73;
						if(__eflags != 0) {
							E00401647(_t122 - 0x24, _t122, L"Default");
							 *((char*)(_t122 - 4)) = 4;
							E00412551(0,  *((intOrPtr*)(_t121 + 0x1c)), _t119, _t121, __eflags);
							 *((char*)(_t122 - 4)) = 2;
							L00408BFB(0, _t119, _t121, __eflags);
							_t82 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 0xc)) +  *(_t119 + 8) * 4 - 4))));
							_t83 =  *((intOrPtr*)( *_t82 + 0x1c))(_t82, 0, 0xffffffff, 0,  *((intOrPtr*)(_t121 + 0x20)),  *((intOrPtr*)(_t122 - 0x24)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t119 + 0xc)) +  *(_t119 + 8) * 4 - 4)))), _t122 - 0x18, _t122 - 0x24, _t122 - 0x4c, 0);
							_push( *((intOrPtr*)(_t122 - 0x18)));
							 *((intOrPtr*)(_t121 + 0x60)) = _t83;
							L00408BFB(0, _t119, _t121, __eflags);
							_push( *((intOrPtr*)(_t122 - 0x3c)));
							_t85 = L00408BFB(0, _t119, _t121, __eflags);
							goto L11;
						} else {
							_push(_t122 - 0x18);
							_push(9);
							_push(_t122 - 0x24);
							_t89 = E0040C997(0, _t102, _t119, _t121, __eflags);
							 *((char*)(_t122 - 4)) = 3;
							E00408639(_t121 + 0x64, _t122, _t89);
							_push( *((intOrPtr*)(_t122 - 0x24)));
							L00408BFB(0, _t119, _t121, __eflags);
							_push( *((intOrPtr*)(_t122 - 0x18)));
							 *((intOrPtr*)(_t121 + 0x60)) = 0x80004005;
							L00408BFB(0, _t119, _t121, __eflags);
							_push( *((intOrPtr*)(_t122 - 0x3c)));
							_t85 = L00408BFB(0, _t119, _t121, __eflags);
						}
					} else {
						E00408639(_t121 + 0x64, _t122, 0x430624);
						goto L2;
					}
				} else {
					E00408639(_t121 + 0x64, _t122, 0x430618);
					 *((intOrPtr*)(_t121 + 0x60)) = 0x80004005;
					L2:
					_push( *((intOrPtr*)(_t122 - 0x3c)));
					_t85 = L00408BFB(0, _t119, _t121, _t126);
					L11:
				}
				return E00416BF9(_t85);
			}

0x00413320
0x00413320
0x00413320
0x00413320
0x00413327
0x0041332c
0x00413331
0x00413336
0x0041333e
0x00413341
0x00413346
0x00413348
0x0041336b
0x0041336e
0x00413370
0x00413377
0x00413377
0x00413372
0x00413372
0x00413372
0x00413379
0x0041337c
0x0041337f
0x00413382
0x00413389
0x00413390
0x00413394
0x00413395
0x00413396
0x0041339a
0x0041339b
0x0041339d
0x004133a2
0x004133ae
0x004133b1
0x004133b4
0x004133b9
0x004133bc
0x004133d1
0x004133d4
0x004133dd
0x004133e1
0x004133e6
0x004133e9
0x004133ee
0x004133f0
0x0041343a
0x0041345c
0x00413460
0x00413468
0x0041346c
0x0041347f
0x00413489
0x0041348c
0x0041348f
0x00413492
0x00413497
0x0041349a
0x00000000
0x004133f2
0x004133f5
0x004133f6
0x004133fb
0x004133fc
0x00413405
0x00413409
0x0041340e
0x00413411
0x00413416
0x00413419
0x00413420
0x00413425
0x00413428
0x0041342d
0x004133be
0x004133c6
0x00000000
0x004133c6
0x0041334a
0x00413352
0x00413357
0x0041335e
0x0041335e
0x00413361
0x004134a0
0x004134a0
0x004134a6

APIs

__EH_prolog3.LIBCMT ref: 00413327

Part of subcall function 00409371: __EH_prolog3.LIBCMT ref: 00409378

Part of subcall function 00410F49: __EH_prolog3.LIBCMT ref: 00410F50

Part of subcall function 0040C997: __EH_prolog3.LIBCMT ref: 0040C99E

Strings

Default, xrefs: 00413432

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3
String ID: Default
API String ID: 431132790-753088835
Opcode ID: be458f527f3d66798507e01ce30f9e64ef4531bc7a09f7c140fcb46789926ce1
Instruction ID: 637a408ca592e427b064d91d27cf8d613e21661ac3e18e47597f74a2cd651e88
Opcode Fuzzy Hash: be458f527f3d66798507e01ce30f9e64ef4531bc7a09f7c140fcb46789926ce1
Instruction Fuzzy Hash: F84162B1800208EFCB15DF95C9819DEBBB4BF08304F10456EF59673292DF79AA45DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00412970, Relevance: 3.3, APIs: 2, Instructions: 335
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00412970() {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t133;
				signed int _t134;
				signed int _t142;
				intOrPtr* _t144;
				intOrPtr _t146;
				intOrPtr* _t147;
				signed int _t148;
				intOrPtr* _t153;
				intOrPtr* _t156;
				signed int _t158;
				intOrPtr _t160;
				intOrPtr* _t179;
				intOrPtr _t181;
				signed int _t182;
				intOrPtr* _t185;
				signed int _t188;
				signed int _t196;
				intOrPtr* _t197;
				void* _t215;
				signed int _t216;
				signed int _t265;
				signed int _t267;
				intOrPtr* _t269;
				short* _t271;
				void* _t273;

				_t271 = _t273 - 0x68;
				_t269 =  *((intOrPtr*)(_t271 + 0x70));
				if(E00411CBC(_t269 + 0xc8) == 0) {
					E00402B01(_t269 + 0x50);
					 *(_t271 + 0x10) = 0;
					 *((short*)(_t271 + 0x12)) = 0;
					_t133 =  *((intOrPtr*)(_t269 + 0x10));
					_t134 =  *((intOrPtr*)( *_t133 + 0x18))(_t133,  *(_t271 + 0x74), 3, _t271 + 0x10, _t265, _t215);
					_t216 = 0;
					__eflags = _t134;
					if(_t134 == 0) {
						E0040320A(_t271 + 0x5c);
						__eflags =  *(_t271 + 0x10);
						if( *(_t271 + 0x10) != 0) {
							__eflags =  *(_t271 + 0x10) - 8;
							if(__eflags == 0) {
								E004090CA(_t271 + 0x5c, _t271,  *((intOrPtr*)(_t271 + 0x18)));
								goto L11;
							}
							goto L9;
						} else {
							E00408639(_t271 + 0x5c, _t271, _t269 + 0x54);
							L11:
							E00408639(_t269 + 0x20, _t271, _t271 + 0x5c);
							__eflags =  *((intOrPtr*)(_t271 + 0x7c)) - _t216;
							if(__eflags != 0) {
								 *( *(_t271 + 0x78)) = _t216;
								L42:
								_push( *((intOrPtr*)(_t271 + 0x5c)));
								L00408BFB(_t216, _t265, _t269, __eflags);
								goto L5;
							}
							 *(_t271 + 0x4c) = 0;
							 *((short*)(_t271 + 0x4e)) = 0;
							_t144 =  *((intOrPtr*)(_t269 + 0x10));
							_t267 =  *((intOrPtr*)( *_t144 + 0x18))(_t144,  *(_t271 + 0x74), 9, _t271 + 0x4c);
							__eflags = _t267 - _t216;
							if(_t267 == _t216) {
								__eflags =  *(_t271 + 0x4c) - _t216;
								if( *(_t271 + 0x4c) != _t216) {
									__eflags =  *(_t271 + 0x4c) - 0x13;
									if( *(_t271 + 0x4c) == 0x13) {
										_t146 =  *((intOrPtr*)(_t271 + 0x54));
										L19:
										 *((intOrPtr*)(_t269 + 0x48)) = _t146;
										_t147 =  *((intOrPtr*)(_t269 + 0x10));
										_t148 =  *((intOrPtr*)( *_t147 + 0x18))(_t147,  *(_t271 + 0x74), 6, _t271 + 0x4c);
										_t267 = _t148;
										__eflags = _t267 - _t216;
										if(_t267 != _t216) {
											goto L13;
										}
										__eflags =  *((intOrPtr*)(_t271 + 0x54)) - _t216;
										 *((char*)(_t269 + 0x44)) = _t148 & 0xffffff00 |  *((intOrPtr*)(_t271 + 0x54)) != _t216;
										 *_t271 = 0;
										 *((short*)(_t271 + 2)) = 0;
										_t153 =  *((intOrPtr*)(_t269 + 0x10));
										 *(_t271 + 0x73) = _t216;
										_t267 =  *((intOrPtr*)( *_t153 + 0x18))(_t153,  *(_t271 + 0x74), 0x15, _t271);
										__eflags = _t267 - _t216;
										if(_t267 == _t216) {
											__eflags =  *_t271 - 0xb;
											if( *_t271 == 0xb) {
												__eflags =  *((intOrPtr*)(_t271 + 8)) - _t216;
												_t51 = _t271 + 0x73;
												 *_t51 =  *((intOrPtr*)(_t271 + 8)) != _t216;
												__eflags =  *_t51;
											}
											E00409A4A(_t271);
											_t156 =  *((intOrPtr*)(_t269 + 0x10));
											_t264 = _t271 + 0x4c;
											_t267 =  *((intOrPtr*)( *_t156 + 0x18))(_t156,  *(_t271 + 0x74), 0xc, _t271 + 0x4c);
											__eflags = _t267 - _t216;
											if(_t267 != _t216) {
												goto L13;
											} else {
												_t158 =  *(_t271 + 0x4c) & 0x0000ffff;
												__eflags = _t158 - _t216;
												if(__eflags == 0) {
													_t265 = _t269 + 0x3c;
													 *_t265 =  *((intOrPtr*)(_t269 + 0x60));
													_t160 =  *((intOrPtr*)(_t269 + 0x64));
													L29:
													 *((intOrPtr*)(_t265 + 4)) = _t160;
													_push(_t271 + 0x2c);
													_push(_t271 + 0x5c);
													 *(_t271 + 0x30) = _t216;
													 *(_t271 + 0x34) = _t216;
													 *(_t271 + 0x38) = _t216;
													 *((intOrPtr*)(_t271 + 0x3c)) = 4;
													 *((intOrPtr*)(_t271 + 0x2c)) = 0x423798;
													E0040900B(_t216, _t264, _t265, _t269, __eflags);
													__eflags =  *(_t271 + 0x34) - _t216;
													if(__eflags != 0) {
														E00404082(_t271 + 0x20, _t271, _t271 + 0x5c);
														__eflags =  *((intOrPtr*)(_t269 + 0x44)) - _t216;
														if( *((intOrPtr*)(_t269 + 0x44)) == _t216) {
															E00408A40(_t271 + 0x2c);
														}
														__eflags =  *(_t271 + 0x34) - _t216;
														if(__eflags != 0) {
															__eflags =  *(_t271 + 0x73) - _t216;
															if(__eflags == 0) {
																_push(_t271 + 0x2c);
																E00412707(_t216, _t269, _t264, _t265, _t269, __eflags); // executed
															}
														}
														_push(_t271 + 0x20);
														_push(_t269 + 0x14);
														_push(_t271 + 0x40);
														E004096A4(_t216, _t265, _t269, __eflags);
														__eflags =  *((intOrPtr*)(_t269 + 0x44)) - _t216;
														if( *((intOrPtr*)(_t269 + 0x44)) == _t216) {
															E0040320A(_t271 - 0x10);
															_push( *((intOrPtr*)(_t271 + 0x40)));
															__eflags = E00409371(_t216, _t271 - 0x38, _t264, _t265, _t269, __eflags);
															if(__eflags == 0) {
																L51:
																__eflags =  *(_t271 + 0x73) - _t216;
																if(__eflags != 0) {
																	L62:
																	E00408639(_t269 + 0x2c, _t271, _t271 + 0x40);
																	_push( *((intOrPtr*)(_t271 - 0x10)));
																	L00408BFB(_t216, _t265, _t269, __eflags);
																	_push( *((intOrPtr*)(_t271 + 0x40)));
																	L00408BFB(_t216, _t265, _t269, __eflags);
																	_push( *((intOrPtr*)(_t271 + 0x20)));
																	L00408BFB(_t216, _t265, _t269, __eflags);
																	goto L41;
																}
																_t179 = E00408BD0(_t216, _t265, __eflags, 0x18);
																__eflags = _t179 - _t216;
																if(_t179 == _t216) {
																	_t179 = 0;
																	__eflags = 0;
																} else {
																	 *(_t179 + 4) = _t216;
																	 *_t179 = 0x423eb0;
																	 *(_t179 + 8) =  *(_t179 + 8) | 0xffffffff;
																}
																 *((intOrPtr*)(_t269 + 0x4c)) = _t179;
																E0040222C(_t271 + 0x74, _t179);
																_t181 =  *((intOrPtr*)(_t269 + 0x4c));
																 *(_t181 + 0x10) = _t216;
																 *(_t181 + 0x14) = _t216;
																_t182 = E0040999D( *((intOrPtr*)(_t271 + 0x40)), 1);
																__eflags = _t182;
																if(_t182 != 0) {
																	L61:
																	_t265 =  *(_t271 + 0x74);
																	E00406200(_t269 + 0x50, _t265);
																	 *( *(_t271 + 0x78)) = _t265;
																	goto L62;
																} else {
																	__eflags =  *((intOrPtr*)(_t269 + 0x139)) - _t216;
																	if( *((intOrPtr*)(_t269 + 0x139)) == _t216) {
																		_t185 =  *0x430640; // 0x4c77a8
																		__eflags = _t185 - _t216;
																		if(_t185 != _t216) {
																			 *((intOrPtr*)( *_t185 + 0x28))(_t185,  *((intOrPtr*)(_t269 + 0x134)), 4);
																		}
																		goto L61;
																	}
																	E00408639(_t269 + 0x114, _t271, 0x4305c4);
																	_t188 =  *(_t271 + 0x74);
																	__eflags = _t188 - _t216;
																	if(__eflags != 0) {
																		 *((intOrPtr*)( *_t188 + 8))(_t188);
																	}
																	L50:
																	_push( *((intOrPtr*)(_t271 - 0x10)));
																	L00408BFB(_t216, _t265, _t269, __eflags);
																	_push( *((intOrPtr*)(_t271 + 0x40)));
																	L00408BFB(_t216, _t265, _t269, __eflags);
																	_push( *((intOrPtr*)(_t271 + 0x20)));
																	L00408BFB(_t216, _t265, _t269, __eflags);
																	goto L30;
																}
															}
															_t196 = E00410BBB(_t216, _t265, _t269, __eflags,  *((intOrPtr*)(_t271 + 0x40)));
															__eflags = _t196;
															if(_t196 != 0) {
																goto L51;
															}
															__eflags =  *((intOrPtr*)(_t269 + 0x139)) - _t216;
															if( *((intOrPtr*)(_t269 + 0x139)) == _t216) {
																_t197 =  *0x430640; // 0x4c77a8
																__eflags = _t197 - _t216;
																if(__eflags != 0) {
																	 *((intOrPtr*)( *_t197 + 0x28))(_t197,  *((intOrPtr*)(_t269 + 0x134)), 4);
																}
																 *((intOrPtr*)( *((intOrPtr*)(_t269 + 0x70)) + 4))( *0x4305b8,  *0x4305ac, _t216);
															} else {
																E00408639(_t269 + 0x114, _t271, 0x4305b8);
															}
															goto L50;
														} else {
															E00408639(_t269, _t271, _t271 + 0x40);
															__eflags =  *(_t271 + 0x73) - _t216;
															if(__eflags == 0) {
																E004109DE(_t216, _t265, _t269, __eflags,  *_t269, _t216, _t216, _t265); // executed
															} else {
																E00410AE4(_t216, _t265, _t269, __eflags,  *_t269);
															}
															_push( *((intOrPtr*)(_t271 + 0x40)));
															L00408BFB(_t216, _t265, _t269, __eflags);
															_push( *((intOrPtr*)(_t271 + 0x20)));
															L00408BFB(_t216, _t265, _t269, __eflags);
															L41:
															E004085B9(_t216, _t271 + 0x2c, _t265, _t269, __eflags);
															E00409A4A(_t271 + 0x4c);
															goto L42;
														}
													}
													L30:
													E004085B9(_t216, _t271 + 0x2c, _t265, _t269, __eflags);
													goto L17;
												}
												__eflags = _t158 - 0x40;
												if(__eflags != 0) {
													goto L17;
												}
												_t265 = _t269 + 0x3c;
												 *_t265 =  *((intOrPtr*)(_t271 + 0x54));
												_t160 =  *((intOrPtr*)(_t271 + 0x58));
												goto L29;
											}
										}
										E00409A4A(_t271);
										goto L13;
									}
									L17:
									E00409A4A(_t271 + 0x4c);
									L9:
									_push( *((intOrPtr*)(_t271 + 0x5c)));
									L00408BFB(_t216, _t265, _t269, __eflags);
									_t216 = 0x80004005;
									goto L5;
								}
								_t146 =  *((intOrPtr*)(_t269 + 0x68));
								goto L19;
							}
							L13:
							E00409A4A(_t271 + 0x4c);
							_push( *((intOrPtr*)(_t271 + 0x5c)));
							L00408BFB(_t216, _t267, _t269, __eflags);
							_t216 = _t267;
							goto L5;
						}
					} else {
						_t216 = _t134;
						L5:
						E00409A4A(_t271 + 0x10);
						_t142 = _t216;
						goto L2;
					}
				} else {
					_t142 = 0x80004004;
					L2:
					return _t142;
				}
			}

0x00412971
0x0041297c
0x0041298c
0x004129a0
0x004129b0
0x004129b4
0x004129b8
0x004129be
0x004129c1
0x004129c3
0x004129c5
0x004129da
0x004129df
0x004129e3
0x004129f3
0x004129f8
0x00412a10
0x00000000
0x00412a10
0x00000000
0x004129e5
0x004129ec
0x00412a15
0x00412a1c
0x00412a21
0x00412a24
0x00412d67
0x00412bfe
0x00412bfe
0x00412c01
0x00000000
0x00412c06
0x00412a35
0x00412a39
0x00412a3d
0x00412a46
0x00412a48
0x00412a4a
0x00412a64
0x00412a68
0x00412a6f
0x00412a74
0x00412a83
0x00412a86
0x00412a8f
0x00412a92
0x00412a98
0x00412a9b
0x00412a9d
0x00412a9f
0x00000000
0x00000000
0x00412aa1
0x00412aac
0x00412ab6
0x00412aba
0x00412abe
0x00412ac4
0x00412aca
0x00412acc
0x00412ace
0x00412add
0x00412ae2
0x00412ae4
0x00412ae8
0x00412ae8
0x00412ae8
0x00412ae8
0x00412aef
0x00412af4
0x00412af9
0x00412b06
0x00412b08
0x00412b0a
0x00000000
0x00412b10
0x00412b10
0x00412b14
0x00412b16
0x00412b31
0x00412b34
0x00412b36
0x00412b39
0x00412b39
0x00412b3f
0x00412b43
0x00412b44
0x00412b47
0x00412b4a
0x00412b4d
0x00412b54
0x00412b5b
0x00412b60
0x00412b63
0x00412b79
0x00412b7e
0x00412b81
0x00412b86
0x00412b86
0x00412b8b
0x00412b8e
0x00412b90
0x00412b93
0x00412b98
0x00412b9b
0x00412b9b
0x00412b93
0x00412ba3
0x00412ba7
0x00412bab
0x00412bac
0x00412bb1
0x00412bb4
0x00412c0f
0x00412c14
0x00412c1f
0x00412c21
0x00412c95
0x00412c95
0x00412c98
0x00412d38
0x00412d3f
0x00412d44
0x00412d47
0x00412d4c
0x00412d4f
0x00412d54
0x00412d57
0x00000000
0x00412d5c
0x00412ca0
0x00412ca6
0x00412ca8
0x00412cb9
0x00412cb9
0x00412caa
0x00412caa
0x00412cad
0x00412cb3
0x00412cb3
0x00412cbf
0x00412cc2
0x00412cca
0x00412cd3
0x00412cd6
0x00412cd9
0x00412cde
0x00412ce0
0x00412d27
0x00412d27
0x00412d2e
0x00412d36
0x00000000
0x00412ce2
0x00412ce2
0x00412ce8
0x00412d10
0x00412d15
0x00412d17
0x00412d24
0x00412d24
0x00000000
0x00412d17
0x00412cf5
0x00412cfa
0x00412cfd
0x00412cff
0x00412d08
0x00412d08
0x00412c75
0x00412c75
0x00412c78
0x00412c7d
0x00412c80
0x00412c85
0x00412c88
0x00000000
0x00412c8d
0x00412ce0
0x00412c26
0x00412c2b
0x00412c2d
0x00000000
0x00000000
0x00412c2f
0x00412c35
0x00412c49
0x00412c4e
0x00412c50
0x00412c5d
0x00412c5d
0x00412c72
0x00412c37
0x00412c42
0x00412c42
0x00000000
0x00412bb6
0x00412bbf
0x00412bc4
0x00412bc7
0x00412bd7
0x00412bc9
0x00412bcb
0x00412bcb
0x00412bdc
0x00412bdf
0x00412be4
0x00412be7
0x00412bee
0x00412bf1
0x00412bf9
0x00000000
0x00412bf9
0x00412bb4
0x00412b65
0x00412b68
0x00000000
0x00412b68
0x00412b18
0x00412b1b
0x00000000
0x00000000
0x00412b24
0x00412b27
0x00412b29
0x00000000
0x00412b29
0x00412b0a
0x00412ad3
0x00000000
0x00412ad3
0x00412a76
0x00412a79
0x004129fa
0x004129fa
0x004129fd
0x00412a03
0x00000000
0x00412a03
0x00412a6a
0x00000000
0x00412a6a
0x00412a4c
0x00412a4f
0x00412a54
0x00412a57
0x00412a5d
0x00000000
0x00412a5d
0x004129c7
0x004129c7
0x004129c9
0x004129cc
0x004129d2
0x00000000
0x004129d4
0x0041298e
0x0041298e
0x00412993
0x00412998
0x00412998

APIs

Part of subcall function 00411CBC: EnterCriticalSection.KERNEL32(?), ref: 00411CC5
Part of subcall function 00411CBC: LeaveCriticalSection.KERNEL32(?), ref: 00411CCF

~_Task_impl.LIBCPMT ref: 00412B68
~_Task_impl.LIBCPMT ref: 00412BF1

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CriticalSectionTask_impl$EnterLeave
String ID:
API String ID: 780354280-0
Opcode ID: d6b8e02eb3010e90d508443ffbff749d1883634f3a6c81403fd61b898c431b3d
Instruction ID: f3c787646c1c79f05cba076eed6d765f51bab2c113c252654ac499985378fac1
Opcode Fuzzy Hash: d6b8e02eb3010e90d508443ffbff749d1883634f3a6c81403fd61b898c431b3d
Instruction Fuzzy Hash: 4AD18C71100248DFCF24EF65CA909EE37B5BF08304B10452EF956972A2EB79ED95DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00410F49, Relevance: 3.1, APIs: 2, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00410F49(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t53;
				signed int _t56;
				long _t57;
				signed int _t59;
				intOrPtr* _t67;
				signed char _t68;
				signed int _t72;
				void* _t81;
				signed int _t89;
				signed int _t107;
				intOrPtr _t109;
				intOrPtr _t112;
				signed int _t114;
				void* _t116;

				_t86 = __ebx;
				_push(0x5c);
				E00416B21(E00421D1D, __ebx, __edi, __esi);
				E00401647(_t116 - 0x18, _t116,  *((intOrPtr*)(_t116 + 8)));
				 *(_t116 - 4) =  *(_t116 - 4) & 0x00000000;
				_t53 = E004099B4(_t116 - 0x18, 0x5c);
				if(_t53 <= 0) {
					L6:
					E00404082(_t116 - 0x24, _t116, _t116 - 0x18);
					_t114 =  *(_t116 - 0x14);
					 *(_t116 - 4) = 1;
					while(1) {
						_t112 =  *((intOrPtr*)(_t116 - 0x18));
						_t56 = E00410B45(_t86, _t112, _t114, __eflags, _t112); // executed
						__eflags = _t56;
						if(_t56 != 0) {
							break;
						}
						_t57 = GetLastError();
						__eflags = _t57 - 0xb7;
						if(_t57 == 0xb7) {
							E0040320A(_t116 - 0x40);
							_push(_t112);
							 *(_t116 - 4) = 2;
							_t59 = E00409371(_t86, _t116 - 0x68, _t110, _t112, _t114, __eflags); // executed
							__eflags = _t59;
							if(__eflags != 0) {
								__eflags =  *(_t116 - 0x48) >> 0x00000004 & 0x00000001;
								if(__eflags != 0) {
									_push( *((intOrPtr*)(_t116 - 0x40)));
									 *(_t116 - 4) = 1;
									L00408BFB(_t86, _t112, _t114, __eflags);
									L21:
									E00408639(_t116 - 0x18, _t116, _t116 - 0x24);
									while(1) {
										__eflags = _t114 -  *(_t116 - 0x14);
										if(__eflags >= 0) {
											break;
										}
										_t114 = E00406E0F(_t116 - 0x18, 0x5c, _t114 + 1);
										__eflags = _t114;
										if(_t114 < 0) {
											_t114 =  *(_t116 - 0x14);
										}
										_t67 = E00408730(_t116 - 0x18, _t116 - 0x30, _t114);
										 *(_t116 - 4) = 4;
										_t68 = E00410B45(_t86, _t112, _t114, __eflags,  *_t67);
										_push( *((intOrPtr*)(_t116 - 0x30)));
										asm("sbb bl, bl");
										_t86 =  ~_t68 + 1;
										 *(_t116 - 4) = 1;
										L00408BFB(_t86, _t112, _t114, __eflags);
										__eflags = _t86;
										if(__eflags != 0) {
											goto L27;
										} else {
											continue;
										}
										goto L29;
									}
									_push( *((intOrPtr*)(_t116 - 0x24)));
									L00408BFB(_t86, _t112, _t114, __eflags);
									_push( *((intOrPtr*)(_t116 - 0x18)));
									L00408BFB(_t86, _t112, _t114, __eflags);
									_t72 = 1;
								} else {
									_t89 = 0;
									goto L16;
								}
							} else {
								_t89 = 1;
								L16:
								_push( *((intOrPtr*)(_t116 - 0x40)));
								L00408BFB(_t89, _t112, _t114, __eflags);
								goto L17;
							}
						} else {
							_t114 = E004099B4(_t116 - 0x18, 0x5c);
							__eflags = _t114;
							if(__eflags < 0 || __eflags == 0) {
								_push( *((intOrPtr*)(_t116 - 0x24)));
								L00408BFB(_t86, _t112, _t114, __eflags);
								_push(_t112);
								L00408BFB(_t86, _t112, _t114, __eflags);
								_t72 = 0;
								__eflags = 0;
							} else {
								__eflags =  *((short*)(_t112 + _t114 * 2 - 2)) - 0x3a;
								if(__eflags == 0) {
									L27:
									_t89 = 0;
									L17:
									_push( *((intOrPtr*)(_t116 - 0x24)));
									L00408BFB(_t89, _t112, _t114, __eflags);
									_push( *((intOrPtr*)(_t116 - 0x18)));
									L00408BFB(_t89, _t112, _t114, __eflags);
									_t72 = _t89;
								} else {
									_t81 = E00408730(_t116 - 0x18, _t116 - 0x30, _t114);
									 *(_t116 - 4) = 3;
									E00408639(_t116 - 0x18, _t116, _t81);
									_push( *((intOrPtr*)(_t116 - 0x30)));
									 *(_t116 - 4) = 1;
									L00408BFB(_t86, _t112, _t114, __eflags);
									continue;
								}
							}
						}
						L29:
						goto L30;
					}
					goto L21;
				} else {
					_t107 =  *(_t116 - 0x14);
					_t110 = _t107 - 1;
					if(_t53 != _t107 - 1) {
						goto L6;
					} else {
						if(_t107 != 3) {
							L5:
							E00406DDA(_t116 - 0x18, _t53, 1);
							goto L6;
						} else {
							_t109 =  *((intOrPtr*)(_t116 - 0x18));
							_t121 =  *((short*)(_t109 + 2)) - 0x3a;
							if( *((short*)(_t109 + 2)) != 0x3a) {
								goto L5;
							} else {
								_push(_t109);
								L00408BFB(__ebx, __edi, __esi, _t121);
								_t72 = 1;
							}
						}
					}
				}
				L30:
				return E00416BF9(_t72);
			}

0x00410f49
0x00410f49
0x00410f50
0x00410f5b
0x00410f60
0x00410f69
0x00410f70
0x00410fa3
0x00410faa
0x00410faf
0x00410fb2
0x00411012
0x00411012
0x00411016
0x0041101b
0x0041101d
0x00000000
0x00000000
0x00410fb8
0x00410fbe
0x00410fc3
0x00411024
0x00411029
0x0041102d
0x00411031
0x00411036
0x00411038
0x00411062
0x00411064
0x0041106a
0x0041106d
0x00411071
0x00411077
0x0041107e
0x004110cb
0x004110cb
0x004110ce
0x00000000
0x00000000
0x00411091
0x00411093
0x00411095
0x00411097
0x00411097
0x004110a2
0x004110a9
0x004110ad
0x004110b2
0x004110b9
0x004110bb
0x004110bd
0x004110c1
0x004110c7
0x004110c9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004110c9
0x004110d0
0x004110d3
0x004110d8
0x004110db
0x004110e0
0x00411066
0x00411066
0x00000000
0x00411066
0x0041103a
0x0041103a
0x0041103c
0x0041103c
0x0041103f
0x00000000
0x00411044
0x00410fc5
0x00410fcf
0x00410fd1
0x00410fd3
0x004110eb
0x004110ee
0x004110f3
0x004110f4
0x004110f9
0x004110f9
0x00410fdf
0x00410fdf
0x00410fe5
0x004110e4
0x004110e4
0x00411045
0x00411045
0x00411048
0x0041104d
0x00411050
0x00411055
0x00410feb
0x00410ff3
0x00410ffc
0x00411000
0x00411005
0x00411008
0x0041100c
0x00000000
0x00411011
0x00410fe5
0x00410fd3
0x004110fb
0x00000000
0x004110fb
0x00000000
0x00410f72
0x00410f72
0x00410f75
0x00410f7a
0x00000000
0x00410f7c
0x00410f7f
0x00410f98
0x00410f9e
0x00000000
0x00410f81
0x00410f81
0x00410f84
0x00410f89
0x00000000
0x00410f8b
0x00410f8b
0x00410f8c
0x00410f91
0x00410f91
0x00410f89
0x00410f7f
0x00410f7a
0x004110fc
0x00411102

APIs

__EH_prolog3.LIBCMT ref: 00410F50
GetLastError.KERNEL32(?,?,0000005C), ref: 00410FB8

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID:
API String ID: 685212868-0
Opcode ID: 4774bcfd5b3d230c1cab38592780545ae7e7adab008589aab1010c6057eb4a87
Instruction ID: 2b8b99b76f60da9ec8f06de1b1a7b26d76a5bde200671efe753bb86a2765d737
Opcode Fuzzy Hash: 4774bcfd5b3d230c1cab38592780545ae7e7adab008589aab1010c6057eb4a87
Instruction Fuzzy Hash: 8151B131C04149DACF11E791C992AEEBB749F15308F10406FF281731E3CE7A69C6EAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413CE0, Relevance: 3.1, APIs: 2, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00413CE0(void* __ecx, intOrPtr __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t53;
				signed int _t54;
				intOrPtr* _t56;
				char _t64;
				char _t68;
				void* _t69;
				char _t75;
				char _t77;
				char _t78;
				signed int _t82;
				intOrPtr _t83;
				signed int _t84;
				intOrPtr _t98;
				char _t99;
				char _t102;
				intOrPtr _t103;
				void* _t104;
				signed int _t105;
				void* _t107;
				void* _t108;

				_t95 = __edx;
				_t105 = _t107 - 0x1004;
				E00417EA0(0x1004);
				_push(0xffffffff);
				_push(E00422276);
				_push( *[fs:0x0]);
				_t108 = _t107 - 0x2c;
				_t53 = M0042D330; // 0xdf8f31de
				_t54 = _t53 ^ _t105;
				 *(_t105 + 0x1000) = _t54;
				_push(_t54);
				 *[fs:0x0] = _t105 - 0xc;
				_t56 =  *((intOrPtr*)(_t105 + 0x1010));
				_t97 =  *((intOrPtr*)(_t105 + 0x100c));
				 *((intOrPtr*)(_t56 + 4)) = 0;
				 *((intOrPtr*)(_t105 - 0x28)) = _t56;
				 *((char*)( *_t56)) = 0;
				 *(_t105 - 0x18) =  *(_t105 - 0x18) | 0xffffffff;
				 *((intOrPtr*)(_t105 - 0x34)) = __edx;
				 *((intOrPtr*)(_t105 - 0x30)) =  *((intOrPtr*)(_t105 + 0x100c));
				 *(_t105 - 4) = 0;
				if(E0040995B(__ecx) != 0) {
					 *((intOrPtr*)(_t105 - 0x14)) = E00408C55(__edx);
					 *((intOrPtr*)(_t105 - 0x24)) = E00408C55(_t97);
					_t102 = 0;
					__eflags = 0;
					 *((char*)(_t105 - 0xd)) = 0;
					 *((intOrPtr*)(_t105 - 0x20)) = 0;
					 *((intOrPtr*)(_t105 - 0x1c)) = 0;
					while(1) {
						L4:
						_t64 = E00409578(_t105 - 0x18, _t105 + _t102, 0x1000 - _t102, _t105 - 0x2c); // executed
						__eflags = _t64;
						if(_t64 == 0) {
							goto L1;
						}
						_t68 =  *((intOrPtr*)(_t105 - 0x2c));
						__eflags = _t68;
						if(_t68 == 0) {
							L19:
							_t82 = 1;
						} else {
							_t104 = _t102 + _t68;
							_t99 = 0;
							__eflags = 0;
							_t84 = _t105;
							while(1) {
								__eflags =  *((char*)(_t105 - 0xd));
								_t69 = _t104;
								if( *((char*)(_t105 - 0xd)) != 0) {
								}
								L8:
								__eflags = _t99 - _t69 -  *((intOrPtr*)(_t105 - 0x24));
								if(_t99 > _t69 -  *((intOrPtr*)(_t105 - 0x24))) {
									L16:
									_t102 = _t104 - _t99;
									 *((intOrPtr*)(_t105 - 0x20)) =  *((intOrPtr*)(_t105 - 0x20)) + _t99;
									asm("adc dword [ebp-0x1c], 0x0");
									E00416C30(_t84, _t99, _t102, _t105, _t105 + _t99, _t102);
									_t108 = _t108 + 0xc;
									__eflags =  *((intOrPtr*)(_t105 - 0x1c));
									if( *((intOrPtr*)(_t105 - 0x1c)) > 0) {
										L18:
										__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t105 - 0x28)) + 4));
										_t82 = _t84 & 0xffffff00 |  *((intOrPtr*)( *((intOrPtr*)(_t105 - 0x28)) + 4)) == 0x00000000;
									} else {
										__eflags =  *((intOrPtr*)(_t105 - 0x20)) - 0x100000;
										if( *((intOrPtr*)(_t105 - 0x20)) <= 0x100000) {
											goto L4;
										} else {
											goto L18;
										}
									}
								} else {
									_t77 = E00415060(_t84,  *((intOrPtr*)(_t105 - 0x30)),  *((intOrPtr*)(_t105 - 0x24)));
									_t108 = _t108 + 0xc;
									__eflags = _t77;
									if(_t77 == 0) {
										goto L19;
									} else {
										_t78 =  *_t84;
										 *((char*)(_t105 - 0x38)) = _t78;
										__eflags = _t78;
										if(__eflags == 0) {
											goto L1;
										} else {
											E00408D38( *((intOrPtr*)(_t105 - 0x28)), _t95, __eflags,  *((intOrPtr*)(_t105 - 0x38)));
											L12:
											_t99 = _t99 + 1;
											_t84 = _t84 + 1;
											while(1) {
												__eflags =  *((char*)(_t105 - 0xd));
												_t69 = _t104;
												if( *((char*)(_t105 - 0xd)) != 0) {
												}
												goto L13;
											}
											goto L8;
										}
									}
								}
								goto L2;
								L13:
								__eflags = _t99 - _t69 -  *((intOrPtr*)(_t105 - 0x14));
								if(_t99 > _t69 -  *((intOrPtr*)(_t105 - 0x14))) {
									goto L16;
								} else {
									_t75 = E00415060(_t84,  *((intOrPtr*)(_t105 - 0x34)),  *((intOrPtr*)(_t105 - 0x14)));
									_t108 = _t108 + 0xc;
									__eflags = _t75;
									if(_t75 != 0) {
										goto L12;
									} else {
										_t99 = _t99 +  *((intOrPtr*)(_t105 - 0x14));
										_t84 = _t84 +  *((intOrPtr*)(_t105 - 0x14));
										 *((char*)(_t105 - 0xd)) = 1;
									}
									continue;
								}
								goto L2;
							}
						}
						goto L2;
					}
					goto L1;
				} else {
					L1:
					_t82 = 0;
				}
				L2:
				 *(_t105 - 4) =  *(_t105 - 4) | 0xffffffff;
				L0040969F(_t105 - 0x18);
				 *[fs:0x0] =  *((intOrPtr*)(_t105 - 0xc));
				_pop(_t98);
				_pop(_t103);
				_pop(_t83);
				return E00416B12(_t82, _t83,  *(_t105 + 0x1000) ^ _t105, _t95, _t98, _t103);
			}

0x00413ce0
0x00413ce1
0x00413ced
0x00413cf2
0x00413cf4
0x00413cff
0x00413d00
0x00413d03
0x00413d08
0x00413d0a
0x00413d13
0x00413d17
0x00413d1d
0x00413d23
0x00413d2b
0x00413d2e
0x00413d35
0x00413d37
0x00413d3b
0x00413d3e
0x00413d45
0x00413d4f
0x00413d8d
0x00413d95
0x00413d98
0x00413d98
0x00413d9a
0x00413d9e
0x00413da1
0x00413da4
0x00413da4
0x00413db8
0x00413dbd
0x00413dbf
0x00000000
0x00000000
0x00413dc1
0x00413dc4
0x00413dc6
0x00413e74
0x00413e74
0x00413dcc
0x00413dcc
0x00413dce
0x00413dce
0x00413dd0
0x00413dd3
0x00413dd3
0x00413dd7
0x00413dd9
0x00413dd9
0x00413ddb
0x00413dde
0x00413de0
0x00413e37
0x00413e37
0x00413e39
0x00413e41
0x00413e4a
0x00413e4f
0x00413e52
0x00413e56
0x00413e65
0x00413e68
0x00413e6c
0x00413e58
0x00413e58
0x00413e5f
0x00000000
0x00000000
0x00000000
0x00000000
0x00413e5f
0x00413de2
0x00413de9
0x00413dee
0x00413df1
0x00413df3
0x00000000
0x00413df5
0x00413df5
0x00413df7
0x00413dfa
0x00413dfc
0x00000000
0x00413e02
0x00413e08
0x00413e0d
0x00413e0d
0x00413e0e
0x00413dd3
0x00413dd3
0x00413dd7
0x00413dd9
0x00413dd9
0x00000000
0x00413dd9
0x00000000
0x00413dd3
0x00413dfc
0x00413df3
0x00000000
0x00413e11
0x00413e14
0x00413e16
0x00000000
0x00413e18
0x00413e1f
0x00413e24
0x00413e27
0x00413e29
0x00000000
0x00413e2b
0x00413e2b
0x00413e2e
0x00413e31
0x00413e31
0x00000000
0x00413e29
0x00000000
0x00413e16
0x00413dd3
0x00000000
0x00413dc6
0x00000000
0x00413d51
0x00413d51
0x00413d51
0x00413d51
0x00413d53
0x00413d53
0x00413d5a
0x00413d64
0x00413d6c
0x00413d6d
0x00413d6e
0x00413d83

APIs

_memcmp.LIBCMT ref: 00413DE9
_memcmp.LIBCMT ref: 00413E1F

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 78ef38fa871b7c9593758ba90e846cda18cf4e2d7fe881e8a5c084f9524df316
Instruction ID: 9072c5b9033ec645a03ce027045230414212cc1cb81a3bdc800e690e571dd37c
Opcode Fuzzy Hash: 78ef38fa871b7c9593758ba90e846cda18cf4e2d7fe881e8a5c084f9524df316
Instruction Fuzzy Hash: D5519072D002489FCF21DFA9D980BDEBBB4FF08355F14416AE855B3291D7389A84CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040C093, Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040C093(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				long _t29;
				intOrPtr* _t30;
				intOrPtr* _t36;
				intOrPtr* _t43;
				void* _t56;
				long _t60;
				void* _t61;

				_t59 = __esi;
				_t56 = __edx;
				_push(0xc);
				E00416B21(E00421A6F, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t61 - 0x18)) = __ecx;
				 *((intOrPtr*)(_t61 - 0x10)) = 0;
				_t58 = 0;
				 *(_t61 - 4) = 0;
				 *((intOrPtr*)(_t61 - 0x14)) = 0;
				 *(_t61 - 4) = 1;
				_t63 =  *((intOrPtr*)(_t61 + 0x10));
				if( *((intOrPtr*)(_t61 + 0x10)) == 0) {
					__eflags =  *((intOrPtr*)(_t61 + 0x14));
					if(__eflags != 0) {
						L12:
						_t29 = E0040BD49(0,  *((intOrPtr*)(_t61 - 0x18)), _t56, _t58, _t59, _t64,  *((intOrPtr*)(_t61 + 8)),  *((intOrPtr*)(_t61 + 0xc)),  *((intOrPtr*)(_t61 + 0x14)), _t58,  *((intOrPtr*)(_t61 + 0x18))); // executed
						_t60 = _t29;
						 *(_t61 - 4) = 0;
						if(_t58 != 0) {
							 *((intOrPtr*)( *_t58 + 8))(_t58);
						}
						L14:
						_t30 =  *((intOrPtr*)(_t61 - 0x10));
						 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
						if(_t30 != 0) {
							 *((intOrPtr*)( *_t30 + 8))(_t30);
						}
						return E00416BF9(_t60);
					}
					_t36 = E00408BD0(0, 0, __eflags, 0x10);
					__eflags = _t36;
					if(_t36 == 0) {
						_t59 = 0;
						__eflags = 0;
					} else {
						_t59 = E0040B3F7(_t36);
					}
					E00406200(_t61 - 0x10, _t59);
					__eflags = E00409D98(_t59,  *((intOrPtr*)( *((intOrPtr*)(_t61 - 0x18)) + 4)));
					if(__eflags != 0) {
						 *((intOrPtr*)(_t61 + 0x14)) =  *((intOrPtr*)(_t61 - 0x10));
						goto L12;
					} else {
						_t60 = GetLastError();
						goto L14;
					}
				}
				_t43 = E00408BD0(0, 0, _t63, 8);
				_t64 = _t43;
				if(_t43 == 0) {
					_t43 = 0;
					__eflags = 0;
				} else {
					 *((intOrPtr*)(_t43 + 4)) = 0;
					 *_t43 = 0x4239fc;
				}
				E00406200(_t61 - 0x14, _t43);
				_t58 =  *((intOrPtr*)(_t61 - 0x14));
				goto L12;
			}

0x0040c093
0x0040c093
0x0040c093
0x0040c09a
0x0040c09f
0x0040c0a4
0x0040c0a7
0x0040c0a9
0x0040c0ac
0x0040c0af
0x0040c0b3
0x0040c0b6
0x0040c0df
0x0040c0e2
0x0040c127
0x0040c137
0x0040c13c
0x0040c13e
0x0040c143
0x0040c148
0x0040c148
0x0040c14b
0x0040c14b
0x0040c14e
0x0040c154
0x0040c159
0x0040c159
0x0040c163
0x0040c163
0x0040c0e6
0x0040c0ec
0x0040c0ee
0x0040c0fb
0x0040c0fb
0x0040c0f0
0x0040c0f7
0x0040c0f7
0x0040c101
0x0040c113
0x0040c115
0x0040c124
0x00000000
0x0040c117
0x0040c11d
0x00000000
0x0040c11d
0x0040c115
0x0040c0ba
0x0040c0c0
0x0040c0c2
0x0040c0cf
0x0040c0cf
0x0040c0c4
0x0040c0c4
0x0040c0c7
0x0040c0c7
0x0040c0d5
0x0040c0da
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 0040C09A
GetLastError.KERNEL32(?,00000000,0000000C), ref: 0040C117

Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ErrorException@8H_prolog3LastThrow_malloc
String ID:
API String ID: 699586071-0
Opcode ID: 6f71e3ce7b022161a9afa57649c5e0132424b33a35054e030d14f24926955252
Instruction ID: a1ba42dc0e2565b842cce3423af7a9164aaecf9ecffcd2708a80ee49d7a1a354
Opcode Fuzzy Hash: 6f71e3ce7b022161a9afa57649c5e0132424b33a35054e030d14f24926955252
Instruction Fuzzy Hash: E7217E71900256DFCB10EFE5C8818AFBBB1AF44310F11417EE501BB292CB388E51DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00411356, Relevance: 3.0, APIs: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00411356(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t27;
				long _t28;
				void* _t32;
				void* _t34;
				intOrPtr* _t37;
				void* _t38;
				void* _t39;
				signed int _t41;

				_t39 = __eflags;
				_t35 = __edi;
				_t34 = __edx;
				_t29 = __ebx;
				_push(0x10);
				E00416B21(E00421DA7, __ebx, __edi, __esi);
				 *((char*)(_t38 - 0x1c)) = 0;
				E0040320A(_t38 - 0x18);
				_t37 =  *((intOrPtr*)(_t38 + 0xc));
				while(1) {
					 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
					_push(_t37);
					_push( *((intOrPtr*)(_t38 + 8)));
					_t19 = E004112DF(_t29, _t38 - 0x1c, _t35, _t37, _t39); // executed
					_t32 = _t38 - 0x1c;
					if(_t19 == 0) {
						break;
					}
					_t20 = E00410ED7(_t32);
					 *(_t38 - 4) =  *(_t38 - 4) | 0xffffffff;
					_t32 = _t38 - 0x1c;
					__eflags = _t20;
					if(__eflags == 0) {
						L8:
						E00410EFB(_t29, _t32, _t35, _t37, _t41);
						goto L9;
					} else {
						E00410EFB(_t29, _t32, _t35, _t37, __eflags);
						_push( *_t37);
						__eflags = E004093A5(_t29, _t34, _t35, _t37, __eflags);
						if(__eflags != 0) {
							L5:
							 *((char*)(_t38 - 0x1c)) = 0;
							E0040320A(_t38 - 0x18);
							continue;
						} else {
							_t27 = E00410B45(_t29, _t35, _t37, __eflags,  *_t37); // executed
							__eflags = _t27;
							if(_t27 != 0) {
								_t22 = 1;
							} else {
								_t28 = GetLastError();
								__eflags = _t28 - 0xb7;
								if(_t28 != 0xb7) {
									L9:
									_t22 = 0;
								} else {
									goto L5;
								}
							}
						}
					}
					return E00416BF9(_t22);
				}
				_t14 = _t38 - 4;
				 *_t14 =  *(_t38 - 4) | 0xffffffff;
				_t41 =  *_t14;
				goto L8;
			}

0x00411356
0x00411356
0x00411356
0x00411356
0x00411356
0x0041135d
0x00411365
0x00411369
0x0041136e
0x004113b7
0x004113b7
0x004113bb
0x004113bc
0x004113c2
0x004113c7
0x004113cc
0x00000000
0x00000000
0x00411373
0x00411378
0x0041137c
0x0041137f
0x00411381
0x004113d2
0x004113d2
0x00000000
0x00411383
0x00411383
0x00411388
0x0041138f
0x00411391
0x004113ab
0x004113ae
0x004113b2
0x00000000
0x00411393
0x00411395
0x0041139a
0x0041139c
0x004113e1
0x0041139e
0x0041139e
0x004113a4
0x004113a9
0x004113d7
0x004113d7
0x00000000
0x00000000
0x00000000
0x004113a9
0x0041139c
0x00411391
0x004113de
0x004113de
0x004113ce
0x004113ce
0x004113ce
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00000010), ref: 0041139E
__EH_prolog3.LIBCMT ref: 0041135D

Part of subcall function 004112DF: __EH_prolog3.LIBCMT ref: 004112E6

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3$ErrorLast
String ID:
API String ID: 1123136255-0
Opcode ID: 96578f8bff04cf8a7b456c39c0e24a1343eb24f2b3f1e351b7eec449cc7ada3b
Instruction ID: 4d74e45737cbc16d5ab25d606c96acb1679b630d10f22d458e1cb79225f15e9c
Opcode Fuzzy Hash: 96578f8bff04cf8a7b456c39c0e24a1343eb24f2b3f1e351b7eec449cc7ada3b
Instruction Fuzzy Hash: D0016130804209D6EF10EFA2C4127EE7B30AF21318F50455EE9B5725E6CB7D5ACA9A2D

Uniqueness

Uniqueness Score: -1.00%

Function 004094D4, Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004094D4(void** __ecx, long _a4, long _a8, long _a12, long* _a16) {
				long _v8;
				long _v12;
				long _t12;
				long _t13;
				long* _t14;

				_push(__ecx);
				_push(__ecx);
				_t12 = _a4;
				_v8 = _a8;
				_v12 = _t12;
				_t13 = SetFilePointer( *__ecx, _t12,  &_v8, _a12); // executed
				_v12 = _t13;
				if(_t13 != 0xffffffff || GetLastError() == 0) {
					_t14 = _a16;
					 *_t14 = _v12;
					_t14[1] = _v8;
					return 1;
				} else {
					return 0;
				}
			}

0x004094d7
0x004094d8
0x004094df
0x004094e2
0x004094ec
0x004094ef
0x004094f5
0x004094fb
0x0040950b
0x00409511
0x00409516
0x00000000
0x00409507
0x00000000
0x00409507

APIs

SetFilePointer.KERNELBASE(?,?,?,?), ref: 004094EF
GetLastError.KERNEL32(?,?,?,?), ref: 004094FD

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fa3f465384efa713828032d14a6a94ea8478530fef4b6e82bf37657b339afb13
Instruction ID: fbd6efd8cf4175c4798840f9bed2d540fd355ead534814f07e711e1958e42c6f
Opcode Fuzzy Hash: fa3f465384efa713828032d14a6a94ea8478530fef4b6e82bf37657b339afb13
Instruction Fuzzy Hash: 73F03AB9A00208FFCF05CFA4D8848AE7BB4EF89310B108569F815A7395C734DE41EB64

Uniqueness

Uniqueness Score: -1.00%

Function 004179F7, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004179F7(void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t8;
				void* _t12;
				void* _t20;
				void* _t21;

				_t21 = __eflags;
				E00417B6C(_t12, __edi, __esi);
				_t8 = E00418908(_t12, __edx, __edi, _t21);
				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
				E004179BA( *((intOrPtr*)(_t8 + 0x54))( *((intOrPtr*)(_t8 + 0x58)), 0x42a4b0, 0xc)); // executed
				 *((intOrPtr*)(_t20 - 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14))))));
				return E0041B09E(_t12,  *(_t20 - 4),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t20 - 0x14)))))),  *((intOrPtr*)(_t20 - 0x14)));
			}

0x004179f7
0x004179fe
0x00417a03
0x00417a08
0x00417a13
0x00417a1f
0x00417a2b

APIs

__getptd.LIBCMT ref: 00417A03

Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918

Part of subcall function 004179BA: __IsNonwritableInCurrentImage.LIBCMT ref: 004179CD
Part of subcall function 004179BA: __getptd_noexit.LIBCMT ref: 004179DD
Part of subcall function 004179BA: __freeptd.LIBCMT ref: 004179E7
Part of subcall function 004179BA: ExitThread.KERNEL32 ref: 004179F0

__XcptFilter.LIBCMT ref: 00417A24

Part of subcall function 0041B09E: __getptd_noexit.LIBCMT ref: 0041B0A6

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
String ID:
API String ID: 393088965-0
Opcode ID: 6215b15f5c09947322d8b88f687601d361d4533a62d598d40856043c2456a924
Instruction ID: 73bea7e35d643c5b26081d1ecd72eb0c33755df2b749e5cd7e68a975cd858d27
Opcode Fuzzy Hash: 6215b15f5c09947322d8b88f687601d361d4533a62d598d40856043c2456a924
Instruction Fuzzy Hash: E7E0ECB1E146049FE718BBA1CD46FBE7775EF44309F21404EF1016B2A2CB7DAD849A29

Uniqueness

Uniqueness Score: -1.00%

Function 00408BD0, Relevance: 3.0, APIs: 2, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00408BD0(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				char _v5;
				void* _t6;
				void* _t13;

				_t6 = E00417414(__ebx, _t13, __edi, _a4); // executed
				if(_t6 == 0) {
					asm("stosb");
					return E004166E0( &_v5, 0x429378);
				}
				return _t6;
			}

0x00408bd7
0x00408bdf
0x00408be4
0x00000000
0x00408bf4
0x00408bfa

APIs

_malloc.LIBCMT ref: 00408BD7

Part of subcall function 00417414: __FF_MSGBANNER.LIBCMT ref: 00417437
Part of subcall function 00417414: __NMSG_WRITE.LIBCMT ref: 0041743E
Part of subcall function 00417414: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C,00419EC2), ref: 0041748B

__CxxThrowException@8.LIBCMT ref: 00408BF4

Part of subcall function 004166E0: RaiseException.KERNEL32(?,?,?,00000001), ref: 00416722

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_malloc
String ID:
API String ID: 2732643326-0
Opcode ID: d4306bca08c0742015f8dd9fb624f9e6256735586e9571db0372f55418b293d0
Instruction ID: 04aa4d66bcb8eae7d744240562f1434118ced274b530ac757c2cc185b7e384fe
Opcode Fuzzy Hash: d4306bca08c0742015f8dd9fb624f9e6256735586e9571db0372f55418b293d0
Instruction Fuzzy Hash: A0D05E3490834979CF01EBA5D802AEE7F7C4945298B4004EAE84062243DA7AE64F9668

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA52, Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041AA52(int _a4) {

				E0041AA27(_a4);
				ExitProcess(_a4);
			}

0x0041aa5a
0x0041aa63

APIs

___crtCorExitProcess.LIBCMT ref: 0041AA5A

Part of subcall function 0041AA27: GetModuleHandleW.KERNEL32(mscoree.dll,?,0041AA5F,?,?,0041744D,000000FF,0000001E,?,0041ADD9,?,00000001,?,?,00419E31,00000018), ref: 0041AA31
Part of subcall function 0041AA27: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041AA41

ExitProcess.KERNEL32 ref: 0041AA63

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: cdf78dcfc99b7c62e93538ae0455f7e7501f9fd1b3385d9253a2e476e9fb477e
Instruction ID: 4374e543243410c85885a680b655107df52ba2b40df2f57ce153712b46731692
Opcode Fuzzy Hash: cdf78dcfc99b7c62e93538ae0455f7e7501f9fd1b3385d9253a2e476e9fb477e
Instruction Fuzzy Hash: EEB09231100148BBCB112F12DC0A8993F2AEF817A6B508026F91809031DF76EEB2DA99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C166, Relevance: 1.9, APIs: 1, Instructions: 363
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040C166(void* __ebx, intOrPtr __ecx, signed int __edi, void* __esi, void* __eflags) {
				void* __ebp;
				void* _t164;
				signed int _t168;
				signed int _t170;
				intOrPtr* _t173;
				signed int _t174;
				intOrPtr* _t176;
				intOrPtr* _t178;
				signed int _t179;
				signed int _t180;
				signed int _t181;
				signed int _t183;
				signed int _t184;
				signed int _t188;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t198;
				signed int _t200;
				signed int _t202;
				signed int _t203;
				signed int _t207;
				signed int _t212;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t235;
				intOrPtr _t243;
				signed int _t245;
				intOrPtr* _t246;
				signed int _t248;
				void* _t253;
				signed int _t300;
				intOrPtr _t304;
				intOrPtr* _t306;
				signed int _t307;
				intOrPtr* _t308;

				_t300 = __edi;
				_push(0x78);
				_t164 = E00416B21(E00421AC5, __ebx, __edi, __esi);
				_t243 = __ecx;
				 *((intOrPtr*)(_t308 + 0x18)) = __ecx;
				E0040B772(_t164, __ecx);
				if( *((intOrPtr*)( *((intOrPtr*)(_t308 + 0x38)) + 8)) < 0x20) {
					while(1) {
						_t304 =  *((intOrPtr*)(_t308 + 0x38));
						_t168 =  *(_t304 + 8);
						_t248 =  *(_t243 + 8);
						_t300 = _t300 | 0xffffffff;
						__eflags = _t168 - 1;
						 *(_t308 + 0x14) = _t300;
						if(_t168 < 1) {
							goto L6;
						}
						L4:
						__eflags = _t248 - _t168;
						if(_t248 >= _t168) {
							L53:
							__eflags =  *(_t243 + 8);
							 *((char*)(_t243 + 0x30)) = _t168 & 0xffffff00 |  *(_t243 + 8) != 0x00000000;
							_t170 = 0;
							__eflags = 0;
							goto L54;
						} else {
							 *(_t308 + 0x14) =  *(_t304 + (_t168 - _t248) * 4 - 4);
							L7:
							__eflags = _t248;
							if(__eflags != 0) {
								_t306 =  *((intOrPtr*)( *((intOrPtr*)(_t243 + 0xc)) + _t248 * 4 - 4));
								 *((short*)(_t308 + 4)) = 0;
								 *((short*)(_t308 + 6)) = 0;
								_t173 =  *_t306;
								 *(_t308 - 4) = 1;
								_t174 =  *((intOrPtr*)( *_t173 + 0x20))(_t173, 1, _t308 + 4);
								__eflags = _t174;
								if(_t174 != 0) {
									L36:
									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
									_t307 = _t174;
									E00409A4A(_t308 + 4);
									L35:
									_t170 = _t307;
									goto L54;
								}
								__eflags =  *((short*)(_t308 + 4)) - 0x13;
								if( *((short*)(_t308 + 4)) != 0x13) {
									_t160 = _t308 - 4;
									 *_t160 =  *(_t308 - 4) | 0xffffffff;
									__eflags =  *_t160;
									_t253 = _t308 + 4;
									L75:
									_t168 = E00409A4A(_t253);
									goto L53;
								}
								_t176 =  *_t306;
								_t300 =  *(_t308 + 0xc);
								_t174 =  *((intOrPtr*)( *_t176 + 0x14))(_t176, _t308);
								__eflags = _t174;
								if(_t174 != 0) {
									goto L36;
								}
								 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
								_t253 = _t308 + 4;
								__eflags = _t300 -  *_t308;
								if(_t300 >=  *_t308) {
									goto L75;
								}
								E00409A4A(_t253);
								 *(_t308 + 0x28) =  *(_t308 + 0x28) & 0x00000000;
								_t178 =  *_t306;
								 *(_t308 - 4) = 2;
								_t179 =  *((intOrPtr*)( *_t178))(_t178, 0x424104, _t308 + 0x28);
								__eflags = _t179;
								_t168 =  *(_t308 + 0x28);
								if(_t179 != 0) {
									L72:
									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
									__eflags = _t168;
									if(_t168 != 0) {
										_t168 =  *((intOrPtr*)( *_t168 + 8))(_t168);
									}
									goto L53;
								}
								__eflags = _t168;
								if(_t168 == 0) {
									goto L72;
								}
								 *(_t308 + 0x20) =  *(_t308 + 0x20) & 0x00000000;
								 *(_t308 - 4) = 3;
								_t180 =  *((intOrPtr*)( *_t168 + 0xc))(_t168, _t300, _t308 + 0x20);
								__eflags = _t180;
								_t181 =  *(_t308 + 0x20);
								if(_t180 != 0) {
									L68:
									__eflags = _t181;
									L69:
									 *(_t308 - 4) = 2;
									if(__eflags != 0) {
										 *((intOrPtr*)( *_t181 + 8))(_t181);
									}
									_t168 =  *(_t308 + 0x28);
									goto L72;
								}
								__eflags = _t181;
								if(__eflags == 0) {
									goto L69;
								}
								 *(_t308 + 0x24) =  *(_t308 + 0x24) & 0x00000000;
								_t299 = _t308 + 0x24;
								 *(_t308 - 4) = 4;
								_t183 =  *((intOrPtr*)( *_t181))(_t181, 0x424004, _t308 + 0x24);
								__eflags = _t183;
								_t184 =  *(_t308 + 0x24);
								if(_t183 != 0) {
									L65:
									 *(_t308 - 4) = 3;
									__eflags = _t184;
									if(_t184 != 0) {
										 *((intOrPtr*)( *_t184 + 8))(_t184);
									}
									_t181 =  *(_t308 + 0x20);
									goto L68;
								}
								__eflags = _t184;
								if(__eflags == 0) {
									goto L65;
								}
								E0040B9D7(_t243, _t308 - 0x48, _t300, _t306, __eflags);
								_push(_t308 - 0x44);
								_push(_t300);
								 *(_t308 - 4) = 5;
								_t188 = E0040BA1B(_t243, _t306, _t300, _t306, __eflags);
								_t245 = _t188;
								__eflags = _t245;
								if(__eflags != 0) {
									L37:
									 *(_t308 - 4) = 4;
									E0040B864(_t308 - 0x48, __eflags);
									_t190 =  *(_t308 + 0x24);
									 *(_t308 - 4) = 3;
									__eflags = _t190;
									if(_t190 != 0) {
										 *((intOrPtr*)( *_t190 + 8))(_t190);
									}
									_t191 =  *(_t308 + 0x20);
									 *(_t308 - 4) = 2;
									__eflags = _t191;
									if(_t191 != 0) {
										 *((intOrPtr*)( *_t191 + 8))(_t191);
									}
									_t192 =  *(_t308 + 0x28);
									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
									__eflags = _t192;
									if(_t192 != 0) {
										 *((intOrPtr*)( *_t192 + 8))(_t192);
									}
									_t170 = _t245;
									goto L54;
								}
								 *(_t308 + 0x1c) =  *(_t308 + 0x1c) & _t188;
								_t246 =  *((intOrPtr*)(_t308 + 0x48));
								 *(_t308 - 4) = 6;
								 *((intOrPtr*)( *_t246))(_t246, 0x424114, _t308 + 0x1c);
								_t198 =  *(_t308 + 0x1c);
								__eflags = _t198;
								if(__eflags != 0) {
									 *((intOrPtr*)( *_t198 + 0xc))(_t198,  *((intOrPtr*)(_t308 - 0x44)));
								}
								 *(_t308 - 0x28) = _t300;
								_t245 = E0040BD49(_t246, _t308 - 0x48, _t299, _t300, _t306, __eflags,  *((intOrPtr*)(_t308 + 0x34)),  *(_t308 + 0x14),  *(_t308 + 0x24), 0, _t246);
								__eflags = _t245 - 1;
								if(_t245 == 1) {
									_t200 =  *(_t308 + 0x1c);
									 *(_t308 - 4) = 5;
									__eflags = _t200;
									if(__eflags != 0) {
										 *((intOrPtr*)( *_t200 + 8))(_t200);
									}
									 *(_t308 - 4) = 4;
									E0040B864(_t308 - 0x48, __eflags);
									_t202 =  *(_t308 + 0x24);
									 *(_t308 - 4) = 3;
									__eflags = _t202;
									if(_t202 != 0) {
										 *((intOrPtr*)( *_t202 + 8))(_t202);
									}
									_t203 =  *(_t308 + 0x20);
									 *(_t308 - 4) = 2;
									__eflags = _t203;
									if(_t203 != 0) {
										 *((intOrPtr*)( *_t203 + 8))(_t203);
									}
									_t168 =  *(_t308 + 0x28);
									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
									__eflags = _t168;
									if(_t168 != 0) {
										_t168 =  *((intOrPtr*)( *_t168 + 8))(_t168);
									}
									_t243 =  *((intOrPtr*)(_t308 + 0x18));
									goto L53;
								} else {
									__eflags = _t245;
									if(__eflags != 0) {
										_t207 =  *(_t308 + 0x1c);
										 *(_t308 - 4) = 5;
										__eflags = _t207;
										if(__eflags != 0) {
											 *((intOrPtr*)( *_t207 + 8))(_t207);
										}
										goto L37;
									}
									_t307 = E0040B7A3(_t245, _t306, _t300, _t306, __eflags, _t300, _t308 - 0x24, _t308 - 0x1c);
									__eflags = _t307;
									if(__eflags != 0) {
										_t212 =  *(_t308 + 0x1c);
										 *(_t308 - 4) = 5;
										__eflags = _t212;
										if(__eflags != 0) {
											 *((intOrPtr*)( *_t212 + 8))(_t212);
										}
										 *(_t308 - 4) = 4;
										E0040B864(_t308 - 0x48, __eflags);
										_t214 =  *(_t308 + 0x24);
										 *(_t308 - 4) = 3;
										__eflags = _t214;
										if(_t214 != 0) {
											 *((intOrPtr*)( *_t214 + 8))(_t214);
										}
										_t215 =  *(_t308 + 0x20);
										 *(_t308 - 4) = 2;
										__eflags = _t215;
										if(_t215 != 0) {
											 *((intOrPtr*)( *_t215 + 8))(_t215);
										}
										_t216 =  *(_t308 + 0x28);
										 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
										__eflags = _t216;
										if(_t216 != 0) {
											 *((intOrPtr*)( *_t216 + 8))(_t216);
										}
										goto L35;
									}
									_push(_t308 - 0x48);
									E0040BB33(_t245,  *((intOrPtr*)(_t308 + 0x18)), _t300, _t307, __eflags);
									_t223 =  *(_t308 + 0x1c);
									 *(_t308 - 4) = 5;
									__eflags = _t223;
									if(__eflags != 0) {
										 *((intOrPtr*)( *_t223 + 8))(_t223);
									}
									 *(_t308 - 4) = 4;
									E0040B864(_t308 - 0x48, __eflags);
									_t225 =  *(_t308 + 0x24);
									 *(_t308 - 4) = 3;
									__eflags = _t225;
									if(_t225 != 0) {
										 *((intOrPtr*)( *_t225 + 8))(_t225);
									}
									_t226 =  *(_t308 + 0x20);
									 *(_t308 - 4) = 2;
									__eflags = _t226;
									if(_t226 != 0) {
										 *((intOrPtr*)( *_t226 + 8))(_t226);
									}
									_t227 =  *(_t308 + 0x28);
									 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
									__eflags = _t227;
									if(_t227 != 0) {
										 *((intOrPtr*)( *_t227 + 8))(_t227);
									}
									_t243 =  *((intOrPtr*)(_t308 + 0x18));
									while(1) {
										_t304 =  *((intOrPtr*)(_t308 + 0x38));
										_t168 =  *(_t304 + 8);
										_t248 =  *(_t243 + 8);
										_t300 = _t300 | 0xffffffff;
										__eflags = _t168 - 1;
										 *(_t308 + 0x14) = _t300;
										if(_t168 < 1) {
											goto L6;
										}
										goto L4;
									}
								}
							}
							E0040B9D7(_t243, _t308 - 0x84, _t300, _t304, __eflags);
							 *(_t308 - 4) =  *(_t308 - 4) & 0x00000000;
							E00408639(_t308 - 0x80, _t308,  *((intOrPtr*)(_t308 + 0x44)));
							 *(_t308 - 0x64) = _t300;
							_t235 = E0040C093(_t243, _t308 - 0x84, 1, _t300, _t304, __eflags,  *((intOrPtr*)(_t308 + 0x34)),  *(_t308 + 0x14),  *((intOrPtr*)(_t308 + 0x3c)),  *((intOrPtr*)(_t308 + 0x40)),  *((intOrPtr*)(_t308 + 0x48))); // executed
							_t307 = _t235;
							__eflags = _t307;
							if(__eflags != 0) {
								 *(_t308 - 4) = _t300;
								E0040B864(_t308 - 0x84, __eflags);
								goto L35;
							}
							_push(_t308 - 0x84);
							E0040BB33(_t243, _t243, _t300, _t307, __eflags);
							 *(_t308 - 4) = _t300;
							E0040B864(_t308 - 0x84, __eflags);
							continue;
						}
						L6:
						__eflags = _t248 - 0x20;
						if(_t248 >= 0x20) {
							goto L53;
						}
						goto L7;
					}
				} else {
					_t170 = 0x80004001;
					L54:
					 *[fs:0x0] =  *((intOrPtr*)(_t308 - 0xc));
					return _t170;
				}
			}

0x0040c166
0x0040c16a
0x0040c171
0x0040c176
0x0040c178
0x0040c17b
0x0040c189
0x0040c198
0x0040c198
0x0040c19b
0x0040c19e
0x0040c1a3
0x0040c1a7
0x0040c1a9
0x0040c1ac
0x00000000
0x00000000
0x0040c1ae
0x0040c1ae
0x0040c1b0
0x0040c4be
0x0040c4be
0x0040c4c5
0x0040c4c8
0x0040c4c8
0x00000000
0x0040c1b6
0x0040c1bf
0x0040c1cd
0x0040c1cd
0x0040c1cf
0x0040c236
0x0040c23c
0x0040c240
0x0040c244
0x0040c24e
0x0040c251
0x0040c254
0x0040c256
0x0040c418
0x0040c418
0x0040c41f
0x0040c421
0x0040c411
0x0040c411
0x00000000
0x0040c411
0x0040c25c
0x0040c261
0x0040c58b
0x0040c58b
0x0040c58b
0x0040c58f
0x0040c592
0x0040c592
0x00000000
0x0040c592
0x0040c267
0x0040c26b
0x0040c273
0x0040c276
0x0040c278
0x00000000
0x00000000
0x0040c27e
0x0040c282
0x0040c285
0x0040c288
0x00000000
0x00000000
0x0040c28e
0x0040c293
0x0040c297
0x0040c2a5
0x0040c2ac
0x0040c2ae
0x0040c2b0
0x0040c2b3
0x0040c574
0x0040c574
0x0040c578
0x0040c57a
0x0040c583
0x0040c583
0x00000000
0x0040c57a
0x0040c2b9
0x0040c2bb
0x00000000
0x00000000
0x0040c2c1
0x0040c2cd
0x0040c2d1
0x0040c2d4
0x0040c2d6
0x0040c2d9
0x0040c563
0x0040c563
0x0040c565
0x0040c565
0x0040c569
0x0040c56e
0x0040c56e
0x0040c571
0x00000000
0x0040c571
0x0040c2df
0x0040c2e1
0x00000000
0x00000000
0x0040c2e7
0x0040c2ed
0x0040c2f7
0x0040c2fb
0x0040c2fd
0x0040c2ff
0x0040c302
0x0040c552
0x0040c552
0x0040c556
0x0040c558
0x0040c55d
0x0040c55d
0x0040c560
0x00000000
0x0040c560
0x0040c308
0x0040c30a
0x00000000
0x00000000
0x0040c313
0x0040c31b
0x0040c31c
0x0040c31f
0x0040c323
0x0040c328
0x0040c32a
0x0040c32c
0x0040c428
0x0040c42b
0x0040c42f
0x0040c434
0x0040c437
0x0040c43b
0x0040c43d
0x0040c442
0x0040c442
0x0040c445
0x0040c448
0x0040c44c
0x0040c44e
0x0040c453
0x0040c453
0x0040c456
0x0040c459
0x0040c45d
0x0040c45f
0x0040c464
0x0040c464
0x0040c467
0x00000000
0x0040c467
0x0040c332
0x0040c335
0x0040c344
0x0040c348
0x0040c34a
0x0040c34d
0x0040c34f
0x0040c357
0x0040c357
0x0040c366
0x0040c371
0x0040c373
0x0040c376
0x0040c46b
0x0040c46e
0x0040c472
0x0040c474
0x0040c479
0x0040c479
0x0040c47f
0x0040c483
0x0040c488
0x0040c48b
0x0040c48f
0x0040c491
0x0040c496
0x0040c496
0x0040c499
0x0040c49c
0x0040c4a0
0x0040c4a2
0x0040c4a7
0x0040c4a7
0x0040c4aa
0x0040c4ad
0x0040c4b1
0x0040c4b3
0x0040c4b8
0x0040c4b8
0x0040c4bb
0x00000000
0x0040c37c
0x0040c37c
0x0040c37e
0x0040c4df
0x0040c4e2
0x0040c4e6
0x0040c4e8
0x0040c4f1
0x0040c4f1
0x00000000
0x0040c4e8
0x0040c394
0x0040c396
0x0040c398
0x0040c4f9
0x0040c4fc
0x0040c500
0x0040c502
0x0040c507
0x0040c507
0x0040c50d
0x0040c511
0x0040c516
0x0040c519
0x0040c51d
0x0040c51f
0x0040c524
0x0040c524
0x0040c527
0x0040c52a
0x0040c52e
0x0040c530
0x0040c535
0x0040c535
0x0040c538
0x0040c53b
0x0040c53f
0x0040c541
0x0040c54a
0x0040c54a
0x00000000
0x0040c541
0x0040c3a4
0x0040c3a5
0x0040c3aa
0x0040c3ad
0x0040c3b1
0x0040c3b3
0x0040c3b8
0x0040c3b8
0x0040c3be
0x0040c3c2
0x0040c3c7
0x0040c3ca
0x0040c3ce
0x0040c3d0
0x0040c3d5
0x0040c3d5
0x0040c3d8
0x0040c3db
0x0040c3df
0x0040c3e1
0x0040c3e6
0x0040c3e6
0x0040c3e9
0x0040c3ec
0x0040c3f0
0x0040c3f2
0x0040c3fb
0x0040c3fb
0x0040c195
0x0040c198
0x0040c198
0x0040c19b
0x0040c19e
0x0040c1a3
0x0040c1a7
0x0040c1a9
0x0040c1ac
0x00000000
0x00000000
0x00000000
0x0040c1ac
0x0040c198
0x0040c376
0x0040c1d7
0x0040c1df
0x0040c1e6
0x0040c1f7
0x0040c203
0x0040c208
0x0040c20a
0x0040c20c
0x0040c409
0x0040c40c
0x00000000
0x0040c40c
0x0040c218
0x0040c21b
0x0040c226
0x0040c229
0x00000000
0x0040c229
0x0040c1c4
0x0040c1c4
0x0040c1c7
0x00000000
0x00000000
0x00000000
0x0040c1c7
0x0040c18b
0x0040c18b
0x0040c4ca
0x0040c4cd
0x0040c4dc
0x0040c4dc

APIs

__EH_prolog3.LIBCMT ref: 0040C171

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: a745c68587d3e0408f990b5190218730a2044fcf4f7c6a4de919d18e6539e845
Instruction ID: 9fa23c60ed07d988f1f076026fc7253265bc66fd5dd24872ef19871adf6ac9e0
Opcode Fuzzy Hash: a745c68587d3e0408f990b5190218730a2044fcf4f7c6a4de919d18e6539e845
Instruction Fuzzy Hash: 9FE16F30600249DFDF04DFA5C994AAE7BB8AF49318F1482A9E845EB3D1D738DE01DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00407148, Relevance: 1.7, APIs: 1, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00407148(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t85;
				signed int _t100;
				signed int _t101;
				signed int _t104;
				intOrPtr _t105;
				void* _t108;
				unsigned int _t110;
				signed int _t112;
				intOrPtr _t126;
				void* _t146;
				intOrPtr _t158;
				signed int _t163;
				unsigned int _t166;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				void* _t177;

				_t158 = __edx;
				_push(0x10);
				E00416B21(E00421509, __ebx, __edi, __esi);
				_t126 = __ecx;
				if( *((intOrPtr*)(_t177 + 0x10)) != 4 ||  *((intOrPtr*)(_t177 + 0x1c)) != 1) {
					_t78 = 0x80070057;
				} else {
					if(E0040A8CF(__ecx + 0x10,  *((intOrPtr*)(__ecx + 0x4c8))) != 0) {
						_t81 = E0040A8CF(__ecx + 0x30,  *((intOrPtr*)(__ecx + 0x4cc)));
						__eflags = _t81;
						if(_t81 == 0) {
							goto L3;
						} else {
							_t82 = E0040A8CF(__ecx + 0x50,  *((intOrPtr*)(__ecx + 0x4d0)));
							__eflags = _t82;
							if(_t82 == 0) {
								goto L3;
							} else {
								_t160 = __ecx + 0x70;
								_t84 = E0040A8CF(__ecx + 0x70,  *((intOrPtr*)(__ecx + 0x4d4)));
								__eflags = _t84;
								if(_t84 == 0) {
									goto L3;
								} else {
									_t85 = E0040AB0A(__ecx + 0x4a0,  *((intOrPtr*)(__ecx + 0x4d8)));
									__eflags = _t85;
									if(_t85 == 0) {
										goto L3;
									} else {
										 *((intOrPtr*)(_t177 - 0x14)) = __ecx;
										_t169 =  *(_t177 + 8);
										 *(_t177 - 4) =  *(_t177 - 4) & 0x00000000;
										E0040A90A(__ecx + 0x10,  *( *(_t177 + 8)));
										E0040A90A(__ecx + 0x30,  *( *(_t177 + 8) + 4));
										E0040A90A(__ecx + 0x50,  *((intOrPtr*)( *(_t177 + 8) + 8)));
										E0040A90A(_t160,  *((intOrPtr*)(_t169 + 0xc)));
										E0040AB43(__ecx + 0x4a0,  *((intOrPtr*)( *((intOrPtr*)(_t177 + 0x14)))));
										E0040A8A8(__ecx + 0x10);
										E0040A8A8(__ecx + 0x30);
										E0040A8A8(__ecx + 0x50);
										E00406F37(_t160, __eflags);
										E0040AAC9(__ecx + 0x4a0);
										_t28 = _t177 + 8;
										 *_t28 =  *(_t177 + 8) & 0x00000000;
										__eflags =  *_t28;
										memset(__ecx + 0x98, 0x400, 0x102 << 2);
										 *((char*)(_t177 + 0x14)) = 0;
										while(1) {
											L9:
											__eflags =  *(_t177 + 8) - 0x100000;
											if( *(_t177 + 8) < 0x100000) {
												goto L13;
											}
											L10:
											_t173 =  *(_t177 + 0x20);
											__eflags = _t173;
											if(_t173 == 0) {
												goto L13;
											} else {
												_t105 = E0040AAE1(_t126 + 0x4a0);
												 *((intOrPtr*)(_t177 - 0x1c)) = _t105;
												 *((intOrPtr*)(_t177 - 0x18)) = _t158;
												_t101 =  *((intOrPtr*)( *_t173 + 0xc))(_t173, 0, _t177 - 0x1c);
												__eflags = _t101;
												if(_t101 != 0) {
													L26:
													_t172 = _t101;
												} else {
													_t40 = _t177 + 8;
													 *_t40 =  *(_t177 + 8) & _t101;
													__eflags =  *_t40;
													goto L13;
												}
											}
											L27:
											 *(_t177 - 4) =  *(_t177 - 4) | 0xffffffff;
											E0040710D(_t126);
											_t78 = _t172;
											goto L31;
											L13:
											 *((char*)(_t177 + 0x1c)) = 0;
											_t171 = 0;
											__eflags = 0;
											while(1) {
												_t100 = E00406EF1(_t126 + 0x10, _t177 + 0x1c);
												_t146 = _t126 + 0x4a0;
												__eflags = _t100;
												if(_t100 == 0) {
													break;
												}
												E00406F16(_t126, _t146,  *((intOrPtr*)(_t177 + 0x1c)));
												_t104 = E00406F8F( *((intOrPtr*)(_t177 + 0x14)),  *((intOrPtr*)(_t177 + 0x1c)));
												__eflags = _t104;
												if(_t104 != 0) {
													L17:
													 *(_t177 + 8) =  *(_t177 + 8) + _t171;
													__eflags = _t171 - 0x40000;
													if(_t171 == 0x40000) {
														L9:
														__eflags =  *(_t177 + 8) - 0x100000;
														if( *(_t177 + 8) < 0x100000) {
															goto L13;
														}
													} else {
														L18:
														_t108 = E00406FFF(_t126 + 0x98 + E00406FB4( *((intOrPtr*)(_t177 + 0x14)),  *((intOrPtr*)(_t177 + 0x1c))) * 4, _t126 + 0x70);
														__eflags = _t108 - 1;
														if(_t108 != 1) {
															 *((char*)(_t177 + 0x14)) =  *((intOrPtr*)(_t177 + 0x1c));
															do {
																goto L9;
															} while (_t171 == 0x40000);
															goto L18;
														} else {
															_t163 = 0;
															__eflags =  *((char*)(_t177 + 0x1c)) - 0xe8;
															_t110 = _t126 + 0x30;
															if( *((char*)(_t177 + 0x1c)) != 0xe8) {
																_t110 = _t126 + 0x50;
															}
															 *(_t177 - 0x10) = _t110;
															_t174 = 0;
															__eflags = 0;
															while(1) {
																_t112 = E00406EF1( *(_t177 - 0x10), _t177 + 0x13);
																__eflags = _t112;
																if(_t112 == 0) {
																	break;
																}
																_t163 = _t163 << 0x00000008 |  *(_t177 + 0x13) & 0x000000ff;
																_t174 = _t174 + 1;
																__eflags = _t174 - 4;
																if(_t174 < 4) {
																	continue;
																} else {
																	_t176 = _t126 + 0x4a0;
																	_t166 = _t163 - E0040AAE1(_t126 + 0x4a0) - 4;
																	E00406F16(_t126, _t126 + 0x4a0, _t166);
																	E00406F16(_t126, _t126 + 0x4a0, _t166 >> 8);
																	E00406F16(_t126, _t176, _t166 >> 0x10);
																	 *(_t177 - 0x10) = _t166 >> 0x18;
																	E00406F16(_t126, _t176, _t166 >> 0x18);
																	 *(_t177 + 8) =  *(_t177 + 8) + 4;
																	 *((char*)(_t177 + 0x14)) =  *(_t177 - 0x10);
																	while(1) {
																		L9:
																		__eflags =  *(_t177 + 8) - 0x100000;
																		if( *(_t177 + 8) < 0x100000) {
																			goto L13;
																		}
																		goto L10;
																	}
																}
																goto L27;
															}
															_t172 = 1;
														}
													}
												} else {
													_t171 = _t171 + 1;
													 *((char*)(_t177 + 0x14)) =  *((intOrPtr*)(_t177 + 0x1c));
													__eflags = _t171 - 0x40000;
													if(_t171 < 0x40000) {
														continue;
													} else {
														goto L17;
													}
												}
												goto L27;
											}
											_t101 = E0040ABDB(_t146);
											goto L26;
										}
									}
								}
							}
						}
					} else {
						L3:
						_t78 = 0x8007000e;
					}
				}
				L31:
				return E00416BF9(_t78);
			}

0x00407148
0x00407148
0x0040714f
0x00407154
0x0040715a
0x004073ba
0x0040716a
0x0040717a
0x0040718f
0x00407194
0x00407196
0x00000000
0x00407198
0x004071a1
0x004071a6
0x004071a8
0x00000000
0x004071aa
0x004071b0
0x004071b6
0x004071bb
0x004071bd
0x00000000
0x004071bf
0x004071cb
0x004071d0
0x004071d2
0x00000000
0x004071d4
0x004071d4
0x004071d7
0x004071dc
0x004071e3
0x004071ee
0x004071f9
0x00407203
0x00407215
0x0040721d
0x00407225
0x0040722d
0x00407234
0x0040723b
0x00407240
0x00407240
0x00407240
0x00407254
0x00407256
0x0040725a
0x0040725a
0x0040725a
0x00407261
0x00000000
0x00000000
0x00407263
0x00407263
0x00407266
0x00407268
0x00000000
0x0040726a
0x00407270
0x0040727b
0x00407281
0x00407284
0x00407287
0x00407289
0x0040739d
0x0040739d
0x0040728f
0x0040728f
0x0040728f
0x0040728f
0x00000000
0x0040728f
0x00407289
0x0040739f
0x0040739f
0x004073a5
0x004073aa
0x00000000
0x00407292
0x00407292
0x00407296
0x00407296
0x00407298
0x0040729f
0x004072a4
0x004072aa
0x004072ac
0x00000000
0x00000000
0x004072b5
0x004072c0
0x004072c5
0x004072c7
0x004072d8
0x004072d8
0x004072db
0x004072e1
0x0040725a
0x0040725a
0x00407261
0x00000000
0x00000000
0x004072e7
0x004072e7
0x004072fd
0x00407302
0x00407305
0x00407395
0x0040725a
0x00000000
0x00000000
0x00000000
0x0040730b
0x0040730b
0x0040730d
0x00407311
0x00407314
0x00407316
0x00407316
0x00407319
0x0040731c
0x0040731c
0x0040731e
0x00407325
0x0040732a
0x0040732c
0x00000000
0x00000000
0x00407339
0x0040733b
0x0040733c
0x0040733f
0x00000000
0x00407341
0x00407341
0x00407350
0x00407356
0x00407363
0x00407370
0x0040737b
0x0040737e
0x00407386
0x0040738a
0x0040725a
0x0040725a
0x0040725a
0x00407261
0x00000000
0x00000000
0x00000000
0x00407261
0x0040725a
0x00000000
0x0040733f
0x004073b7
0x004073b7
0x00407305
0x004072c9
0x004072cc
0x004072cd
0x004072d0
0x004072d6
0x00000000
0x00000000
0x00000000
0x00000000
0x004072d6
0x00000000
0x004072c7
0x004073ae
0x00000000
0x004073ae
0x0040725a
0x004071d2
0x004071bd
0x004071a8
0x0040717c
0x0040717c
0x0040717c
0x0040717c
0x0040717a
0x004073bf
0x004073c4

APIs

__EH_prolog3.LIBCMT ref: 0040714F

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 094f822e556a98e56eb2db85d0f01294e4a17ea916421102d3e624c15ae0b408
Instruction ID: 7191734e02ba6b0490eaad6bba1f0a6d97c017ddc93a550bea6bd24f0e2c9c2a
Opcode Fuzzy Hash: 094f822e556a98e56eb2db85d0f01294e4a17ea916421102d3e624c15ae0b408
Instruction Fuzzy Hash: 8061C2319002068BCF05EF25C881AAE3765AF50308F04407EFD567B2D3DB3CA926DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004135E5, Relevance: 1.7, APIs: 1, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004135E5(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				void* _t74;
				void* _t78;
				void* _t82;
				void* _t86;
				intOrPtr _t93;
				intOrPtr _t110;
				void* _t113;
				void* _t129;
				void* _t131;
				void* _t133;
				intOrPtr _t139;
				void* _t156;
				char* _t158;
				intOrPtr _t161;
				intOrPtr _t162;
				intOrPtr _t163;
				intOrPtr* _t165;
				void* _t170;

				_t170 = __eflags;
				_t160 = __esi;
				_t156 = __edx;
				_push(0x70);
				E00416B21(E0042220A, __ebx, __edi, __esi);
				_t158 =  *((intOrPtr*)(_t165 + 0x30));
				 *_t158 = 0;
				E004134F7(0, _t165 - 0x7c, _t158, __esi, _t170);
				 *(_t165 - 4) = 0;
				_t74 = E0040C825(_t165 - 0x7c, _t165 + 0xc, 0xa);
				 *(_t165 - 4) = 1;
				E00408639(0x43060c, _t165, _t74);
				_push( *((intOrPtr*)(_t165 + 0xc)));
				 *(_t165 - 4) = 0;
				L00408BFB(0, _t158, __esi, _t170);
				_pop(_t129);
				_t78 = E0040C825(_t129, _t165 + 0xc, 0x18);
				 *(_t165 - 4) = 2;
				E00408639(0x430618, _t165, _t78);
				_push( *((intOrPtr*)(_t165 + 0xc)));
				 *(_t165 - 4) = 0;
				L00408BFB(0, _t158, __esi, _t170);
				_pop(_t131);
				_t82 = E0040C825(_t131, _t165 + 0xc, 0x19);
				 *(_t165 - 4) = 3;
				E00408639(0x430624, _t165, _t82);
				_push( *((intOrPtr*)(_t165 + 0xc)));
				 *(_t165 - 4) = 0;
				L00408BFB(0, _t158, _t160, _t170);
				_pop(_t133);
				_t86 = E0040C825(_t133, _t165 + 0xc, 0x1a);
				 *(_t165 - 4) = 4;
				E00408639(0x430630, _t165, _t86);
				_push( *((intOrPtr*)(_t165 + 0xc)));
				 *(_t165 - 4) = 0;
				L00408BFB(0, _t158, _t160, _t170);
				 *((intOrPtr*)(_t165 - 0x7c)) =  *((intOrPtr*)(_t165 + 0x20));
				E00408639(_t165 - 0x78, _t165,  *((intOrPtr*)(_t165 + 0x24)));
				E00408639(_t165 - 0x6c, _t165,  *((intOrPtr*)(_t165 + 0x28)));
				_t139 = E00408BD0(0, _t158, _t170, 0x140);
				 *((intOrPtr*)(_t165 + 0x30)) = _t139;
				 *(_t165 - 4) = 5;
				_t171 = _t139;
				if(_t139 == 0) {
					_t93 = 0;
					__eflags = 0;
				} else {
					_t93 = E0041310D(0, _t139, _t158, _t160, _t171);
				}
				 *(_t165 - 4) = 0;
				 *((intOrPtr*)(_t165 - 0x60)) = _t93;
				E00406200(_t165 - 0x5c, _t93);
				_t161 =  *((intOrPtr*)(_t165 + 0x3c));
				 *((char*)( *((intOrPtr*)(_t165 - 0x60)) + 0x120)) = E00408639( *((intOrPtr*)(_t165 - 0x60)) + 0x124, _t165, _t161) & 0xffffff00 |  *((intOrPtr*)(_t161 + 4)) != 0x00000000;
				 *((char*)( *((intOrPtr*)(_t165 - 0x60)) + 0x139)) =  *((intOrPtr*)(_t165 + 0x40));
				if( *((intOrPtr*)(_t165 + 0x2c)) == 0) {
					E00413320(0, _t165 - 0x7c, _t156, _t158, _t161, __eflags);
					goto L9;
				} else {
					 *((intOrPtr*)(_t165 + 0x40)) = 0;
					 *(_t165 - 4) = 6;
					_t110 = E0040FC50(_t156, _t161, _t165 + 0x40, E004134E9, _t165 - 0x7c); // executed
					_t163 = _t110;
					_t174 = _t163;
					if(_t163 == 0) {
						E0040320A(_t165 + 0xc);
						 *(_t165 - 4) = 7;
						_t113 = E0040C825(_t165 + 0xc, _t165, 0x45);
						 *(_t165 - 4) = 8;
						E00408639(_t165 + 0xc, _t165, _t113);
						_push( *_t165);
						 *(_t165 - 4) = 7;
						L00408BFB(0, _t158, _t163, __eflags);
						E004130B7(0,  *((intOrPtr*)(_t165 - 0x60)), _t158, __eflags, _t165 + 0xc, _t165 + 0x40); // executed
						_push( *((intOrPtr*)(_t165 + 0xc)));
						L00408BFB(0, _t158, _t163, __eflags);
						 *(_t165 - 4) = 0;
						E0040FC1B(_t165 + 0x40);
						L9:
						_t162 =  *((intOrPtr*)(_t165 + 0x34));
						E00408639(_t162, _t165, _t165 - 0x18);
						__eflags =  *((intOrPtr*)(_t162 + 4));
						if(__eflags == 0) {
							__eflags =  *((intOrPtr*)(_t165 - 0x60)) + 0x114;
							E00408639(_t162, _t165,  *((intOrPtr*)(_t165 - 0x60)) + 0x114);
						}
						_t163 =  *((intOrPtr*)(_t165 - 0x1c));
						 *_t158 =  *((intOrPtr*)( *((intOrPtr*)(_t165 - 0x60)) + 0x110));
						L6:
						 *(_t165 - 4) =  *(_t165 - 4) | 0xffffffff;
						E0041353C(_t165 - 0x7c, _t163, _t174); // executed
						 *[fs:0x0] =  *((intOrPtr*)(_t165 - 0xc));
						return _t163;
					}
					E0040FC1B(_t165 + 0x40);
					goto L6;
				}
			}

0x004135e5
0x004135e5
0x004135e5
0x004135e9
0x004135f0
0x004135f5
0x004135fd
0x004135ff
0x0041360a
0x0041360d
0x00413618
0x0041361c
0x00413621
0x00413624
0x00413627
0x0041362c
0x00413633
0x0041363e
0x00413642
0x00413647
0x0041364a
0x0041364d
0x00413652
0x00413659
0x00413664
0x00413668
0x0041366d
0x00413670
0x00413673
0x00413678
0x0041367f
0x0041368a
0x0041368e
0x00413693
0x00413696
0x00413699
0x004136a8
0x004136ab
0x004136b6
0x004136c6
0x004136c8
0x004136cb
0x004136cf
0x004136d1
0x004136da
0x004136da
0x004136d3
0x004136d3
0x004136d3
0x004136e0
0x004136e3
0x004136e6
0x004136ee
0x00413706
0x00413712
0x0041371b
0x004137c7
0x00000000
0x00413721
0x00413721
0x00413731
0x00413735
0x0041373a
0x0041373c
0x0041373e
0x0041376f
0x0041377a
0x0041377e
0x00413787
0x0041378b
0x00413790
0x00413793
0x00413797
0x004137a8
0x004137ad
0x004137b0
0x004137ba
0x004137bd
0x004137cc
0x004137cc
0x004137d5
0x004137da
0x004137dd
0x004137e2
0x004137ea
0x004137ea
0x004137f8
0x004137fb
0x00413749
0x00413749
0x00413750
0x0041375a
0x00413769
0x00413769
0x00413744
0x00000000
0x00413744

APIs

__EH_prolog3.LIBCMT ref: 004135F0

Part of subcall function 004134F7: __EH_prolog3.LIBCMT ref: 004134FE

Part of subcall function 00408BD0: _malloc.LIBCMT ref: 00408BD7
Part of subcall function 00408BD0: __CxxThrowException@8.LIBCMT ref: 00408BF4

Part of subcall function 0041310D: __EH_prolog3.LIBCMT ref: 00413114

Part of subcall function 004130B7: ShowWindow.USER32(?,00000001,00000000,?,?,00000000), ref: 00413100

Part of subcall function 0040FC1B: FindCloseChangeNotification.KERNELBASE(?,?,00401769,?,?,00401A40,?,?,?), ref: 0040FC27

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3$ChangeCloseException@8FindNotificationShowThrowWindow_malloc
String ID:
API String ID: 3148577082-0
Opcode ID: ab8ddb423270678bcc60340bba0906f196b5aedbda3bce4bd2de49d63347edab
Instruction ID: 32821a47a4495b02cd0ca02b977b7952fd0f103a46899cb1509da0f48fa3398e
Opcode Fuzzy Hash: ab8ddb423270678bcc60340bba0906f196b5aedbda3bce4bd2de49d63347edab
Instruction Fuzzy Hash: 6261C37190028CEFCF01EFA4C856ADD7BB4AF19314F14806FF954A7282DA3C9A09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00403975, Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403975(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t69;
				intOrPtr* _t74;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr* _t93;
				intOrPtr _t96;
				char* _t119;
				intOrPtr* _t121;
				void* _t122;

				E00416BC0(E00421040, __ebx, __edi, __esi);
				_t121 =  *((intOrPtr*)(_t122 + 8));
				_t96 =  *((intOrPtr*)(_t122 + 0x14));
				 *((intOrPtr*)(_t122 - 0x70)) =  *((intOrPtr*)(_t122 + 0xc));
				 *((intOrPtr*)(_t122 - 0x74)) =  *((intOrPtr*)(_t122 + 0x10));
				_t118 = 0;
				 *((intOrPtr*)(_t122 - 0x78)) = _t121;
				 *((intOrPtr*)(_t122 - 4)) = 0;
				 *((intOrPtr*)( *_t121 + 0x10))(_t121, 0x78);
				 *((char*)(_t122 - 4)) = 1;
				E0040222C(_t122 - 0x6c, _t96);
				 *((intOrPtr*)(_t122 - 0x68)) = 0;
				 *((char*)(_t122 - 4)) = 3;
				_t124 = _t96;
				if(_t96 != 0) {
					_t93 =  *((intOrPtr*)(_t122 - 0x6c));
					_t116 = _t122 - 0x68;
					 *((intOrPtr*)( *_t93))(_t93, 0x424174, _t122 - 0x68);
				}
				 *((intOrPtr*)(_t122 - 0x64)) = _t118;
				 *((intOrPtr*)(_t122 - 0x5c)) = _t118;
				 *((intOrPtr*)(_t122 - 0x58)) = _t118;
				 *((intOrPtr*)(_t122 - 0x54)) = _t118;
				 *((intOrPtr*)(_t122 - 0x50)) = 4;
				 *((intOrPtr*)(_t122 - 0x60)) = 0x4234bc;
				_push( *((intOrPtr*)(_t122 - 0x74)));
				 *((char*)(_t122 - 4)) = 4;
				_t97 = E0040469F(_t96, _t122 - 0x64, _t122, _t124,  *((intOrPtr*)(_t122 - 0x70)));
				_t125 = _t97 - _t118;
				if(_t97 == _t118) {
					_t119 = _t121 + 0x1e0;
					 *_t119 = 0;
					E0040320A(_t122 - 0x84);
					_push(_t119);
					_push( *((intOrPtr*)(_t122 - 0x68)));
					_t97 = _t121 + 0x10;
					_push(_t121 + 0x10);
					 *((char*)(_t122 - 4)) = 5;
					_t69 = E004060EC(_t122 - 0x64, __eflags); // executed
					_t118 = _t69;
					__eflags = _t69;
					if(__eflags == 0) {
						E0040309E(_t97, _t97, _t116, __eflags);
						E00406200(_t121 + 8,  *((intOrPtr*)(_t122 - 0x70)));
						_push( *((intOrPtr*)(_t122 - 0x84)));
						L00408BFB(_t97, _t118, _t121, __eflags);
						 *((char*)(_t122 - 4)) = 3;
						E004037B0(_t122 - 0x64, _t121, __eflags);
						_t74 =  *((intOrPtr*)(_t122 - 0x68));
						 *((char*)(_t122 - 4)) = 2;
						__eflags = _t74;
						if(_t74 != 0) {
							 *((intOrPtr*)( *_t74 + 8))(_t74);
						}
						_t75 =  *((intOrPtr*)(_t122 - 0x6c));
						 *((char*)(_t122 - 4)) = 1;
						__eflags = _t75;
						if(_t75 != 0) {
							 *((intOrPtr*)( *_t75 + 8))(_t75);
						}
					} else {
						_push( *((intOrPtr*)(_t122 - 0x84)));
						L00408BFB(_t97, _t118, _t121, __eflags);
						 *((char*)(_t122 - 4)) = 3;
						E004037B0(_t122 - 0x64, _t121, __eflags);
						_t82 =  *((intOrPtr*)(_t122 - 0x68));
						 *((char*)(_t122 - 4)) = 2;
						__eflags = _t82;
						if(_t82 != 0) {
							 *((intOrPtr*)( *_t82 + 8))(_t82);
						}
						_t83 =  *((intOrPtr*)(_t122 - 0x6c));
						 *((char*)(_t122 - 4)) = 1;
						__eflags = _t83;
						if(_t83 != 0) {
							 *((intOrPtr*)( *_t83 + 8))(_t83);
						}
					}
				} else {
					 *((char*)(_t122 - 4)) = 3;
					E004037B0(_t122 - 0x64, _t121, _t125);
					_t88 =  *((intOrPtr*)(_t122 - 0x68));
					 *((char*)(_t122 - 4)) = 2;
					if(_t88 != _t118) {
						 *((intOrPtr*)( *_t88 + 8))(_t88);
					}
					_t89 =  *((intOrPtr*)(_t122 - 0x6c));
					 *((char*)(_t122 - 4)) = 1;
					if(_t89 != _t118) {
						 *((intOrPtr*)( *_t89 + 8))(_t89);
					}
				}
				return E00416C1C(_t97, _t118, _t121);
			}

0x0040397c
0x00403984
0x00403987
0x0040398a
0x00403990
0x00403995
0x00403998
0x0040399b
0x0040399e
0x004039a5
0x004039a9
0x004039ae
0x004039b1
0x004039b5
0x004039b7
0x004039b9
0x004039be
0x004039c8
0x004039c8
0x004039ca
0x004039cd
0x004039d0
0x004039d3
0x004039d6
0x004039dd
0x004039e4
0x004039ed
0x004039f6
0x004039f8
0x004039fa
0x00403a31
0x00403a3d
0x00403a40
0x00403a45
0x00403a46
0x00403a49
0x00403a4c
0x00403a50
0x00403a54
0x00403a59
0x00403a5b
0x00403a5d
0x00403a9f
0x00403aaa
0x00403aaf
0x00403ab5
0x00403abe
0x00403ac2
0x00403ac7
0x00403aca
0x00403ace
0x00403ad0
0x00403ad5
0x00403ad5
0x00403ad8
0x00403adb
0x00403adf
0x00403ae1
0x00403ae6
0x00403ae6
0x00403a5f
0x00403a5f
0x00403a65
0x00403a6e
0x00403a72
0x00403a77
0x00403a7a
0x00403a7e
0x00403a80
0x00403a85
0x00403a85
0x00403a88
0x00403a8b
0x00403a8f
0x00403a91
0x00403a96
0x00403a96
0x00403a99
0x004039fc
0x004039ff
0x00403a03
0x00403a08
0x00403a0b
0x00403a11
0x00403a16
0x00403a16
0x00403a19
0x00403a1c
0x00403a22
0x00403a27
0x00403a27
0x00403a2a
0x00403b11

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0040397C

Part of subcall function 004060EC: __EH_prolog3_catch.LIBCMT ref: 004060F3

Part of subcall function 004037B0: __EH_prolog3.LIBCMT ref: 004037B7
Part of subcall function 004037B0: ~_Task_impl.LIBCPMT ref: 004037C8

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3H_prolog3_catchH_prolog3_catch_Task_impl
String ID:
API String ID: 3316410470-0
Opcode ID: 3b0044870fd4bd5b5e8f24b6bd8842cd15a2c437710c0e60a707c05435f831c7
Instruction ID: 0df43bebe7c24eb3054dd4c9a2fea3a8a503b60659171841bb980735a1a66d0f
Opcode Fuzzy Hash: 3b0044870fd4bd5b5e8f24b6bd8842cd15a2c437710c0e60a707c05435f831c7
Instruction Fuzzy Hash: FB516D70A00349DFDB01DFE5C548A9DBFB8AF55308F24409EE44ABB382DB799A45CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00410C9B, Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00410C9B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t38;
				void* _t42;
				intOrPtr _t47;
				void* _t52;
				intOrPtr _t53;
				intOrPtr _t57;
				void* _t75;
				intOrPtr _t76;
				void* _t77;

				_t77 = __eflags;
				_t72 = __edi;
				_t71 = __edx;
				_push(0x60);
				E00416B21(E00421CDA, __ebx, __edi, __esi);
				E0040320A(_t75 - 0x44);
				_t74 =  *((intOrPtr*)(_t75 + 8));
				_push(0x5c);
				_push( *((intOrPtr*)(_t75 + 8)));
				_t57 = 0;
				_push(_t75 - 0x18);
				 *((intOrPtr*)(_t75 - 4)) = 0;
				E00410931(0, __edx, __edi, _t74, _t77);
				_push(0x2a);
				_push(_t75 - 0x18);
				_push(_t75 - 0x24);
				 *((char*)(_t75 - 4)) = 1;
				_push(E00410931(0, __edx, _t72, _t74, _t77));
				 *((char*)(_t75 - 4)) = 2;
				E00410971(0, _t75 - 0x34, _t72, _t74, _t77);
				_push( *((intOrPtr*)(_t75 - 0x24)));
				 *((char*)(_t75 - 4)) = 4;
				L00408BFB(0, _t72, _t74, _t77);
				while(1) {
					_t38 = E004093F7(_t75 - 0x34, _t75, _t75 - 0x6c);
					_t78 = _t38;
					if(_t38 == 0) {
						break;
					}
					_push(_t75 - 0x6c);
					_t76 = _t76 - 0xc;
					 *((intOrPtr*)(_t75 + 8)) = _t76;
					E00404082(_t76, _t75, _t75 - 0x18); // executed
					_t42 = E00410C2B(_t57, _t71, __eflags); // executed
					__eflags = _t42 - _t57;
					if(__eflags == 0) {
						_push( *((intOrPtr*)(_t75 - 0x30)));
						 *((char*)(_t75 - 4)) = 1;
						L00408BFB(_t57, _t72, _t74, __eflags);
						E004091A4(_t75 - 0x34);
						_push( *((intOrPtr*)(_t75 - 0x18)));
						L00408BFB(_t57, _t72, _t74, __eflags);
						_push( *((intOrPtr*)(_t75 - 0x44)));
						L00408BFB(_t57, _t72, _t74, __eflags);
						_t47 = 0;
					} else {
						continue;
					}
					L5:
					return E00416BF9(_t47);
				}
				_push( *((intOrPtr*)(_t75 - 0x30)));
				 *((char*)(_t75 - 4)) = 1;
				L00408BFB(_t57, _t72, _t74, _t78);
				E004091A4(_t75 - 0x34);
				_t52 = E00410A7A(_t57, _t72, _t74, _t78,  *_t74, _t57); // executed
				_t79 = _t52;
				if(_t52 != 0) {
					_t53 = E00410AE4(_t57, _t72, _t74, __eflags,  *_t74); // executed
					_t57 = _t53;
				}
				_push( *((intOrPtr*)(_t75 - 0x18)));
				L00408BFB(_t57, _t72, _t74, _t79);
				_push( *((intOrPtr*)(_t75 - 0x44)));
				L00408BFB(_t57, _t72, _t74, _t79);
				_t47 = _t57;
				goto L5;
			}

0x00410c9b
0x00410c9b
0x00410c9b
0x00410c9b
0x00410ca2
0x00410caa
0x00410caf
0x00410cb2
0x00410cb4
0x00410cb8
0x00410cba
0x00410cbb
0x00410cbe
0x00410cc3
0x00410cc8
0x00410ccc
0x00410ccd
0x00410cd6
0x00410cda
0x00410cde
0x00410ce3
0x00410ce6
0x00410cea
0x00410d10
0x00410d17
0x00410d1c
0x00410d1e
0x00000000
0x00000000
0x00410cf5
0x00410cf6
0x00410cfe
0x00410d02
0x00410d07
0x00410d0c
0x00410d0e
0x00410d5e
0x00410d61
0x00410d65
0x00410d6e
0x00410d73
0x00410d76
0x00410d7b
0x00410d7e
0x00410d85
0x00000000
0x00000000
0x00000000
0x00410d56
0x00410d5b
0x00410d5b
0x00410d20
0x00410d23
0x00410d27
0x00410d30
0x00410d39
0x00410d3e
0x00410d40
0x00410d8b
0x00410d90
0x00410d90
0x00410d42
0x00410d45
0x00410d4a
0x00410d4d
0x00410d54
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00410CA2

Part of subcall function 00410931: __EH_prolog3.LIBCMT ref: 00410938

Part of subcall function 00410971: __EH_prolog3.LIBCMT ref: 00410978

Part of subcall function 004091A4: FindClose.KERNELBASE ref: 004091AF

Part of subcall function 00410AE4: __EH_prolog3.LIBCMT ref: 00410AEB
Part of subcall function 00410AE4: RemoveDirectoryW.KERNELBASE(?,0000000C), ref: 00410AF9

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3$CloseDirectoryFindRemove
String ID:
API String ID: 1902238476-0
Opcode ID: 92857905ac07267ff72435b12b878da609423ae1d4aa5fd680341179c6d8a001
Instruction ID: a3cc244adccf2e4cac89145f1c327d215d4d92245b22a372655b58a5773b09a4
Opcode Fuzzy Hash: 92857905ac07267ff72435b12b878da609423ae1d4aa5fd680341179c6d8a001
Instruction Fuzzy Hash: E52181B1804108AEDF00FBE5DA52ADE7BB89F14318F10406FF580771D3DEB96AC59A69

Uniqueness

Uniqueness Score: -1.00%

Function 00411EC8, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411EC8(void* __ecx, void* __edx) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _t25;
				signed int _t27;
				void* _t35;
				signed int _t37;
				void* _t39;

				_t35 = __edx;
				_t39 = __ecx;
				_t36 = __ecx + 0x58;
				if(E00411CFC(__ecx + 0x58) == 0) {
					E00411E99(__ecx);
					E00411D6E(_t36,  &_v20,  &_v12);
					_t37 = _v20;
					_t27 = _v16;
					if(_t37 !=  *((intOrPtr*)(__ecx + 0x40)) || _t27 !=  *((intOrPtr*)(__ecx + 0x44))) {
						E00411DDF(_t39, _t37, _t27);
					}
					E00411E2A(_t39, _v12, _v8); // executed
					if((_t37 | _t27) == 0) {
						_t37 = 1;
						_t27 = 0;
					}
					_t25 = E00417E00(E004176B0(_v12, _v8, 0x64, 0), _t35, _t37, _t27);
					if(_t25 !=  *((intOrPtr*)(_t39 + 0x4c))) {
						 *((intOrPtr*)(_t39 + 0x4c)) = _t25;
					}
				}
				return 1;
			}

0x00411ec8
0x00411ecf
0x00411ed2
0x00411ede
0x00411ee3
0x00411ef2
0x00411ef7
0x00411efa
0x00411f00
0x00411f0b
0x00411f0b
0x00411f18
0x00411f21
0x00411f25
0x00411f26
0x00411f26
0x00411f3b
0x00411f44
0x00411f46
0x00411f46
0x00411f44
0x00411f4e

APIs

Part of subcall function 00411CFC: EnterCriticalSection.KERNEL32(?,?,?,?,00411EDC), ref: 00411D05
Part of subcall function 00411CFC: LeaveCriticalSection.KERNEL32(?,?,?,00411EDC), ref: 00411D0F

Part of subcall function 00411E99: PostMessageW.USER32(?,00008000,00000000,00000000), ref: 00411EAE

Part of subcall function 00411D6E: EnterCriticalSection.KERNEL32(?,?,?,00411EF7,?,?), ref: 00411D76
Part of subcall function 00411D6E: LeaveCriticalSection.KERNEL32(?,?,00411EF7,?,?), ref: 00411D9B

__aulldiv.LIBCMT ref: 00411F3B

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CriticalSection$EnterLeave$MessagePost__aulldiv
String ID:
API String ID: 3743465594-0
Opcode ID: a8577b5923c133be84352f7fc4ff1d46fad0c7c12c13c5344a69fe3690ba1475
Instruction ID: 519ab6dd52a514ac1fada1918d288c045c626b422648050e404c23596e31d368
Opcode Fuzzy Hash: a8577b5923c133be84352f7fc4ff1d46fad0c7c12c13c5344a69fe3690ba1475
Instruction Fuzzy Hash: A8016175700214ABDB21AB968C819FFB7BEAB84714F00045BF642A3661D779BD828668

Uniqueness

Uniqueness Score: -1.00%

Function 0040A912, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040A912(intOrPtr* __ecx, void* __edi) {
				char _v8;
				char _v12;
				intOrPtr* _t21;
				char _t22;
				intOrPtr _t23;
				signed int _t24;
				signed int _t25;
				signed int _t26;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t39;

				_push(__ecx);
				_push(__ecx);
				_t39 = __ecx;
				if( *((char*)(__ecx + 0x1c)) == 0) {
					_t30 =  *((intOrPtr*)(__ecx + 8));
					asm("cdq");
					 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(__ecx + 0x10)) +  *__ecx - _t30;
					_t21 =  *((intOrPtr*)(__ecx + 0xc));
					asm("adc [esi+0x14], edx");
					_t22 =  *((intOrPtr*)( *_t21 + 0xc))(_t21, _t30,  *((intOrPtr*)(__ecx + 0x18)),  &_v12, __edi);
					if(_t22 != 0) {
						_v8 = _t22;
						E004166E0( &_v8, 0x4295d4);
					}
					_t23 =  *((intOrPtr*)(_t39 + 8));
					_t31 = _v12;
					 *_t39 = _t23;
					_t24 = _t23 + _t31;
					 *(_t39 + 4) = _t24;
					_t25 = _t24 & 0xffffff00 | _t31 == 0x00000000;
					 *(_t39 + 0x1c) = _t25;
					_t26 = 0 | _t25 == 0x00000000;
				} else {
					_t26 = 0;
				}
				return _t26;
			}

0x0040a915
0x0040a916
0x0040a918
0x0040a91e
0x0040a924
0x0040a92c
0x0040a92d
0x0040a930
0x0040a936
0x0040a941
0x0040a947
0x0040a949
0x0040a955
0x0040a955
0x0040a95a
0x0040a95d
0x0040a960
0x0040a962
0x0040a966
0x0040a969
0x0040a973
0x0040a976
0x0040a920
0x0040a920
0x0040a920
0x0040a97a

APIs

__CxxThrowException@8.LIBCMT ref: 0040A955

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 9a5bb656170a8548dc9b28687d5c3d08d929b8bddbdff51618608348ab6e88b3
Instruction ID: 50af47bc67f8884ff376a5bab392e23a2d223ecb1341b9976338e81d63542ba6
Opcode Fuzzy Hash: 9a5bb656170a8548dc9b28687d5c3d08d929b8bddbdff51618608348ab6e88b3
Instruction Fuzzy Hash: 520171B1600701AFCB28CF69C80599BBBF8EF453547048A6EA4C6D3651D774F945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00410C2B, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00410C2B(void* __ebx, void* __edx, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t21;
				void* _t22;
				void* _t28;
				signed char _t32;
				void* _t36;
				void* _t37;
				void* _t38;

				_t29 = __ebx;
				_push(0x18);
				E00416B21(E00421C9F, __ebx, _t36, _t37);
				_t17 =  *((intOrPtr*)(_t38 + 0x14));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_push(_t17 + 0x28);
				_t32 =  *(_t17 + 0x20) >> 4;
				_push(_t38 + 8);
				_t40 = _t32 & 0x00000001;
				if((_t32 & 0x00000001) == 0) {
					_push(_t38 - 0x24);
					_t21 = E004096A4(__ebx, _t36, _t37, __eflags);
					 *(_t38 - 4) = 2;
					_t22 = E00410BBB(_t29, _t36, _t37, __eflags,  *_t21); // executed
					_push( *((intOrPtr*)(_t38 - 0x24)));
				} else {
					_push(_t38 - 0x18);
					_t28 = E004096A4(__ebx, _t36, _t37, _t40);
					 *(_t38 - 4) = 1;
					_t22 = E00410C9B(_t29, __edx, _t36, _t37, _t40, _t28); // executed
					_push( *((intOrPtr*)(_t38 - 0x18)));
				}
				_t30 = _t22;
				L00408BFB(_t22, _t36, _t37, _t40);
				_push( *((intOrPtr*)(_t38 + 8)));
				L00408BFB(_t30, _t36, _t37, _t40);
				return E00416BF9(_t30);
			}

0x00410c2b
0x00410c2b
0x00410c32
0x00410c37
0x00410c3d
0x00410c44
0x00410c45
0x00410c4b
0x00410c4c
0x00410c4f
0x00410c85
0x00410c86
0x00410c8d
0x00410c91
0x00410c96
0x00410c51
0x00410c54
0x00410c55
0x00410c5b
0x00410c5f
0x00410c64
0x00410c64
0x00410c67
0x00410c69
0x00410c6f
0x00410c72
0x00410c7f

APIs

__EH_prolog3.LIBCMT ref: 00410C32

Part of subcall function 004096A4: __EH_prolog3.LIBCMT ref: 004096AB

Part of subcall function 00410C9B: __EH_prolog3.LIBCMT ref: 00410CA2

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 4d4e0dcfe11b06af6a436e5975cd8dc8da7dc430d953ff75daa15a87d4c36061
Instruction ID: 06cb761f1f525b4146118a468f0d354c53039bfffbfcc7a97c900ac5a6a9224e
Opcode Fuzzy Hash: 4d4e0dcfe11b06af6a436e5975cd8dc8da7dc430d953ff75daa15a87d4c36061
Instruction Fuzzy Hash: DCF06D75400108AEDB05EB95C946FDD3BA8AF19308F00045EF540A72A3DABDEAD4AA6C

Uniqueness

Uniqueness Score: -1.00%

Function 004130B7, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E004130B7(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v16;
				void* __esi;
				void* __ebp;
				intOrPtr* _t11;
				struct HWND__** _t23;
				void* _t24;

				_t25 = __eflags;
				_push(0);
				 *((char*)(__ecx + 0x88)) =  *((intOrPtr*)(__ecx + 0x139));
				E00413069(__ecx + 0x70, _t24, __eflags, _a4, _a8);
				_t11 = E0040C825(__ecx + 0x70,  &_v16, 0x45);
				_t23 = __ecx + 0x74;
				E00411A09(_t23,  *_t11);
				_push(_v16);
				L00408BFB(__ebx, __edi, _t23, _t25);
				ShowWindow( *_t23, 1); // executed
				return 0;
			}

0x004130b7
0x004130be
0x004130d1
0x004130d7
0x004130e2
0x004130e9
0x004130ee
0x004130f3
0x004130f6
0x00413100
0x0041310a

APIs

Part of subcall function 00411A09: SetWindowTextW.USER32(?,?), ref: 00411A0F

ShowWindow.USER32(?,00000001,00000000,?,?,00000000), ref: 00413100

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Window$ShowText
String ID:
API String ID: 1551406749-0
Opcode ID: 1d723ac78e123607468227b77314dfeb5bfc8c16ff1377d6652a3ddb02af6c3b
Instruction ID: 35af53d8c1d0c1f4d98bec84655a3a64350064d86e18da663c696bb970858594
Opcode Fuzzy Hash: 1d723ac78e123607468227b77314dfeb5bfc8c16ff1377d6652a3ddb02af6c3b
Instruction Fuzzy Hash: 9CF0E235500204BBCF11BB74DC06EC97FA4AF08314F00442EF999661A2DE75A614D788

Uniqueness

Uniqueness Score: -1.00%

Function 00412707, Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00412707(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t31;
				intOrPtr _t33;
				void* _t34;

				_t22 = __ebx;
				_push(0xc);
				E00416B21(E00421D84, __ebx, __edi, __esi);
				E00404082(_t34 - 0x18, _t34, __ecx + 0x14);
				_t33 =  *((intOrPtr*)(_t34 + 8));
				_t31 = 0;
				_t36 =  *((intOrPtr*)(_t33 + 8));
				 *((intOrPtr*)(_t34 - 4)) = 0;
				if( *((intOrPtr*)(_t33 + 8)) > 0) {
					do {
						E00408FDE(_t34 - 0x18, _t36,  *((intOrPtr*)( *((intOrPtr*)(_t33 + 0xc)) + _t31 * 4)));
						E00410B45(__ebx, _t31, _t33, _t36,  *((intOrPtr*)(_t34 - 0x18))); // executed
						E00408670(_t34 - 0x18, __edx, _t36, 0x5c);
						_t31 = _t31 + 1;
						_t37 = _t31 -  *((intOrPtr*)(_t33 + 8));
					} while (_t31 <  *((intOrPtr*)(_t33 + 8)));
				}
				_push( *((intOrPtr*)(_t34 - 0x18)));
				return E00416BF9(L00408BFB(_t22, _t31, _t33, _t37));
			}

0x00412707
0x00412707
0x0041270e
0x0041271a
0x0041271f
0x00412722
0x00412724
0x00412727
0x0041272a
0x0041272c
0x00412735
0x0041273d
0x00412747
0x0041274c
0x0041274d
0x0041274d
0x0041272c
0x00412752
0x00412760

APIs

__EH_prolog3.LIBCMT ref: 0041270E

Part of subcall function 00410B45: __EH_prolog3.LIBCMT ref: 00410B4C
Part of subcall function 00410B45: CreateDirectoryW.KERNELBASE(?,00000000,0000000C), ref: 00410B5C

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3$CreateDirectory
String ID:
API String ID: 2028411195-0
Opcode ID: 680fc5b7399a9a7d36ef100d09777f1b627b696937855766d1482f4967b77199
Instruction ID: 7158408a5ca7f67ee087e461847e5e65f72557397dec4d11aca8ef9227536058
Opcode Fuzzy Hash: 680fc5b7399a9a7d36ef100d09777f1b627b696937855766d1482f4967b77199
Instruction Fuzzy Hash: C5F030714005069ECB01AB96CD42DAEBB71BF50308F42403EA295764E2DE79B9C29B88

Uniqueness

Uniqueness Score: -1.00%

Function 00409322, Relevance: 1.5, APIs: 1, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00409322(void** __ecx, intOrPtr __edi, intOrPtr _a4) {
				signed int _v8;
				struct _WIN32_FIND_DATAW _v600;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t8;
				int _t11;
				signed int _t16;
				signed int _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_t23 = __edi;
				_t8 = M0042D330; // 0xdf8f31de
				_v8 = _t8 ^ _t25;
				_t24 = _a4;
				_t11 = FindNextFileW( *__ecx,  &_v600); // executed
				_t17 = _t16 & 0xffffff00 | _t11 != 0x00000000;
				_t27 = _t17;
				if(_t17 != 0) {
					E00409208( &_v600, _t22, _t24, _t27);
				}
				return E00416B12(_t17, _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x00409322
0x0040932b
0x00409332
0x00409337
0x00409345
0x0040934d
0x00409350
0x00409352
0x0040935a
0x0040935a
0x0040936e

APIs

FindNextFileW.KERNELBASE(?,?), ref: 00409345

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: ba9aaa0b6fb6c2b9981656ad43bb8ff57261fbd588c33b01968ce32a112db831
Instruction ID: 50a54b88040d337bb30b5fd9b7dd6588afd92b3ccd64aa48da0fe6d42f572788
Opcode Fuzzy Hash: ba9aaa0b6fb6c2b9981656ad43bb8ff57261fbd588c33b01968ce32a112db831
Instruction Fuzzy Hash: D4F06531B11118ABC710EF64DD459EEB7B8AB49309B4400BBA801E7291EA34AE489B58

Uniqueness

Uniqueness Score: -1.00%

Function 00410D94, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00410D94(intOrPtr* _a8) {
				WCHAR* _v0;
				signed int _t9;
				intOrPtr _t16;
				intOrPtr* _t17;

				_t17 = _a8;
				GetShortPathNameW(_v0, E00403FA3(_t17, 0x105), 0x105); // executed
				_t16 =  *_t17;
				_t9 = E0040116F(_t16);
				 *((short*)(_t16 + _t9 * 2)) = 0;
				 *(_t17 + 4) = _t9;
				asm("sbb eax, eax");
				return 0x103;
			}

0x00410d96
0x00410dae
0x00410db4
0x00410db9
0x00410dc0
0x00410dc4
0x00410dd0
0x00410dd5

APIs

GetShortPathNameW.KERNEL32 ref: 00410DAE

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: NamePathShort
String ID:
API String ID: 1295925010-0
Opcode ID: 6fae0eace9c53e5ecf934df93bf2eb8d8b54f1cf5e6833b2f46910c6f4da1c54
Instruction ID: a71ba42fb66b3bcab4a07320303146cf8ca67d7ce159cff85be98903d7b5ab96
Opcode Fuzzy Hash: 6fae0eace9c53e5ecf934df93bf2eb8d8b54f1cf5e6833b2f46910c6f4da1c54
Instruction Fuzzy Hash: 3DE09A712096106FE710AF6CEC4886BE2EDEFA8710B00083FF482D32A0DA689D518664

Uniqueness

Uniqueness Score: -1.00%

Function 00410E98, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410E98(WCHAR* _a4, intOrPtr* _a12) {
				WCHAR* _v0;
				int _t8;
				signed int _t9;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t15 = _a12;
				_t8 = GetTempFileNameW(_v0, _a4, 0, E00403FA3(_t15, 0x105)); // executed
				_t14 =  *_t15;
				_t9 = E0040116F(_t14);
				 *((short*)(_t14 + _t9 * 2)) = 0;
				 *(_t15 + 4) = _t9;
				return _t8;
			}

0x00410e9a
0x00410eb6
0x00410ebc
0x00410ec1
0x00410ec8
0x00410ecd
0x00410ed4

APIs

GetTempFileNameW.KERNELBASE(?,?,00000000,00000000,00000105), ref: 00410EB6

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 89ee732e139718721cb7d2bd7b42053a77cea1bfb762c2ad0debfd8e99515b9f
Instruction ID: 1256aeead1201c2553e3fa3d07c8bf1e1a978611c619f05f4f725b231cb39a67
Opcode Fuzzy Hash: 89ee732e139718721cb7d2bd7b42053a77cea1bfb762c2ad0debfd8e99515b9f
Instruction Fuzzy Hash: B5E01A72209711AFD7109F69AC05A5BB7EDEF88B10F10442FB581A32A0C6B569158B69

Uniqueness

Uniqueness Score: -1.00%

Function 00407512, Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00407512(intOrPtr __ecx, void* __esi, void* __eflags) {
				void* _t19;
				void* _t21;
				void* _t28;
				void* _t31;
				void* _t32;

				_t32 = __eflags;
				_push(4);
				E00416B21(E0042156B, _t21, _t28, __esi);
				 *((intOrPtr*)(_t31 - 0x10)) = __ecx;
				 *(_t31 - 4) = 3;
				E004070DC(_t21, __ecx + 0x4a0, _t28, __ecx, _t32); // executed
				 *(_t31 - 4) = 2;
				E004070AB(_t21, __ecx + 0x70, _t28, __ecx, _t32); // executed
				 *(_t31 - 4) = 1;
				E004070AB(_t21, __ecx + 0x50, _t28, __ecx, _t32); // executed
				 *(_t31 - 4) = 0;
				E004070AB(_t21, __ecx + 0x30, _t28, __ecx, _t32); // executed
				_t10 = _t31 - 4;
				 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
				_t19 = E004070AB(_t21, __ecx + 0x10, _t28, __ecx,  *_t10); // executed
				return E00416BF9(_t19);
			}

0x00407512
0x00407512
0x00407519
0x00407520
0x00407529
0x00407530
0x00407538
0x0040753c
0x00407544
0x00407548
0x00407550
0x00407554
0x00407559
0x00407559
0x00407560
0x0040756a

APIs

__EH_prolog3.LIBCMT ref: 00407519

Part of subcall function 004070DC: __EH_prolog3.LIBCMT ref: 004070E3

Part of subcall function 004070AB: __EH_prolog3.LIBCMT ref: 004070B2

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: a2dfb0107afbf5b9dcd330f123fec27b88cc5bbc74443d789a3f71815f2b0a93
Instruction ID: df91484ffcd8d91b4707bd9d7c24a84f0edf961155dc25835aee18bb5dbfda0e
Opcode Fuzzy Hash: a2dfb0107afbf5b9dcd330f123fec27b88cc5bbc74443d789a3f71815f2b0a93
Instruction Fuzzy Hash: EDF05EB0808750DAD714EBB1D50639EBBA06F14308F90469DD452232C2CB7C7709C65B

Uniqueness

Uniqueness Score: -1.00%

Function 004095E8, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004095E8(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				long _t12;
				signed int _t14;
				void** _t16;

				_t16 = __ecx;
				_push(__ecx);
				_t12 =  *0x42cb34; // 0x400000
				if(_a8 > _t12) {
					_a8 = _t12;
				}
				_v8 = _v8 & 0x00000000;
				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t14 & 0xffffff00 | _t14 != 0x00000000;
			}

0x004095e8
0x004095eb
0x004095ec
0x004095f4
0x004095f6
0x004095f6
0x004095f9
0x0040960b
0x00409619
0x0040961f

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040960B

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b78c8f0ccf31d0e04b92ae2b446c5026141f050a122207180bcc39ec2181ce27
Instruction ID: ce6839aeb588f27f8867698078c1af3c3476177279ac19fcad85c05ab0eaab47
Opcode Fuzzy Hash: b78c8f0ccf31d0e04b92ae2b446c5026141f050a122207180bcc39ec2181ce27
Instruction Fuzzy Hash: B0E0C275640208FBCB11CF95D941B9E7BBAAB08755F50C069F9149A260D339AA10EF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041A99E, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A99E(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x430e7c = _t6;
				if(_t6 != 0) {
					 *0x4342d8 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0041a9b3
0x0041a9b9
0x0041a9c0
0x0041a9c7
0x0041a9cd
0x0041a9c3
0x0041a9c3
0x0041a9c3

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041A9B3

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 6705fbeee63e26d030e15f6d43d3b95a5db92502f44a05acec2408635e691eb1
Instruction ID: ad416ea7c8b49a8563809eaa466955e11c78e76269a931f48dce1fda58f8df30
Opcode Fuzzy Hash: 6705fbeee63e26d030e15f6d43d3b95a5db92502f44a05acec2408635e691eb1
Instruction Fuzzy Hash: E7D05E726503046ADB109FB16C097723BDC9384795F144836B81CC62A0E578D5A0CA08

Uniqueness

Uniqueness Score: -1.00%

Function 00409535, Relevance: 1.5, APIs: 1, Instructions: 18
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00409535(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
				long _v8;
				signed int _t11;

				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
				 *_a12 = _v8;
				return _t11 & 0xffffff00 | _t11 != 0x00000000;
			}

0x00409538
0x00409539
0x0040954b
0x00409559
0x0040955f

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0040954B

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 5d9282babb6fcf3e00ba45c1f4ba6be9a1073a78d6b2a9e96cfd0fa35014f32c
Instruction ID: a2cd3b8a2ea8a0c7dfc18a42d7b41d56f9abded95085a1eabc97c81f7edaf72b
Opcode Fuzzy Hash: 5d9282babb6fcf3e00ba45c1f4ba6be9a1073a78d6b2a9e96cfd0fa35014f32c
Instruction Fuzzy Hash: 7AE0EC75201208FFDB01CF90CC01F9E7BBDEB49755F208058E90496164C7759A14EB64

Uniqueness

Uniqueness Score: -1.00%

Function 004131B8, Relevance: 1.5, APIs: 1, Instructions: 17
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004131B8(struct HWND__** __ecx) {
				struct HWND__* _t3;
				signed int _t4;
				signed int _t5;
				signed int* _t8;

				_t8 = __ecx;
				_t3 =  *__ecx;
				if(_t3 != 0) {
					_t4 = DestroyWindow(_t3); // executed
					_t5 = _t4 & 0xffffff00 | _t4 != 0x00000000;
					if(_t5 != 0) {
						 *_t8 =  *_t8 & 0x00000000;
						return _t5;
					}
					return _t5;
				} else {
					return 1;
				}
			}

0x004131b9
0x004131bb
0x004131bf
0x004131c6
0x004131ce
0x004131d3
0x004131d5
0x00000000
0x004131d5
0x004131d9
0x004131c1
0x004131c4
0x004131c4

APIs

DestroyWindow.USER32 ref: 004131C6

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 53a8ea379b7d00479024dc1505115ad1629d640bb62f35358d3f99fe7c566f6c
Instruction ID: 7298449ebcc8be9521e5c8a9423c1ed6b15aaaa6b217507720e11277dd58528e
Opcode Fuzzy Hash: 53a8ea379b7d00479024dc1505115ad1629d640bb62f35358d3f99fe7c566f6c
Instruction Fuzzy Hash: EAD01231714211A7DB705E2DB8447D633DD5F11723B15445AFC80CB240DB68DDC35A58

Uniqueness

Uniqueness Score: -1.00%

Function 00412E93, Relevance: 1.5, APIs: 1, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412E93(void* __ecx) {
				int _t7;

				E0040FC41( *((intOrPtr*)(__ecx + 0x54)));
				if( *((intOrPtr*)(__ecx + 0x50)) == 0) {
					 *((char*)(__ecx + 0x51)) = 1;
					return 0;
				} else {
					_t7 = PostMessageW( *(__ecx + 4), 0x8000, 0, 0); // executed
					return _t7;
				}
			}

0x00412e99
0x00412ea3
0x00412eb7
0x00412ebc
0x00412ea5
0x00412eaf
0x00412eb6
0x00412eb6

APIs

Part of subcall function 0040FC41: WaitForSingleObject.KERNEL32(?,000000FF,0040B19F,00000000,?,?,?,004017D2,00000004,00401A97,?,?,?), ref: 0040FC47

PostMessageW.USER32(?,00008000,00000000,00000000), ref: 00412EAF

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: MessageObjectPostSingleWait
String ID:
API String ID: 1869837590-0
Opcode ID: 54403d254d6dece21fdd30bf551ef77a2a7b988ed31ba3920b28ef320dc540f1
Instruction ID: edc2d39b9b95d8753d24a0c99186f72b6eb965518e6ef86668453d206e3306f5
Opcode Fuzzy Hash: 54403d254d6dece21fdd30bf551ef77a2a7b988ed31ba3920b28ef320dc540f1
Instruction Fuzzy Hash: 2FD0A7314187A0AEE771A734BD06AE77BD9AB00304B0C08BEB4C291D55C7E5BC959764

Uniqueness

Uniqueness Score: -1.00%

Function 004091A4, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004091A4(void** __ecx) {
				void* _t1;
				int _t3;
				signed int* _t6;

				_t6 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0xffffffff) {
					L4:
					return 1;
				} else {
					_t3 = FindClose(_t1); // executed
					if(_t3 != 0) {
						 *_t6 =  *_t6 | 0xffffffff;
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x004091a5
0x004091a7
0x004091ac
0x004091c0
0x004091c3
0x004091ae
0x004091af
0x004091b7
0x004091bd
0x00000000
0x004091b9
0x004091bc
0x004091bc
0x004091b7

APIs

FindClose.KERNELBASE ref: 004091AF

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: ceed599eb068a9b020e5a439002c9ac0e64598cc8ca2fb7ebb587fd943f36f4f
Instruction ID: e6f65a1a3ae19892a9c0185e9ae34a5b8dc5a998896a5f52585ecf58a904d7a6
Opcode Fuzzy Hash: ceed599eb068a9b020e5a439002c9ac0e64598cc8ca2fb7ebb587fd943f36f4f
Instruction Fuzzy Hash: D6D0127121412286DE745E3C78485C273D95B06370325076AF0B0D73E5D378DC835668

Uniqueness

Uniqueness Score: -1.00%

Function 004073C7, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004073C7(void* __edx, void* __eflags) {
				void* _t13;
				void* _t15;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;

				_t21 = __eflags;
				_push(0xc);
				E00416B54(E00421524, _t15, _t18, _t19);
				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
				_t13 = E00407148(_t15,  *((intOrPtr*)(_t20 + 8)), __edx, _t18, _t19, _t21,  *((intOrPtr*)(_t20 + 0xc)),  *((intOrPtr*)(_t20 + 0x10)),  *((intOrPtr*)(_t20 + 0x14)),  *((intOrPtr*)(_t20 + 0x18)),  *((intOrPtr*)(_t20 + 0x1c)),  *((intOrPtr*)(_t20 + 0x20)),  *((intOrPtr*)(_t20 + 0x24))); // executed
				return E00416BF9(_t13);
			}

0x004073c7
0x004073c7
0x004073ce
0x004073dc
0x004073ef
0x00407425

APIs

__EH_prolog3_catch.LIBCMT ref: 004073CE

Part of subcall function 00407148: __EH_prolog3.LIBCMT ref: 0040714F

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3H_prolog3_catch
String ID:
API String ID: 1882928916-0
Opcode ID: 28e09e3b734dcda83a9779a142a1a0cda2b6bb65c50fddb9d581310a60e990cb
Instruction ID: 84ce1d22dcfe6e103ce055f2b8b6750ac12f05c8568533fdb2c5d1bbdb3a852e
Opcode Fuzzy Hash: 28e09e3b734dcda83a9779a142a1a0cda2b6bb65c50fddb9d581310a60e990cb
Instruction Fuzzy Hash: F2E0B632504109EBDF02AF80CC01EDD3F62BF48308F11815ABA04291A1C73AD9B1AB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00409469, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409469(void** __ecx) {
				void* _t1;
				int _t3;
				signed int* _t6;

				_t6 = __ecx;
				_t1 =  *__ecx;
				if(_t1 == 0xffffffff) {
					L4:
					return 1;
				} else {
					_t3 = FindCloseChangeNotification(_t1); // executed
					if(_t3 != 0) {
						 *_t6 =  *_t6 | 0xffffffff;
						goto L4;
					} else {
						return 0;
					}
				}
			}

0x0040946a
0x0040946c
0x00409471
0x00409485
0x00409488
0x00409473
0x00409474
0x0040947c
0x00409482
0x00000000
0x0040947e
0x00409481
0x00409481
0x0040947c

APIs

FindCloseChangeNotification.KERNELBASE ref: 00409474

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a6ad88fce9d677adcfcb3cedd9ab2708af14cbe569ef0bba0bbf37a308d24c96
Instruction ID: b4a90a00154391669b7363a51cf89b3e9318aaf3395dcee91c52b1fe365849fc
Opcode Fuzzy Hash: a6ad88fce9d677adcfcb3cedd9ab2708af14cbe569ef0bba0bbf37a308d24c96
Instruction Fuzzy Hash: E9D0123150812146CA749E3C7C489C733D85B8637432107AAF8B4D32E5D774CC835664

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC1B, Relevance: 1.5, APIs: 1, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040FC1B(signed int* _a4) {
				void* _t2;
				int _t4;
				signed int* _t6;

				_t6 = _a4;
				_t2 =  *_t6;
				if(_t2 == 0) {
					L3:
					 *_t6 =  *_t6 & 0x00000000;
					return 0;
				}
				_t4 = FindCloseChangeNotification(_t2); // executed
				if(_t4 != 0) {
					goto L3;
				}
				return E0040FBFF();
			}

0x0040fc1c
0x0040fc20
0x0040fc24
0x0040fc38
0x0040fc38
0x00000000
0x0040fc3b
0x0040fc27
0x0040fc2f
0x00000000
0x00000000
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00401769,?,?,00401A40,?,?,?), ref: 0040FC27

Part of subcall function 0040FBFF: GetLastError.KERNEL32(0040FC36,?,00401769,?,?,00401A40,?,?,?), ref: 0040FBFF

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 154228df2ff763398198bb62a8d67d4fc733a41ee82627f3fea0a20968ac3d13
Instruction ID: 1a5018943eef3921d8683e0e76473e6435a4a7453b84e3265ad686b3c7f8bf41
Opcode Fuzzy Hash: 154228df2ff763398198bb62a8d67d4fc733a41ee82627f3fea0a20968ac3d13
Instruction Fuzzy Hash: BAD0C77261821987E7709E75D80575773E87F64391F11483BBC81E26C4DA3CDC468669

Uniqueness

Uniqueness Score: -1.00%

Function 004134A7, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004134A7(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t20;

				_push(0xc);
				E00416B54(E00422122, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t20 - 0x14)) = __ecx;
				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
				_t19 =  *((intOrPtr*)(__ecx + 0x1c)) + 0x70;
				 *((intOrPtr*)(_t20 - 0x18)) =  *((intOrPtr*)(__ecx + 0x1c)) + 0x70;
				 *(_t20 - 4) = 1;
				E00413320(__ebx, __ecx, __edx, __edi,  *((intOrPtr*)(__ecx + 0x1c)) + 0x70, _t19); // executed
				return E00416BF9(E00412E93(_t19));
			}

0x004134a7
0x004134ae
0x004134b3
0x004134b9
0x004134bd
0x004134c0
0x004134c3
0x004134c7
0x004134d8

APIs

__EH_prolog3_catch.LIBCMT ref: 004134AE

Part of subcall function 00413320: __EH_prolog3.LIBCMT ref: 00413327

Part of subcall function 00412E93: PostMessageW.USER32(?,00008000,00000000,00000000), ref: 00412EAF

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3H_prolog3_catchMessagePost
String ID:
API String ID: 2353938149-0
Opcode ID: a2f85cf47bc91e1651615562e7d259fc2dd1f942ff68663c9af53319ea72f271
Instruction ID: 37150bc996be07024e23407f5ffd0e30b920fa78c3a9b78fcff4c7f849eb0ef8
Opcode Fuzzy Hash: a2f85cf47bc91e1651615562e7d259fc2dd1f942ff68663c9af53319ea72f271
Instruction Fuzzy Hash: 6CD05E71E052348BEF05FB9591023DD77615F10309F65409FA504AB282CBBD9F9687DE

Uniqueness

Uniqueness Score: -1.00%

Function 00417657, Relevance: 1.5, APIs: 1, Instructions: 14
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00417657(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t9;
				void* _t18;

				_push(0xc);
				_push(0x42a470);
				E00417B6C(__ebx, __edi, __esi);
				E0041AA6A();
				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
				_t9 = E0041756C(__edx,  *((intOrPtr*)(_t18 + 8))); // executed
				 *((intOrPtr*)(_t18 - 0x1c)) = _t9;
				 *(_t18 - 4) = 0xfffffffe;
				E0041768D();
				return E00417BB1( *((intOrPtr*)(_t18 - 0x1c)));
			}

0x00417657
0x00417659
0x0041765e
0x00417663
0x00417668
0x0041766f
0x00417675
0x00417678
0x0041767f
0x0041768c

APIs

Part of subcall function 0041AA6A: __lock.LIBCMT ref: 0041AA6C

__onexit_nolock.LIBCMT ref: 0041766F

Part of subcall function 0041756C: __decode_pointer.LIBCMT ref: 0041757B
Part of subcall function 0041756C: __decode_pointer.LIBCMT ref: 0041758B
Part of subcall function 0041756C: __msize.LIBCMT ref: 004175A9
Part of subcall function 0041756C: __realloc_crt.LIBCMT ref: 004175CD
Part of subcall function 0041756C: __realloc_crt.LIBCMT ref: 004175E3
Part of subcall function 0041756C: __encode_pointer.LIBCMT ref: 004175F5
Part of subcall function 0041756C: __encode_pointer.LIBCMT ref: 00417603
Part of subcall function 0041756C: __encode_pointer.LIBCMT ref: 0041760E

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
String ID:
API String ID: 1316407801-0
Opcode ID: f62d3a009e41f3d1527246ed07ccb787376bfc05c42d54a329812c2034400765
Instruction ID: 50652295d12e053d6e041c28fa09360bfde02633ad2c970896e797852022faa4
Opcode Fuzzy Hash: f62d3a009e41f3d1527246ed07ccb787376bfc05c42d54a329812c2034400765
Instruction Fuzzy Hash: 36D01730D49208AACB00FBA6DC027DD76706F00328F60428AB024661D2CB7C6A918A1D

Uniqueness

Uniqueness Score: -1.00%

Function 004060EC, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004060EC(void* __ecx, void* __eflags) {
				void* _t8;
				void* _t10;
				void* _t12;
				void* _t13;
				void* _t14;
				void* _t15;

				_t15 = __eflags;
				_push(4);
				E00416B54(E004212DE, _t10, _t12, _t13);
				 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
				_t8 = E00405E50(_t10, __ecx, _t12, _t13, _t15,  *((intOrPtr*)(_t14 + 8)),  *((intOrPtr*)(_t14 + 0xc)),  *((intOrPtr*)(_t14 + 0x10))); // executed
				return E00416BF9(_t8);
			}

0x004060ec
0x004060ec
0x004060f3
0x004060fb
0x00406105
0x0040611a

APIs

__EH_prolog3_catch.LIBCMT ref: 004060F3

Part of subcall function 00405E50: __EH_prolog3.LIBCMT ref: 00405E57

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3H_prolog3_catch
String ID:
API String ID: 1882928916-0
Opcode ID: c4f1c16b8a69300ef20dc63a60a8572890e109b9ba60d17ba3b8912923893270
Instruction ID: 66fb4eb1dd9ef290f0d14366853655bb72eb87facac39e3ebcd306175ee87c76
Opcode Fuzzy Hash: c4f1c16b8a69300ef20dc63a60a8572890e109b9ba60d17ba3b8912923893270
Instruction Fuzzy Hash: 0ED0C971204154E6DF017F51CC02B8D7722AB50308F51806EB610AD0A2C6399665AA2D

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC6E, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E0041AC6E(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E0041AB42(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x0041ac73
0x0041ac75
0x0041ac77
0x0041ac7a
0x0041ac83

APIs

_doexit.LIBCMT ref: 0041AC7A

Part of subcall function 0041AB42: __lock.LIBCMT ref: 0041AB50
Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041AB87
Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041AB9C
Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041ABC6
Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041ABDC
Part of subcall function 0041AB42: __decode_pointer.LIBCMT ref: 0041ABE9
Part of subcall function 0041AB42: __initterm.LIBCMT ref: 0041AC18
Part of subcall function 0041AB42: __initterm.LIBCMT ref: 0041AC28

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 32703e2425d6837e09d77f142ee0d03d1aa3b2b2739c8778ca234f578448a184
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: CAB0923258424833DA202942EC03F467A0A87D0BA4F240021BB0C191A1A9A6B9A1919A

Uniqueness

Uniqueness Score: -1.00%

Function 004095BB, Relevance: 1.5, APIs: 1, Instructions: 9
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004095BB(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
				signed int _t4;

				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
				asm("sbb eax, eax");
				return  ~( ~_t4);
			}

0x004095c9
0x004095d1
0x004095d5

APIs

SetFileTime.KERNELBASE(?,?,?,?), ref: 004095C9

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: FileTime
String ID:
API String ID: 1425588814-0
Opcode ID: 7c264c662d17f6748a7a7cd915a901ef6f14879ae262d0762ce06c4027b9e3d8
Instruction ID: 57fa52493768e88d4c675f4e3ff19f9e09c23c003b41dcdd424065fe4b098c63
Opcode Fuzzy Hash: 7c264c662d17f6748a7a7cd915a901ef6f14879ae262d0762ce06c4027b9e3d8
Instruction Fuzzy Hash: A4C04C36158105FF8F124F70CC04C1ABBB2AB99312F10C918B155C4074C7328424EB12

Uniqueness

Uniqueness Score: -1.00%

Function 0040D84E, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D84E(intOrPtr _a4) {
				void* _t3;
				void* _t5;
				void* _t7;
				void* _t8;

				if(_a4 != 0) {
					_t3 = E00417414(_t5, _t7, _t8, _a4); // executed
					return _t3;
				}
				return 0;
			}

0x0040d853
0x0040d85d
0x00000000
0x0040d862
0x00000000

APIs

_malloc.LIBCMT ref: 0040D85D

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 20394390867618d9d500dbe07c14ad3570cdce1b0b705a712d1a182bf64edd08
Instruction ID: 9fa39186f6ac70ea71dad3f96ae6bbd7c0e55b847be20752fb22e855cafe7a70
Opcode Fuzzy Hash: 20394390867618d9d500dbe07c14ad3570cdce1b0b705a712d1a182bf64edd08
Instruction Fuzzy Hash: 30B09232809200E9C6007AA1E90571BA6A05BA0765F24CC3FF05A62091C73898A8FA2A

Uniqueness

Uniqueness Score: -1.00%

Function 00410729, Relevance: 1.5, APIs: 1, Instructions: 7
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410729(void* __ecx) {

				SendMessageW( *(__ecx + 4), 0x80, 1, 0); // executed
				return 1;
			}

0x00410735
0x0041073d

APIs

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00410735

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 350c799ee5a2866a2e4a90e4137b8a2d5ebde71f238ef18c267c58f946dbb223
Instruction ID: a4c26e9a3c29e24c211aff4f89e05bb1a464a78c4738ab71fc5642a945c5313b
Opcode Fuzzy Hash: 350c799ee5a2866a2e4a90e4137b8a2d5ebde71f238ef18c267c58f946dbb223
Instruction Fuzzy Hash: 2AB012383C0200B6E9300F00DE07F407A317700F02FD080D0F2842D1E186D754079A38

Uniqueness

Uniqueness Score: -1.00%

Function 0041079E, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041079E(long __ecx, WCHAR* _a4, struct HWND__* _a8) {
				int _t3;

				_t3 = DialogBoxParamW( *0x43063c, _a4, _a8, E004106BD, __ecx); // executed
				return _t3;
			}

0x004107b2
0x004107b8

APIs

DialogBoxParamW.USER32(?,?,004106BD,?,0041083C), ref: 004107B2

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: DialogParam
String ID:
API String ID: 665744214-0
Opcode ID: 83a23e5f2a5779a97fcb816a9719aacd6dba0e44b669cde2decfec3171c3a416
Instruction ID: 4304025832de87dfc64906559080df533071c10b9fbf0e2d02038323627bd0c9
Opcode Fuzzy Hash: 83a23e5f2a5779a97fcb816a9719aacd6dba0e44b669cde2decfec3171c3a416
Instruction Fuzzy Hash: 7DC09B71244341EFCB01DF40DD05D1A7A71FBD4301B144D5DF19011034D3654475DB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00411A09, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00411A09(struct HWND__** __ecx, WCHAR* _a4) {
				signed int _t2;

				_t2 = SetWindowTextW( *__ecx, _a4); // executed
				asm("sbb eax, eax");
				return  ~( ~_t2);
			}

0x00411a0f
0x00411a17
0x00411a1b

APIs

SetWindowTextW.USER32(?,?), ref: 00411A0F

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 0cac3e49e0ef37c63cf37dc2c3e09d3ba3e0a8b2ccbe1e6d84387eabad972059
Instruction ID: 7285ec3e8b14015ba41abaafd2aaf9d1c9e421011ef37e859ac2b5d579ac4960
Opcode Fuzzy Hash: 0cac3e49e0ef37c63cf37dc2c3e09d3ba3e0a8b2ccbe1e6d84387eabad972059
Instruction Fuzzy Hash: E5B012312941079B8F110F30CC09C257AB1ABA6707B10C634B202C40B0DB328434FB05

Uniqueness

Uniqueness Score: -1.00%

Function 00411C72, Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411C72(struct HWND__** __ecx, int _a4) {
				long _t2;

				_t2 = SendMessageW( *__ecx, 0x402, _a4, 0); // executed
				return _t2;
			}

0x00411c7f
0x00411c85

APIs

SendMessageW.USER32(?,00000402,?,00000000), ref: 00411C7F

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bfb020d162c2876dd643ce5794c777644e35f7b7a7e62491d4677c709d91e7d4
Instruction ID: 069d68a9e1231b4b556b08c56050ac7aef345419fd7f8c3e29ec79a0a001832b
Opcode Fuzzy Hash: bfb020d162c2876dd643ce5794c777644e35f7b7a7e62491d4677c709d91e7d4
Instruction Fuzzy Hash: E9B012B1380201FBDA114F50CF0AF05BE71AB50701F50C064B348280F1C2B20821DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00411EBA, Relevance: 1.5, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411EBA(void* __ecx) {

				EndDialog( *(__ecx + 4), 0); // executed
				return 1;
			}

0x00411ebf
0x00411ec7

APIs

EndDialog.USER32 ref: 00411EBF

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Dialog
String ID:
API String ID: 1120787796-0
Opcode ID: 101327961ffd129499788fe345791a6db2a53a88b219c9f9f512ba42817a1e78
Instruction ID: bc8bd401b0eefbe877630cbd04d9267ddc83d6f7ecd5b816f849047cd02cc86e
Opcode Fuzzy Hash: 101327961ffd129499788fe345791a6db2a53a88b219c9f9f512ba42817a1e78
Instruction Fuzzy Hash: 28A0223C200300ABCA200F00EC0BB003F30BB20B0BFE080E0F000082B0C3AB8023EE88

Uniqueness

Uniqueness Score: -1.00%

Function 00418676, Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00418676() {
				void* _t1;

				_t1 = E00418604(0); // executed
				return _t1;
			}

0x00418678
0x0041867e

APIs

__encode_pointer.LIBCMT ref: 00418678

Part of subcall function 00418604: TlsGetValue.KERNEL32(00000000,?,0041867D,00000000,0041C3DC,004306C8,00000000,00000314,?,0041858F,004306C8,Microsoft Visual C++ Runtime Library,00012010), ref: 00418616
Part of subcall function 00418604: TlsGetValue.KERNEL32(00000005,?,0041867D,00000000,0041C3DC,004306C8,00000000,00000314,?,0041858F,004306C8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041862D
Part of subcall function 00418604: RtlEncodePointer.NTDLL(00000000,?,0041867D,00000000,0041C3DC,004306C8,00000000,00000314,?,0041858F,004306C8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041866B

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 5a5505d646162c0910025cdbf4f2e43bfc302516613f7e24b8ec1ce389676881
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040D873, Relevance: 1.3, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D873(long _a4) {
				void* _t3;

				if(_a4 != 0) {
					_t3 = VirtualAlloc(0, _a4, 0x1000, 4); // executed
					return _t3;
				}
				return 0;
			}

0x0040d878
0x0040d88b
0x00000000
0x0040d88b
0x00000000

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,0040A80C,00020000,00000008,00409D26,00000000,00409D7B,?,?,00000000,00000000,?,?), ref: 0040D88B

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5e2b473792147291d41c654fde43e170c2ab6d884310398fcc52e1e8375520d5
Instruction ID: 1dee39851da255e603c81e70ab06536354d94f21e9d906fbcb05ba4b28f21589
Opcode Fuzzy Hash: 5e2b473792147291d41c654fde43e170c2ab6d884310398fcc52e1e8375520d5
Instruction Fuzzy Hash: 69C08C72A8C301BEEB215A908C09F06B2A06B54B92F20C835B3A9740D8C2B88004DA2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D894, Relevance: 1.3, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D894(void* _a4) {
				void* _t3;
				int _t4;

				if(_a4 != 0) {
					_t4 = VirtualFree(_a4, 0, 0x8000); // executed
					return _t4;
				}
				return _t3;
			}

0x0040d899
0x0040d8a6
0x00000000
0x0040d8a6
0x0040d8ac

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,0040A8A2,?,?,004070C5,00000004), ref: 0040D8A6

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 6cb800e3b21292d7a01e8d915fab6851819cbdd43799a7b69ebaca4b63cd47eb
Instruction ID: 0a782922268e19acd864cb2e137f5d939f388066cb3675ff771b179204057813
Opcode Fuzzy Hash: 6cb800e3b21292d7a01e8d915fab6851819cbdd43799a7b69ebaca4b63cd47eb
Instruction Fuzzy Hash: 5FC09B71744300BEE7216F04DD09B07B6606B50701F10C4357254340E847785414DE1D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00416B12, Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00416B12(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				signed int _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 - M0042D330; // 0xdf8f31de
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x430b08 = _t6;
				 *0x430b04 = _t22;
				 *0x430b00 = _t25;
				 *0x430afc = _t21;
				 *0x430af8 = _t27;
				 *0x430af4 = _t26;
				 *0x430b20 = ss;
				 *0x430b14 = cs;
				 *0x430af0 = ds;
				 *0x430aec = es;
				 *0x430ae8 = fs;
				 *0x430ae4 = gs;
				asm("pushfd");
				_pop( *0x430b18);
				 *0x430b0c =  *_t31;
				 *0x430b10 = _v0;
				 *0x430b1c =  &_a4;
				 *0x430a58 = 0x10001;
				_t11 =  *0x430b10; // 0x0
				 *0x430a0c = _t11;
				 *0x430a00 = 0xc0000409;
				 *0x430a04 = 1;
				_t12 = M0042D330; // 0xdf8f31de
				_v812 = _t12;
				_t13 =  *0x42d334; // 0x2070ce21
				_v808 = _t13;
				 *0x430a50 = IsDebuggerPresent();
				_push(1);
				E0041D30F(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x424afc);
				if( *0x430a50 == 0) {
					_push(1);
					E0041D30F(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00416b12
0x00416b12
0x00416b12
0x00416b12
0x00416b12
0x00416b12
0x00416b12
0x00416b18
0x00416b1a
0x00416b1a
0x00419a07
0x00419a0c
0x00419a12
0x00419a18
0x00419a1e
0x00419a24
0x00419a2a
0x00419a31
0x00419a38
0x00419a3f
0x00419a46
0x00419a4d
0x00419a54
0x00419a55
0x00419a5e
0x00419a66
0x00419a6e
0x00419a79
0x00419a83
0x00419a88
0x00419a8d
0x00419a97
0x00419aa1
0x00419aa6
0x00419aac
0x00419ab1
0x00419abd
0x00419ac2
0x00419ac4
0x00419acc
0x00419ad7
0x00419ae4
0x00419ae6
0x00419ae8
0x00419aed
0x00419b01

APIs

IsDebuggerPresent.KERNEL32 ref: 00419AB7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00419ACC
UnhandledExceptionFilter.KERNEL32(00424AFC), ref: 00419AD7
GetCurrentProcess.KERNEL32(C0000409), ref: 00419AF3
TerminateProcess.KERNEL32(00000000), ref: 00419AFA

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: a918bf17ed6755c8c93a3fec57836d41ced2a735aa7a5f4a8140f49a9c0783ae
Instruction ID: a3ae943e02b669ff2a6498971f269fac364f055245c94165238cd76a69923d3c
Opcode Fuzzy Hash: a918bf17ed6755c8c93a3fec57836d41ced2a735aa7a5f4a8140f49a9c0783ae
Instruction Fuzzy Hash: B92103B4A103089FC750EF55FD64A54BBB4BB18305F50623AE41883B60E7B8A981CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B945, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041B945() {

				SetUnhandledExceptionFilter(E0041B903);
				return 0;
			}

0x0041b94a
0x0041b952

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001B903), ref: 0041B94A

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 48d45a271a940ca4e2f88f0b5105577f0641e264a5b2adf435378eee180a1776
Instruction ID: f9ebc1ffc639d90b74befdcaa34d6ee0320cc7816fc40c15477a0d87825db997
Opcode Fuzzy Hash: 48d45a271a940ca4e2f88f0b5105577f0641e264a5b2adf435378eee180a1776
Instruction Fuzzy Hash: 649002B03655096A66101B705C4D75A25A4AA5C6077910565A101C4154DB584157655D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F949, Relevance: 1.4, Strings: 1, Instructions: 150
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E0040F949(void* _a4) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr* _v24;
				char _v28;
				intOrPtr _v32;
				void _v64;
				char _v128;
				signed int _t87;
				void* _t88;
				signed int _t110;
				signed int _t114;
				signed int _t116;
				intOrPtr* _t123;
				intOrPtr* _t127;
				void* _t129;
				intOrPtr* _t130;
				void* _t144;
				signed int _t171;
				void* _t183;

				_v8 = _v8 & 0x00000000;
				_t110 = 8;
				_v32 = memcpy( &_v64, _a4, _t110 << 2) -  &_v128;
				do {
					_t114 = 1;
					_t130 =  &_v128;
					_v20 = 1;
					_t87 = 0xfffffffc;
					_v24 = _t130;
					_v12 = 0x423aa0 + _v8 * 4;
					_v28 = 0x10;
					do {
						if(_v8 == 0) {
							_t116 =  *((intOrPtr*)(_v32 + _t130));
							 *_t130 = _t116;
						} else {
							_t17 = _t114 - 1; // 0x0
							_v16 = _t183 + (_t17 & 0x0000000f) * 4 - 0x7c;
							_t25 = _t114 - 3; // -2
							asm("ror edi, 0x12");
							asm("ror ebx, 0x7");
							asm("ror esi, 0x13");
							asm("ror ebx, 0x11");
							_t127 = _v16;
							 *_t127 =  *_t127 + ( *(_t183 + (_t114 & 0x0000000f) * 4 - 0x7c) ^  *(_t183 + (_t114 & 0x0000000f) * 4 - 0x7c) ^  *(_t183 + (_t114 & 0x0000000f) * 4 - 0x7c) >> 0x00000003) + ( *(_t183 + (_t25 & 0x0000000f) * 4 - 0x7c) ^  *(_t183 + (_t25 & 0x0000000f) * 4 - 0x7c) ^  *(_t183 + (_t25 & 0x0000000f) * 4 - 0x7c) >> 0x0000000a) +  *((intOrPtr*)(_t183 + (_t114 + 0xfffffff8 & 0x0000000f) * 4 - 0x7c));
							_t116 =  *_t127;
						}
						_v16 = _t116;
						_t39 = _t87 + 2; // 0xfe
						_t43 = _t87 + 3; // 0xff
						asm("ror edi, 0x19");
						asm("ror ebx, 0xb");
						asm("ror ebx, 0x6");
						_t45 = _t87 + 1; // 0xfd
						_t123 = _t183 + (_t43 & 0x00000007) * 4 - 0x3c;
						 *_t123 =  *_t123 + (( *(_t183 + (_t45 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t39 & 0x00000007) * 4 - 0x3c)) &  *(_t183 + (_t87 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t39 & 0x00000007) * 4 - 0x3c)) + ( *(_t183 + (_t87 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t87 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t87 & 0x00000007) * 4 - 0x3c)) + _v16 +  *_v12;
						_t53 = _t87 - 1; // 0xfb
						 *((intOrPtr*)(_t183 + (_t53 & 0x00000007) * 4 - 0x3c)) =  *((intOrPtr*)(_t183 + (_t53 & 0x00000007) * 4 - 0x3c)) +  *_t123;
						_t57 = _t87 - 4; // 0xf8
						_v12 = _v12 + 4;
						_t63 = _t87 - 3; // 0xf9
						_t171 =  *(_t183 + (_t63 & 0x00000007) * 4 - 0x3c);
						asm("ror edi, 0x16");
						asm("ror ebx, 0xd");
						asm("ror ebx, 0x2");
						_t67 = _t87 - 2; // 0xfa
						_v16 = _t171;
						 *_t123 =  *_t123 + ( *(_t183 + (_t57 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t57 & 0x00000007) * 4 - 0x3c) ^  *(_t183 + (_t57 & 0x00000007) * 4 - 0x3c)) + ( *(_t183 + (_t67 & 0x00000007) * 4 - 0x3c) & (_t171 |  *(_t183 + (_t57 & 0x00000007) * 4 - 0x3c)) | _v16 &  *(_t183 + (_t57 & 0x00000007) * 4 - 0x3c));
						_t114 = _v20 + 1;
						_t130 = _v24 + 4;
						_t87 = _t87 - 1;
						_t75 =  &_v28;
						 *_t75 = _v28 - 1;
						_v20 = _t114;
						_v24 = _t130;
					} while ( *_t75 != 0);
					_v8 = _v8 + 0x10;
				} while (_v8 < 0x40);
				_t88 = _a4;
				_t144 = 8;
				_t129 =  &_v64 - _t88;
				do {
					 *_t88 =  *_t88 +  *((intOrPtr*)(_t129 + _t88));
					_t88 = _t88 + 4;
					_t144 = _t144 - 1;
				} while (_t144 != 0);
				return _t88;
			}

0x0040f94f
0x0040f95a
0x0040f965
0x0040f969
0x0040f96e
0x0040f971
0x0040f97b
0x0040f97e
0x0040f97f
0x0040f982
0x0040f985
0x0040f98c
0x0040f990
0x0040f9ec
0x0040f9ef
0x0040f992
0x0040f992
0x0040f9a5
0x0040f9a8
0x0040f9b4
0x0040f9b9
0x0040f9c5
0x0040f9ca
0x0040f9e0
0x0040f9e3
0x0040f9e5
0x0040f9e5
0x0040f9f1
0x0040fa01
0x0040fa0b
0x0040fa11
0x0040fa14
0x0040fa1b
0x0040fa23
0x0040fa3a
0x0040fa3e
0x0040fa42
0x0040fa4c
0x0040fa4e
0x0040fa58
0x0040fa5c
0x0040fa62
0x0040fa68
0x0040fa6d
0x0040fa74
0x0040fa79
0x0040fa83
0x0040fa96
0x0040fa9b
0x0040fa9c
0x0040fa9f
0x0040faa0
0x0040faa0
0x0040faa3
0x0040faa6
0x0040faa6
0x0040faaf
0x0040fab3
0x0040fabd
0x0040fac5
0x0040fac6
0x0040fac9
0x0040facc
0x0040face
0x0040fad1
0x0040fad1
0x0040fad7

Strings

@, xrefs: 0040FAB3

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 87d56cd6be4157368c5d66f6abcfc78e7b74221c1421a602161ec958c702e92e
Instruction ID: cb0a4cd02ad45149a2b8ae115c8f8f0a59dbe70f5b8a0e844d152124576e4919
Opcode Fuzzy Hash: 87d56cd6be4157368c5d66f6abcfc78e7b74221c1421a602161ec958c702e92e
Instruction Fuzzy Hash: 02516EB3D003199FCB14CFD5D8846DDB3B2EF88318F6A8169D9257B651D7702A46CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE50, Relevance: .5, Instructions: 501
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040EE50(signed int* __eax, signed char* _a4, signed char* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int* _t243;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				unsigned int _t257;
				void* _t259;
				void* _t260;
				signed int _t261;
				void* _t268;
				void* _t269;
				signed int _t270;
				signed char* _t276;
				signed int _t280;
				signed char* _t281;
				signed int _t283;
				signed char* _t284;
				signed char* _t286;
				signed char* _t291;
				signed char* _t293;
				void* _t298;
				signed char* _t300;
				signed char* _t302;
				signed char* _t304;
				signed int _t311;
				signed int _t315;
				signed char* _t316;
				signed int _t318;
				void* _t319;
				unsigned int _t337;
				signed int _t342;
				signed short* _t346;
				signed short* _t347;
				unsigned int _t353;
				signed char _t356;
				void* _t357;
				void* _t358;
				signed int _t363;
				signed int _t380;
				void* _t381;
				signed int _t385;
				unsigned int _t391;
				signed char* _t392;
				void* _t395;
				void* _t396;
				signed char* _t397;
				signed int _t405;
				unsigned int _t408;
				signed char* _t409;
				signed int _t411;
				void* _t416;
				signed int _t431;
				void* _t433;
				signed int _t434;
				signed int _t435;
				signed int _t442;
				signed int _t461;
				signed int _t462;
				signed int _t470;
				signed int _t471;
				signed int _t472;
				signed int _t473;
				signed int _t474;
				signed int _t475;
				unsigned int _t476;
				signed int _t477;
				unsigned int _t478;

				_t243 = __eax;
				_v8 = __eax[8];
				_a8 =  &(_a4[_a8]);
				_t318 = __eax[4];
				_t470 = __eax[7];
				_t435 = __eax[0xd];
				_t405 = (1 << __eax[2]) - 0x00000001 & __eax[0xb];
				_v12 = _t318;
				_v24 =  *(_t318 + ((_t435 << 4) + 1) * 2) & 0x0000ffff;
				if(_t470 >= 0x1000000) {
					L4:
					_t337 = (_t470 >> 0xb) * _v24;
					if(_v8 >= _t337) {
						_v8 = _v8 - _t337;
						_t471 = _t470 - _t337;
						_t319 = 0x1000000;
						if(_t471 >= 0x1000000) {
							L35:
							_t246 = (_t471 >> 0xb) * ( *(_v12 + 0x180 + _t435 * 2) & 0x0000ffff);
							if(_v8 >= _t246) {
								_v8 = _v8 - _t246;
								_t472 = _t471 - _t246;
								_v20 = 3;
								if(_t472 >= _t319) {
									L40:
									_t342 = (_t472 >> 0xb) * ( *(_v12 + 0x198 + _t435 * 2) & 0x0000ffff);
									if(_v8 >= _t342) {
										_v8 = _v8 - _t342;
										_t473 = _t472 - _t342;
										if(_t473 >= _t319) {
											L51:
											_t251 = (_t473 >> 0xb) * ( *(_v12 + 0x1b0 + _t435 * 2) & 0x0000ffff);
											if(_v8 < _t251) {
												L56:
												_t474 = _t251;
												L58:
												_v28 = 0xc;
												_t346 = _v12 + 0xa68;
												L59:
												if(_t474 >= _t319) {
													L62:
													_t254 = (_t474 >> 0xb) * ( *_t346 & 0x0000ffff);
													if(_v8 >= _t254) {
														_v8 = _v8 - _t254;
														_t475 = _t474 - _t254;
														if(_t475 >= _t319) {
															L67:
															_t257 = (_t475 >> 0xb) * (_t346[1] & 0x0000ffff);
															if(_v8 >= _t257) {
																_v8 = _v8 - _t257;
																_t476 = _t475 - _t257;
																_t347 =  &(_t346[0x102]);
																_v24 = 0x10;
																_v16 = 0x100;
															} else {
																_t476 = _t257;
																_t283 = 8;
																_t347 =  &(_t346[0x82]) + (_t405 << 4);
																_v24 = _t283;
																_v16 = _t283;
															}
															L70:
															_t259 = 1;
															do {
																_t260 = _t259 + _t259;
																if(_t476 >= _t319) {
																	goto L74;
																}
																_t409 = _a4;
																if(_t409 >= _a8) {
																	L2:
																	return 0;
																}
																_t476 = _t476 << 8;
																_a4 =  &(_a4[1]);
																_v8 = _v8 << 0x00000008 |  *_t409 & 0x000000ff;
																L74:
																_t408 = (_t476 >> 0xb) * ( *(_t260 + _t347) & 0x0000ffff);
																if(_v8 >= _t408) {
																	_v8 = _v8 - _t408;
																	_t476 = _t476 - _t408;
																	_t259 = _t260 + 1;
																} else {
																	_t476 = _t408;
																}
															} while (_t259 < _v16);
															_t261 = _t259 + _v24 - _v16;
															if(_v28 >= 4) {
																L106:
																if(_t476 >= _t319 || _a4 < _a8) {
																	return _v20;
																} else {
																	goto L2;
																}
															}
															if(_t261 >= 4) {
																_t261 = 3;
															}
															_t442 = _v12;
															_v16 = (_t261 << 7) + _t442 + 0x360;
															_t268 = 1;
															do {
																_t269 = _t268 + _t268;
																_t411 =  *(_t269 + _v16) & 0x0000ffff;
																if(_t476 >= _t319) {
																	goto L85;
																}
																if(_a4 >= _a8) {
																	goto L2;
																}
																_t442 = _v12;
																_t476 = _t476 << 8;
																_a4 =  &(_a4[1]);
																_v8 = _v8 << 0x00000008 |  *_a4 & 0x000000ff;
																L85:
																_t353 = (_t476 >> 0xb) * _t411;
																if(_v8 >= _t353) {
																	_v8 = _v8 - _t353;
																	_t476 = _t476 - _t353;
																	_t268 = _t269 + 1;
																} else {
																	_t476 = _t353;
																}
															} while (_t268 < 0x40);
															_t270 = _t268 - 0x40;
															if(_t270 < 4) {
																goto L106;
															}
															_t356 = (_t270 >> 1) - 1;
															_v24 = _t356;
															if(_t270 >= 0xe) {
																_t357 = _t356 - 4;
																do {
																	if(_t476 >= _t319) {
																		goto L96;
																	}
																	_t276 = _a4;
																	if(_t276 >= _a8) {
																		goto L2;
																	}
																	_t476 = _t476 << 8;
																	_a4 =  &(_a4[1]);
																	_v8 = _v8 << 0x00000008 |  *_t276 & 0x000000ff;
																	L96:
																	_t476 = _t476 >> 1;
																	_v8 = _v8 - ((_v8 - _t476 >> 0x0000001f) - 0x00000001 & _t476);
																	_t357 = _t357 - 1;
																} while (_t357 != 0);
																_t226 = _t442 + 0x644; // 0x644
																_t358 = _t226;
																_v24 = 4;
																L98:
																_t416 = 1;
																do {
																	_t416 = _t416 + _t416;
																	if(_t476 >= _t319) {
																		goto L102;
																	}
																	_t281 = _a4;
																	if(_t281 >= _a8) {
																		goto L2;
																	}
																	_t476 = _t476 << 8;
																	_a4 =  &(_a4[1]);
																	_v8 = _v8 << 0x00000008 |  *_t281 & 0x000000ff;
																	L102:
																	_t280 = (_t476 >> 0xb) * ( *(_t416 + _t358) & 0x0000ffff);
																	if(_v8 >= _t280) {
																		_v8 = _v8 - _t280;
																		_t476 = _t476 - _t280;
																		_t416 = _t416 + 1;
																	} else {
																		_t476 = _t280;
																	}
																	_t238 =  &_v24;
																	 *_t238 = _v24 - 1;
																} while ( *_t238 != 0);
																goto L106;
															}
															_t215 = (((_t270 & 0x00000001 | 0x00000002) << _t356) - _t270) * 2; // 0x55e
															_t358 = _t442 + _t215 + 0x55e;
															goto L98;
														}
														_t284 = _a4;
														if(_t284 >= _a8) {
															goto L2;
														}
														_t475 = _t475 << 8;
														_a4 =  &(_a4[1]);
														_v8 = _v8 << 0x00000008 |  *_t284 & 0x000000ff;
														goto L67;
													}
													_v24 = _v24 & 0x00000000;
													_t476 = _t254;
													_t347 =  &(_t346[2]) + (_t405 << 4);
													_v16 = 8;
													goto L70;
												}
												_t286 = _a4;
												if(_t286 >= _a8) {
													goto L2;
												}
												_t474 = _t474 << 8;
												_a4 =  &(_a4[1]);
												_v8 = _v8 << 0x00000008 |  *_t286 & 0x000000ff;
												goto L62;
											}
											_v8 = _v8 - _t251;
											_t477 = _t473 - _t251;
											_t363 =  *(_v12 + 0x1c8 + _t435 * 2) & 0x0000ffff;
											if(_t477 >= _t319) {
												L55:
												_t251 = (_t477 >> 0xb) * _t363;
												if(_v8 >= _t251) {
													L57:
													_t474 = _t477 - _t251;
													_v8 = _v8 - _t251;
													goto L58;
												}
												goto L56;
											}
											_t291 = _a4;
											if(_t291 >= _a8) {
												goto L2;
											}
											_t477 = _t477 << 8;
											_a4 =  &(_a4[1]);
											_v8 = _v8 << 0x00000008 |  *_t291 & 0x000000ff;
											goto L55;
										}
										_t293 = _a4;
										if(_t293 >= _a8) {
											goto L2;
										}
										_t473 = _t473 << 8;
										_a4 =  &(_a4[1]);
										_v8 = _v8 << 0x00000008 |  *_t293 & 0x000000ff;
										goto L51;
									}
									_t461 =  *(_v12 + ((_t435 + 0xf << 4) + _t405) * 2) & 0x0000ffff;
									_t477 = _t342;
									if(_t342 >= _t319) {
										L44:
										_t251 = (_t477 >> 0xb) * _t461;
										if(_v8 >= _t251) {
											goto L57;
										}
										if(_t251 >= _t319 || _a4 < _a8) {
											_t298 = 3;
											return _t298;
										} else {
											goto L2;
										}
									}
									_t300 = _a4;
									if(_t300 >= _a8) {
										goto L2;
									}
									_t477 = _t342 << 8;
									_a4 =  &(_a4[1]);
									_v8 = _v8 << 0x00000008 |  *_t300 & 0x000000ff;
									goto L44;
								}
								_t302 = _a4;
								if(_t302 >= _a8) {
									goto L2;
								}
								_t472 = _t472 << 8;
								_a4 =  &(_a4[1]);
								_v8 = _v8 << 0x00000008 |  *_t302 & 0x000000ff;
								goto L40;
							}
							_v28 = _v28 & 0x00000000;
							_t474 = _t246;
							_t346 = _v12 + 0x664;
							_v20 = 2;
							goto L59;
						}
						_t304 = _a4;
						if(_t304 >= _a8) {
							goto L2;
						}
						_t471 = _t471 << 8;
						_a4 =  &(_a4[1]);
						_v8 = _v8 << 0x00000008 |  *_t304 & 0x000000ff;
						goto L35;
					}
					_t478 = _t337;
					_v16 = _v12 + 0xe6c;
					if(_t243[0xc] != 0 || _t243[0xb] != 0) {
						_t380 = _t243[9];
						if(_t380 == 0) {
							_t380 = _t243[0xa];
						}
						_t381 = 8;
						_v16 = _v16 + ((( *(_t243[5] + _t380 - 1) & 0x000000ff) >> _t381 -  *_t243) + (((1 << _t243[1]) - 0x00000001 & _t243[0xb]) <<  *_t243)) * 0x600;
					}
					if(_t435 >= 7) {
						_t431 = _t243[9];
						_t462 = _t243[0xe];
						if(_t431 >= _t462) {
							_t385 = 0;
						} else {
							_t385 = _t243[0xa];
						}
						_v20 =  *(_t243[5] - _t462 + _t431 + _t385) & 0x000000ff;
						_v12 = 0x100;
						_t433 = 1;
						_t319 = 0x1000000;
						do {
							_v20 = _v20 << 1;
							_t311 = _v12 & _v20;
							_v24 =  *(_v16 + (_t311 + _t433 + _v12) * 2) & 0x0000ffff;
							if(_t478 >= _t319) {
								goto L27;
							}
							_t392 = _a4;
							if(_t392 >= _a8) {
								goto L2;
							}
							_t478 = _t478 << 8;
							_a4 =  &(_a4[1]);
							_v8 = _v8 << 0x00000008 |  *_t392 & 0x000000ff;
							L27:
							_t391 = (_t478 >> 0xb) * _v24;
							if(_v8 >= _t391) {
								_t478 = _t478 - _t391;
								_v8 = _v8 - _t391;
								_t433 = _t433 + _t433 + 1;
							} else {
								_t478 = _t391;
								_t433 = _t433 + _t433;
								_t311 =  !_t311;
							}
							_v12 = _v12 & _t311;
						} while (_t433 < 0x100);
						goto L31;
					} else {
						_t395 = 1;
						_t319 = 0x1000000;
						do {
							_t396 = _t395 + _t395;
							_t434 =  *(_t396 + _v16) & 0x0000ffff;
							if(_t478 >= _t319) {
								goto L15;
							}
							_t316 = _a4;
							if(_t316 >= _a8) {
								goto L2;
							}
							_t478 = _t478 << 8;
							_a4 =  &(_a4[1]);
							_v8 = _v8 << 0x00000008 |  *_t316 & 0x000000ff;
							L15:
							_t315 = (_t478 >> 0xb) * _t434;
							if(_v8 >= _t315) {
								_v8 = _v8 - _t315;
								_t478 = _t478 - _t315;
								_t395 = _t396 + 1;
							} else {
								_t478 = _t315;
							}
						} while (_t395 < 0x100);
						L31:
						_v20 = 1;
						goto L106;
					}
				}
				_t397 = _a4;
				if(_t397 < _a8) {
					_t470 = _t470 << 8;
					_a4 =  &(_a4[1]);
					_v8 = _v8 << 0x00000008 |  *_t397 & 0x000000ff;
					goto L4;
				}
				goto L2;
			}

0x0040ee50
0x0040ee5c
0x0040ee67
0x0040ee70
0x0040ee74
0x0040ee78
0x0040ee7c
0x0040ee8a
0x0040ee8d
0x0040ee96
0x0040eebb
0x0040eec0
0x0040eec7
0x0040f01c
0x0040f01f
0x0040f021
0x0040f028
0x0040f04a
0x0040f05a
0x0040f060
0x0040f07d
0x0040f080
0x0040f082
0x0040f08b
0x0040f0ad
0x0040f0bd
0x0040f0c3
0x0040f125
0x0040f128
0x0040f12c
0x0040f14e
0x0040f15e
0x0040f164
0x0040f1a7
0x0040f1a7
0x0040f1b0
0x0040f1b3
0x0040f1ba
0x0040f1c0
0x0040f1c2
0x0040f1e4
0x0040f1ec
0x0040f1f2
0x0040f20a
0x0040f20d
0x0040f211
0x0040f233
0x0040f23c
0x0040f242
0x0040f25b
0x0040f25e
0x0040f260
0x0040f266
0x0040f26d
0x0040f244
0x0040f246
0x0040f248
0x0040f24c
0x0040f253
0x0040f256
0x0040f256
0x0040f274
0x0040f276
0x0040f277
0x0040f277
0x0040f27b
0x00000000
0x00000000
0x0040f27d
0x0040f283
0x0040eea0
0x00000000
0x0040eea0
0x0040f294
0x0040f297
0x0040f29a
0x0040f29d
0x0040f2a6
0x0040f2ac
0x0040f2b2
0x0040f2b5
0x0040f2b7
0x0040f2ae
0x0040f2ae
0x0040f2ae
0x0040f2b8
0x0040f2c3
0x0040f2c9
0x0040f3f7
0x0040f3f9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f3f9
0x0040f2d2
0x0040f2d6
0x0040f2d6
0x0040f2d7
0x0040f2e4
0x0040f2e9
0x0040f2ea
0x0040f2ed
0x0040f2ef
0x0040f2f5
0x00000000
0x00000000
0x0040f2fd
0x00000000
0x00000000
0x0040f311
0x0040f314
0x0040f317
0x0040f31a
0x0040f31d
0x0040f322
0x0040f328
0x0040f32e
0x0040f331
0x0040f333
0x0040f32a
0x0040f32a
0x0040f32a
0x0040f334
0x0040f339
0x0040f33f
0x00000000
0x00000000
0x0040f349
0x0040f34a
0x0040f350
0x0040f367
0x0040f36a
0x0040f36c
0x00000000
0x00000000
0x0040f36e
0x0040f374
0x00000000
0x00000000
0x0040f385
0x0040f388
0x0040f38b
0x0040f38e
0x0040f391
0x0040f39b
0x0040f39e
0x0040f39e
0x0040f3a1
0x0040f3a1
0x0040f3a7
0x0040f3ae
0x0040f3b0
0x0040f3b1
0x0040f3b1
0x0040f3b5
0x00000000
0x00000000
0x0040f3b7
0x0040f3bd
0x00000000
0x00000000
0x0040f3ce
0x0040f3d1
0x0040f3d4
0x0040f3d7
0x0040f3e0
0x0040f3e6
0x0040f3ec
0x0040f3ef
0x0040f3f1
0x0040f3e8
0x0040f3e8
0x0040f3e8
0x0040f3f2
0x0040f3f2
0x0040f3f2
0x00000000
0x0040f3b1
0x0040f35e
0x0040f35e
0x00000000
0x0040f35e
0x0040f213
0x0040f219
0x00000000
0x00000000
0x0040f22a
0x0040f22d
0x0040f230
0x00000000
0x0040f230
0x0040f1f7
0x0040f1fb
0x0040f1fd
0x0040f201
0x00000000
0x0040f201
0x0040f1c4
0x0040f1ca
0x00000000
0x00000000
0x0040f1db
0x0040f1de
0x0040f1e1
0x00000000
0x0040f1e1
0x0040f166
0x0040f169
0x0040f16e
0x0040f178
0x0040f19a
0x0040f19f
0x0040f1a5
0x0040f1ab
0x0040f1ab
0x0040f1ad
0x00000000
0x0040f1ad
0x00000000
0x0040f1a5
0x0040f17a
0x0040f180
0x00000000
0x00000000
0x0040f191
0x0040f194
0x0040f197
0x00000000
0x0040f197
0x0040f12e
0x0040f134
0x00000000
0x00000000
0x0040f145
0x0040f148
0x0040f14b
0x00000000
0x0040f14b
0x0040f0d0
0x0040f0d4
0x0040f0d8
0x0040f0fc
0x0040f101
0x0040f107
0x00000000
0x00000000
0x0040f10f
0x0040f11f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f10f
0x0040f0da
0x0040f0e0
0x00000000
0x00000000
0x0040f0ec
0x0040f0f6
0x0040f0f9
0x00000000
0x0040f0f9
0x0040f08d
0x0040f093
0x00000000
0x00000000
0x0040f0a4
0x0040f0a7
0x0040f0aa
0x00000000
0x0040f0aa
0x0040f065
0x0040f069
0x0040f06b
0x0040f071
0x00000000
0x0040f071
0x0040f02a
0x0040f030
0x00000000
0x00000000
0x0040f041
0x0040f044
0x0040f047
0x00000000
0x0040f047
0x0040eecd
0x0040eedc
0x0040eedf
0x0040eee7
0x0040eeec
0x0040eeee
0x0040eeee
0x0040eefd
0x0040ef1a
0x0040ef1a
0x0040ef20
0x0040ef7b
0x0040ef7e
0x0040ef83
0x0040ef8a
0x0040ef85
0x0040ef85
0x0040ef85
0x0040ef99
0x0040ef9c
0x0040efa3
0x0040efa4
0x0040efa9
0x0040efa9
0x0040efaf
0x0040efbf
0x0040efc4
0x00000000
0x00000000
0x0040efc6
0x0040efcc
0x00000000
0x00000000
0x0040efdd
0x0040efe0
0x0040efe3
0x0040efe6
0x0040efeb
0x0040eff2
0x0040effc
0x0040effe
0x0040f001
0x0040eff4
0x0040eff4
0x0040eff6
0x0040eff8
0x0040eff8
0x0040f005
0x0040f008
0x00000000
0x0040ef22
0x0040ef24
0x0040ef25
0x0040ef2a
0x0040ef2d
0x0040ef2f
0x0040ef35
0x00000000
0x00000000
0x0040ef37
0x0040ef3d
0x00000000
0x00000000
0x0040ef4e
0x0040ef51
0x0040ef54
0x0040ef57
0x0040ef5c
0x0040ef62
0x0040ef68
0x0040ef6b
0x0040ef6d
0x0040ef64
0x0040ef64
0x0040ef64
0x0040ef6e
0x0040f010
0x0040f010
0x00000000
0x0040f010
0x0040ef20
0x0040ee98
0x0040ee9e
0x0040eeb2
0x0040eeb5
0x0040eeb8
0x00000000
0x0040eeb8
0x00000000

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23632c936667db84b4985c6fb5177f9679dbdd5064871ff45c40afa9e7e0a2cb
Instruction ID: e96d94f9f021feee69bd0f16c8b626058d6116cb84d32cf07f2a7404c6f20ea9
Opcode Fuzzy Hash: 23632c936667db84b4985c6fb5177f9679dbdd5064871ff45c40afa9e7e0a2cb
Instruction Fuzzy Hash: B812AF31D00129DFCB18CF69C6905ACBBB2EF85345F2585BED856BB680D3389E85DB84

Uniqueness

Uniqueness Score: -1.00%

Function 00416135, Relevance: .4, Instructions: 384
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00416135(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t206;
				signed char _t207;
				signed char _t208;
				signed char _t210;
				signed char _t211;
				signed int _t216;
				signed int _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t330;
				void* _t332;
				void* _t334;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t344;
				void* _t346;
				void* _t348;
				void* _t351;
				void* _t353;
				void* _t355;
				void* _t358;
				void* _t360;
				void* _t362;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t316 = 0;
					L17:
					if(_t316 != 0) {
						goto L1;
					}
					_t206 =  *(_t196 - 0x1b);
					if(_t206 ==  *(_t200 - 0x1b)) {
						_t316 = 0;
						L28:
						if(_t316 != 0) {
							goto L1;
						}
						_t207 =  *(_t196 - 0x17);
						if(_t207 ==  *(_t200 - 0x17)) {
							_t316 = 0;
							L39:
							if(_t316 != 0) {
								goto L1;
							}
							_t208 =  *(_t196 - 0x13);
							if(_t208 ==  *(_t200 - 0x13)) {
								_t316 = 0;
								L50:
								if(_t316 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t316 = 0;
									L61:
									if(_t316 != 0) {
										goto L1;
									}
									_t210 =  *(_t196 - 0xb);
									if(_t210 ==  *(_t200 - 0xb)) {
										_t316 = 0;
										L72:
										if(_t316 != 0) {
											goto L1;
										}
										_t211 =  *(_t196 - 7);
										if(_t211 ==  *(_t200 - 7)) {
											_t316 = 0;
											L83:
											if(_t316 != 0) {
												goto L1;
											}
											_t319 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t319 == 0) {
												L5:
												_t321 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t321 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t197 = (0 | _t197 > 0x00000000) + (0 | _t197 > 0x00000000) - 1;
													}
													L2:
													return _t197;
												}
												_t216 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
												if(_t216 != 0) {
													L86:
													_t197 = _t216;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t216 = (0 | _t319 > 0x00000000) + (0 | _t319 > 0x00000000) - 1;
											if(_t216 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t323 = (_t211 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t323 == 0) {
											L76:
											_t325 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t325 == 0) {
												L78:
												_t327 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t327 == 0) {
													L80:
													_t316 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t316 != 0) {
														_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
													}
													goto L83;
												}
												_t316 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
												if(_t316 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t316 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t316 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t330 = (_t210 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t330 == 0) {
										L65:
										_t332 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t332 == 0) {
											L67:
											_t334 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t334 == 0) {
												L69:
												_t316 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t316 != 0) {
													_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
												}
												goto L72;
											}
											_t316 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t316 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t316 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t337 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t337 == 0) {
									L54:
									_t339 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t339 == 0) {
										L56:
										_t341 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t341 == 0) {
											L58:
											_t316 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t316 != 0) {
												_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											}
											goto L61;
										}
										_t316 = (0 | _t341 > 0x00000000) + (0 | _t341 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t316 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t316 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t344 = (_t208 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t344 == 0) {
								L43:
								_t346 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t346 == 0) {
									L45:
									_t348 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t348 == 0) {
										L47:
										_t316 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t316 != 0) {
											_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
										}
										goto L50;
									}
									_t316 = (0 | _t348 > 0x00000000) + (0 | _t348 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t316 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t316 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t351 = (_t207 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t351 == 0) {
							L32:
							_t353 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t353 == 0) {
								L34:
								_t355 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t355 == 0) {
									L36:
									_t316 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t316 != 0) {
										_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
									}
									goto L39;
								}
								_t316 = (0 | _t355 > 0x00000000) + (0 | _t355 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t316 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t316 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t358 = (_t206 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t358 == 0) {
						L21:
						_t360 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t360 == 0) {
							L23:
							_t362 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t362 == 0) {
								L25:
								_t316 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t316 != 0) {
									_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
								}
								goto L28;
							}
							_t316 = (0 | _t362 > 0x00000000) + (0 | _t362 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t316 = (0 | _t360 > 0x00000000) + (0 | _t360 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t316 = (0 | _t358 > 0x00000000) + (0 | _t358 > 0x00000000) - 1;
					if(_t316 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L17;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L14;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L12;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t316;
				goto L2;
			}

0x00416135
0x00416135
0x0041613b
0x004161bb
0x004161bd
0x004161bf
0x00000000
0x00000000
0x004161c5
0x004161cb
0x0041624a
0x0041624c
0x0041624e
0x00000000
0x00000000
0x00416254
0x0041625a
0x004162d9
0x004162db
0x004162dd
0x00000000
0x00000000
0x004162e3
0x004162e9
0x00416368
0x0041636a
0x0041636c
0x00000000
0x00000000
0x00416378
0x004163f8
0x004163fa
0x004163fc
0x00000000
0x00000000
0x00416402
0x00416408
0x00416487
0x00416489
0x0041648b
0x00000000
0x00000000
0x00416491
0x00416497
0x00416516
0x00416518
0x0041651a
0x00000000
0x00000000
0x00416528
0x0041652a
0x0041610d
0x00416115
0x00416117
0x00415cf3
0x00415cfb
0x00415cfd
0x00415d0e
0x00415d0e
0x00415903
0x0041665f
0x0041665f
0x00416124
0x0041612a
0x00416543
0x00416543
0x00000000
0x00416130
0x00000000
0x00416130
0x0041612a
0x00416537
0x0041653d
0x00000000
0x00000000
0x00000000
0x0041653d
0x004164a0
0x004164a2
0x004164b9
0x004164c1
0x004164c3
0x004164da
0x004164e2
0x004164e4
0x004164fb
0x00416503
0x00416505
0x00416512
0x00416512
0x00000000
0x00416505
0x004164f1
0x004164f5
0x00000000
0x00000000
0x00000000
0x004164f5
0x004164d0
0x004164d4
0x00000000
0x00000000
0x00000000
0x004164d4
0x004164af
0x004164b3
0x00000000
0x00000000
0x00000000
0x004164b3
0x00416411
0x00416413
0x0041642a
0x00416432
0x00416434
0x0041644b
0x00416453
0x00416455
0x0041646c
0x00416474
0x00416476
0x00416483
0x00416483
0x00000000
0x00416476
0x00416462
0x00416466
0x00000000
0x00000000
0x00000000
0x00416466
0x00416441
0x00416445
0x00000000
0x00000000
0x00000000
0x00416445
0x00416420
0x00416424
0x00000000
0x00000000
0x00000000
0x00416424
0x00416382
0x00416384
0x0041639b
0x004163a3
0x004163a5
0x004163bc
0x004163c4
0x004163c6
0x004163dd
0x004163e5
0x004163e7
0x004163f4
0x004163f4
0x00000000
0x004163e7
0x004163d3
0x004163d7
0x00000000
0x00000000
0x00000000
0x004163d7
0x004163b2
0x004163b6
0x00000000
0x00000000
0x00000000
0x004163b6
0x00416391
0x00416395
0x00000000
0x00000000
0x00000000
0x00416395
0x004162f2
0x004162f4
0x0041630b
0x00416313
0x00416315
0x0041632c
0x00416334
0x00416336
0x0041634d
0x00416355
0x00416357
0x00416364
0x00416364
0x00000000
0x00416357
0x00416343
0x00416347
0x00000000
0x00000000
0x00000000
0x00416347
0x00416322
0x00416326
0x00000000
0x00000000
0x00000000
0x00416326
0x00416301
0x00416305
0x00000000
0x00000000
0x00000000
0x00416305
0x00416263
0x00416265
0x0041627c
0x00416284
0x00416286
0x0041629d
0x004162a5
0x004162a7
0x004162be
0x004162c6
0x004162c8
0x004162d5
0x004162d5
0x00000000
0x004162c8
0x004162b4
0x004162b8
0x00000000
0x00000000
0x00000000
0x004162b8
0x00416293
0x00416297
0x00000000
0x00000000
0x00000000
0x00416297
0x00416272
0x00416276
0x00000000
0x00000000
0x00000000
0x00416276
0x004161d4
0x004161d6
0x004161ed
0x004161f5
0x004161f7
0x0041620e
0x00416216
0x00416218
0x0041622f
0x00416237
0x00416239
0x00416246
0x00416246
0x00000000
0x00416239
0x00416225
0x00416229
0x00000000
0x00000000
0x00000000
0x00416229
0x00416204
0x00416208
0x00000000
0x00000000
0x00000000
0x00416208
0x004161e3
0x004161e7
0x00000000
0x00000000
0x00000000
0x0041613d
0x0041613d
0x00416141
0x00416145
0x00416147
0x0041615e
0x0041615e
0x00416162
0x00416166
0x00416168
0x0041617f
0x0041617f
0x00416183
0x00416187
0x00416189
0x004161a0
0x004161a0
0x004161a4
0x004161a8
0x004161aa
0x004161b0
0x004161b3
0x004161b7
0x004161b7
0x00000000
0x004161aa
0x0041618f
0x00416192
0x00416196
0x0041619a
0x00000000
0x00000000
0x00000000
0x0041619a
0x0041616e
0x00416171
0x00416175
0x00416179
0x00000000
0x00000000
0x00000000
0x00416179
0x0041614d
0x00416150
0x00416154
0x00416158
0x00000000
0x00000000
0x00000000
0x00416158
0x0041552e
0x0041552e
0x00000000

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 8345204ae003dfb015fc851f0818e3b3c6fff625dc7de4c686bcf5d3db8f6dee
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 42D16E73C0A9B38A8735812D50681BBEE636FD165131FC3E2DCE42F38D922A9D9196D4

Uniqueness

Uniqueness Score: -1.00%

Function 00415D15, Relevance: .4, Instructions: 378
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00415D15(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t204;
				signed char _t206;
				signed int _t211;
				signed int _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t342;
				void* _t344;
				void* _t346;
				void* _t349;
				void* _t351;
				void* _t353;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t309 = 0;
					L15:
					if(_t309 != 0) {
						goto L1;
					}
					_t201 =  *(_t191 - 0x1a);
					if(_t201 ==  *(_t195 - 0x1a)) {
						_t309 = 0;
						L26:
						if(_t309 != 0) {
							goto L1;
						}
						_t202 =  *(_t191 - 0x16);
						if(_t202 ==  *(_t195 - 0x16)) {
							_t309 = 0;
							L37:
							if(_t309 != 0) {
								goto L1;
							}
							_t203 =  *(_t191 - 0x12);
							if(_t203 ==  *(_t195 - 0x12)) {
								_t309 = 0;
								L48:
								if(_t309 != 0) {
									goto L1;
								}
								_t204 =  *(_t191 - 0xe);
								if(_t204 ==  *(_t195 - 0xe)) {
									_t309 = 0;
									L59:
									if(_t309 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t309 = 0;
										L70:
										if(_t309 != 0) {
											goto L1;
										}
										_t206 =  *(_t191 - 6);
										if(_t206 ==  *(_t195 - 6)) {
											_t309 = 0;
											L81:
											if(_t309 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t312 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t312 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t192 = (0 | _t192 > 0x00000000) + (0 | _t192 > 0x00000000) - 1;
												}
												goto L3;
											}
											_t211 = (0 | _t312 > 0x00000000) + (0 | _t312 > 0x00000000) - 1;
											if(_t211 != 0) {
												_t192 = _t211;
												goto L3;
											}
											goto L4;
										}
										_t314 = (_t206 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t314 == 0) {
											L74:
											_t316 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t316 == 0) {
												L76:
												_t318 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t318 == 0) {
													L78:
													_t309 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t309 != 0) {
														_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
													}
													goto L81;
												}
												_t309 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
												if(_t309 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t309 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t309 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t321 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t321 == 0) {
										L63:
										_t323 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t323 == 0) {
											L65:
											_t325 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t325 == 0) {
												L67:
												_t309 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t309 != 0) {
													_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
												}
												goto L70;
											}
											_t309 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t309 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t309 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t328 = (_t204 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t328 == 0) {
									L52:
									_t330 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t330 == 0) {
										L54:
										_t332 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t332 == 0) {
											L56:
											_t309 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t309 != 0) {
												_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
											}
											goto L59;
										}
										_t309 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t309 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t309 = (0 | _t328 > 0x00000000) + (0 | _t328 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t335 = (_t203 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t335 == 0) {
								L41:
								_t337 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t337 == 0) {
									L43:
									_t339 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t339 == 0) {
										L45:
										_t309 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t309 != 0) {
											_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
										}
										goto L48;
									}
									_t309 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t309 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t309 = (0 | _t335 > 0x00000000) + (0 | _t335 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t342 = (_t202 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t342 == 0) {
							L30:
							_t344 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t344 == 0) {
								L32:
								_t346 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t346 == 0) {
									L34:
									_t309 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t309 != 0) {
										_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
									}
									goto L37;
								}
								_t309 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t309 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t309 = (0 | _t342 > 0x00000000) + (0 | _t342 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t349 = (_t201 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t349 == 0) {
						L19:
						_t351 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t351 == 0) {
							L21:
							_t353 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t353 == 0) {
								L23:
								_t309 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t309 != 0) {
									_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								}
								goto L26;
							}
							_t309 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t309 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t309 = (0 | _t349 > 0x00000000) + (0 | _t349 > 0x00000000) - 1;
					if(_t309 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L15;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L12;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L10;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t309;
				goto L3;
			}

0x00415d15
0x00415d15
0x00415d1b
0x00415d9a
0x00415d9c
0x00415d9e
0x00000000
0x00000000
0x00415da4
0x00415daa
0x00415e29
0x00415e2b
0x00415e2d
0x00000000
0x00000000
0x00415e33
0x00415e39
0x00415eb8
0x00415eba
0x00415ebc
0x00000000
0x00000000
0x00415ec2
0x00415ec8
0x00415f47
0x00415f49
0x00415f4b
0x00000000
0x00000000
0x00415f51
0x00415f57
0x00415fd6
0x00415fd8
0x00415fda
0x00000000
0x00000000
0x00415fe6
0x00416066
0x00416068
0x0041606a
0x00000000
0x00000000
0x00416070
0x00416076
0x004160f5
0x004160f7
0x004160f9
0x00000000
0x00000000
0x00416107
0x00415901
0x00415903
0x0041665f
0x0041665f
0x00416115
0x00416117
0x00415cf3
0x00415cfb
0x00415cfd
0x00415d0e
0x00415d0e
0x00000000
0x00415cfd
0x00416124
0x0041612a
0x00416543
0x00000000
0x00416543
0x00000000
0x00416130
0x0041607f
0x00416081
0x00416098
0x004160a0
0x004160a2
0x004160b9
0x004160c1
0x004160c3
0x004160da
0x004160e2
0x004160e4
0x004160f1
0x004160f1
0x00000000
0x004160e4
0x004160d0
0x004160d4
0x00000000
0x00000000
0x00000000
0x004160d4
0x004160af
0x004160b3
0x00000000
0x00000000
0x00000000
0x004160b3
0x0041608e
0x00416092
0x00000000
0x00000000
0x00000000
0x00416092
0x00415ff0
0x00415ff2
0x00416009
0x00416011
0x00416013
0x0041602a
0x00416032
0x00416034
0x0041604b
0x00416053
0x00416055
0x00416062
0x00416062
0x00000000
0x00416055
0x00416041
0x00416045
0x00000000
0x00000000
0x00000000
0x00416045
0x00416020
0x00416024
0x00000000
0x00000000
0x00000000
0x00416024
0x00415fff
0x00416003
0x00000000
0x00000000
0x00000000
0x00416003
0x00415f60
0x00415f62
0x00415f79
0x00415f81
0x00415f83
0x00415f9a
0x00415fa2
0x00415fa4
0x00415fbb
0x00415fc3
0x00415fc5
0x00415fd2
0x00415fd2
0x00000000
0x00415fc5
0x00415fb1
0x00415fb5
0x00000000
0x00000000
0x00000000
0x00415fb5
0x00415f90
0x00415f94
0x00000000
0x00000000
0x00000000
0x00415f94
0x00415f6f
0x00415f73
0x00000000
0x00000000
0x00000000
0x00415f73
0x00415ed1
0x00415ed3
0x00415eea
0x00415ef2
0x00415ef4
0x00415f0b
0x00415f13
0x00415f15
0x00415f2c
0x00415f34
0x00415f36
0x00415f43
0x00415f43
0x00000000
0x00415f36
0x00415f22
0x00415f26
0x00000000
0x00000000
0x00000000
0x00415f26
0x00415f01
0x00415f05
0x00000000
0x00000000
0x00000000
0x00415f05
0x00415ee0
0x00415ee4
0x00000000
0x00000000
0x00000000
0x00415ee4
0x00415e42
0x00415e44
0x00415e5b
0x00415e63
0x00415e65
0x00415e7c
0x00415e84
0x00415e86
0x00415e9d
0x00415ea5
0x00415ea7
0x00415eb4
0x00415eb4
0x00000000
0x00415ea7
0x00415e93
0x00415e97
0x00000000
0x00000000
0x00000000
0x00415e97
0x00415e72
0x00415e76
0x00000000
0x00000000
0x00000000
0x00415e76
0x00415e51
0x00415e55
0x00000000
0x00000000
0x00000000
0x00415e55
0x00415db3
0x00415db5
0x00415dcc
0x00415dd4
0x00415dd6
0x00415ded
0x00415df5
0x00415df7
0x00415e0e
0x00415e16
0x00415e18
0x00415e25
0x00415e25
0x00000000
0x00415e18
0x00415e04
0x00415e08
0x00000000
0x00000000
0x00000000
0x00415e08
0x00415de3
0x00415de7
0x00000000
0x00000000
0x00000000
0x00415de7
0x00415dc2
0x00415dc6
0x00000000
0x00000000
0x00000000
0x00415d1d
0x00415d1d
0x00415d20
0x00415d24
0x00415d26
0x00415d3d
0x00415d3d
0x00415d41
0x00415d45
0x00415d47
0x00415d5e
0x00415d5e
0x00415d62
0x00415d66
0x00415d68
0x00415d7f
0x00415d7f
0x00415d83
0x00415d87
0x00415d89
0x00415d8f
0x00415d92
0x00415d96
0x00415d96
0x00000000
0x00415d89
0x00415d6e
0x00415d71
0x00415d75
0x00415d79
0x00000000
0x00000000
0x00000000
0x00415d79
0x00415d4d
0x00415d50
0x00415d54
0x00415d58
0x00000000
0x00000000
0x00000000
0x00415d58
0x00415d2c
0x00415d2f
0x00415d33
0x00415d37
0x00000000
0x00000000
0x00000000
0x00415d37
0x0041552e
0x0041552e
0x00000000

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 7f1d1b7dba172a90adad90693823d38eedfde463e86eb79e2711e55fff790ed3
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 07D17D73C0A9B38A8736812D50582BBEE636FD165031FC3E2CCD42F38DD62A9D8196D4

Uniqueness

Uniqueness Score: -1.00%

Function 00415909, Relevance: .4, Instructions: 361
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00415909(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t296;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t334;
				void* _t336;
				void* _t338;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t296 = 0;
					L12:
					if(_t296 != 0) {
						goto L1;
					}
					_t193 =  *(_t183 - 0x19);
					if(_t193 ==  *(_t187 - 0x19)) {
						_t296 = 0;
						L23:
						if(_t296 != 0) {
							goto L1;
						}
						_t194 =  *(_t183 - 0x15);
						if(_t194 ==  *(_t187 - 0x15)) {
							_t296 = 0;
							L34:
							if(_t296 != 0) {
								goto L1;
							}
							_t195 =  *(_t183 - 0x11);
							if(_t195 ==  *(_t187 - 0x11)) {
								_t296 = 0;
								L45:
								if(_t296 != 0) {
									goto L1;
								}
								_t196 =  *(_t183 - 0xd);
								if(_t196 ==  *(_t187 - 0xd)) {
									_t296 = 0;
									L56:
									if(_t296 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t296 = 0;
										L67:
										if(_t296 != 0) {
											goto L1;
										}
										_t198 =  *(_t183 - 5);
										if(_t198 ==  *(_t187 - 5)) {
											_t296 = 0;
											L78:
											if(_t296 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t184 = (0 | _t184 > 0x00000000) + (0 | _t184 > 0x00000000) - 1;
											}
											L2:
											return _t184;
										}
										_t299 = (_t198 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t299 == 0) {
											L71:
											_t301 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t301 == 0) {
												L73:
												_t303 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t303 == 0) {
													L75:
													_t296 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t296 != 0) {
														_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t296 = (0 | _t303 > 0x00000000) + (0 | _t303 > 0x00000000) - 1;
												if(_t296 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t296 = (0 | _t301 > 0x00000000) + (0 | _t301 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t296 = (0 | _t299 > 0x00000000) + (0 | _t299 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t306 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t306 == 0) {
										L60:
										_t308 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t308 == 0) {
											L62:
											_t310 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t310 == 0) {
												L64:
												_t296 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t296 != 0) {
													_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												}
												goto L67;
											}
											_t296 = (0 | _t310 > 0x00000000) + (0 | _t310 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t296 = (0 | _t308 > 0x00000000) + (0 | _t308 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t296 = (0 | _t306 > 0x00000000) + (0 | _t306 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t313 = (_t196 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t313 == 0) {
									L49:
									_t315 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t315 == 0) {
										L51:
										_t317 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t317 == 0) {
											L53:
											_t296 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t296 != 0) {
												_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
											}
											goto L56;
										}
										_t296 = (0 | _t317 > 0x00000000) + (0 | _t317 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t296 = (0 | _t315 > 0x00000000) + (0 | _t315 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t296 = (0 | _t313 > 0x00000000) + (0 | _t313 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t320 = (_t195 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t320 == 0) {
								L38:
								_t322 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t322 == 0) {
									L40:
									_t324 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t324 == 0) {
										L42:
										_t296 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t296 != 0) {
											_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
										}
										goto L45;
									}
									_t296 = (0 | _t324 > 0x00000000) + (0 | _t324 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t296 = (0 | _t322 > 0x00000000) + (0 | _t322 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t296 = (0 | _t320 > 0x00000000) + (0 | _t320 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t327 = (_t194 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t327 == 0) {
							L27:
							_t329 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t329 == 0) {
								L29:
								_t331 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t331 == 0) {
									L31:
									_t296 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t296 != 0) {
										_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
									}
									goto L34;
								}
								_t296 = (0 | _t331 > 0x00000000) + (0 | _t331 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t296 = (0 | _t329 > 0x00000000) + (0 | _t329 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t296 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t334 = (_t193 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t334 == 0) {
						L16:
						_t336 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t336 == 0) {
							L18:
							_t338 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t338 == 0) {
								L20:
								_t296 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t296 != 0) {
									_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
								}
								goto L23;
							}
							_t296 = (0 | _t338 > 0x00000000) + (0 | _t338 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t296 = (0 | _t336 > 0x00000000) + (0 | _t336 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t296 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
					if(_t296 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L12;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L9;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L7;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t296;
				goto L2;
			}

0x00415909
0x00415909
0x0041590f
0x0041598e
0x00415990
0x00415992
0x00000000
0x00000000
0x00415998
0x0041599e
0x00415a1d
0x00415a1f
0x00415a21
0x00000000
0x00000000
0x00415a27
0x00415a2d
0x00415aac
0x00415aae
0x00415ab0
0x00000000
0x00000000
0x00415ab6
0x00415abc
0x00415b3b
0x00415b3d
0x00415b3f
0x00000000
0x00000000
0x00415b45
0x00415b4b
0x00415bca
0x00415bcc
0x00415bce
0x00000000
0x00000000
0x00415bda
0x00415c5a
0x00415c5c
0x00415c5e
0x00000000
0x00000000
0x00415c64
0x00415c6a
0x00415ce9
0x00415ceb
0x00415ced
0x00000000
0x00000000
0x00415cfb
0x00415cfd
0x00415d0e
0x00415d0e
0x00415903
0x0041665f
0x0041665f
0x00415c73
0x00415c75
0x00415c8c
0x00415c94
0x00415c96
0x00415cad
0x00415cb5
0x00415cb7
0x00415cce
0x00415cd6
0x00415cd8
0x00415ce5
0x00415ce5
0x00000000
0x00415cd8
0x00415cc4
0x00415cc8
0x00000000
0x00000000
0x00000000
0x00415cc8
0x00415ca3
0x00415ca7
0x00000000
0x00000000
0x00000000
0x00415ca7
0x00415c82
0x00415c86
0x00000000
0x00000000
0x00000000
0x00415c86
0x00415be4
0x00415be6
0x00415bfd
0x00415c05
0x00415c07
0x00415c1e
0x00415c26
0x00415c28
0x00415c3f
0x00415c47
0x00415c49
0x00415c56
0x00415c56
0x00000000
0x00415c49
0x00415c35
0x00415c39
0x00000000
0x00000000
0x00000000
0x00415c39
0x00415c14
0x00415c18
0x00000000
0x00000000
0x00000000
0x00415c18
0x00415bf3
0x00415bf7
0x00000000
0x00000000
0x00000000
0x00415bf7
0x00415b54
0x00415b56
0x00415b6d
0x00415b75
0x00415b77
0x00415b8e
0x00415b96
0x00415b98
0x00415baf
0x00415bb7
0x00415bb9
0x00415bc6
0x00415bc6
0x00000000
0x00415bb9
0x00415ba5
0x00415ba9
0x00000000
0x00000000
0x00000000
0x00415ba9
0x00415b84
0x00415b88
0x00000000
0x00000000
0x00000000
0x00415b88
0x00415b63
0x00415b67
0x00000000
0x00000000
0x00000000
0x00415b67
0x00415ac5
0x00415ac7
0x00415ade
0x00415ae6
0x00415ae8
0x00415aff
0x00415b07
0x00415b09
0x00415b20
0x00415b28
0x00415b2a
0x00415b37
0x00415b37
0x00000000
0x00415b2a
0x00415b16
0x00415b1a
0x00000000
0x00000000
0x00000000
0x00415b1a
0x00415af5
0x00415af9
0x00000000
0x00000000
0x00000000
0x00415af9
0x00415ad4
0x00415ad8
0x00000000
0x00000000
0x00000000
0x00415ad8
0x00415a36
0x00415a38
0x00415a4f
0x00415a57
0x00415a59
0x00415a70
0x00415a78
0x00415a7a
0x00415a91
0x00415a99
0x00415a9b
0x00415aa8
0x00415aa8
0x00000000
0x00415a9b
0x00415a87
0x00415a8b
0x00000000
0x00000000
0x00000000
0x00415a8b
0x00415a66
0x00415a6a
0x00000000
0x00000000
0x00000000
0x00415a6a
0x00415a45
0x00415a49
0x00000000
0x00000000
0x00000000
0x00415a49
0x004159a7
0x004159a9
0x004159c0
0x004159c8
0x004159ca
0x004159e1
0x004159e9
0x004159eb
0x00415a02
0x00415a0a
0x00415a0c
0x00415a19
0x00415a19
0x00000000
0x00415a0c
0x004159f8
0x004159fc
0x00000000
0x00000000
0x00000000
0x004159fc
0x004159d7
0x004159db
0x00000000
0x00000000
0x00000000
0x004159db
0x004159b6
0x004159ba
0x00000000
0x00000000
0x00000000
0x00415911
0x00415911
0x00415914
0x00415918
0x0041591a
0x00415931
0x00415931
0x00415935
0x00415939
0x0041593b
0x00415952
0x00415952
0x00415956
0x0041595a
0x0041595c
0x00415973
0x00415973
0x00415977
0x0041597b
0x0041597d
0x00415983
0x00415986
0x0041598a
0x0041598a
0x00000000
0x0041597d
0x00415962
0x00415965
0x00415969
0x0041596d
0x00000000
0x00000000
0x00000000
0x0041596d
0x00415941
0x00415944
0x00415948
0x0041594c
0x00000000
0x00000000
0x00000000
0x0041594c
0x00415920
0x00415923
0x00415927
0x0041592b
0x00000000
0x00000000
0x00000000
0x0041592b
0x0041552e
0x0041552e
0x00000000

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: e46aa74bb020d9ebbc0fb3bbbf14fe3e865da12592543abdb7407e22bac6dcd0
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: EDC16E73D1AEB38A8735812D50681FBEE636FD165031EC3E28CE43F38D912A9D8196D4

Uniqueness

Uniqueness Score: -1.00%

Function 00415535, Relevance: .4, Instructions: 351
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00415535(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t187;
				signed char _t188;
				signed char _t189;
				signed char _t191;
				signed char _t192;
				signed int _t198;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t284 = 0;
					L11:
					if(_t284 != 0) {
						goto L1;
					}
					_t187 =  *(_t177 - 0x18);
					if(_t187 ==  *(_t181 - 0x18)) {
						_t284 = 0;
						L22:
						if(_t284 != 0) {
							goto L1;
						}
						_t188 =  *(_t177 - 0x14);
						if(_t188 ==  *(_t181 - 0x14)) {
							_t284 = 0;
							L33:
							if(_t284 != 0) {
								goto L1;
							}
							_t189 =  *(_t177 - 0x10);
							if(_t189 ==  *(_t181 - 0x10)) {
								_t284 = 0;
								L44:
								if(_t284 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t284 = 0;
									L55:
									if(_t284 != 0) {
										goto L1;
									}
									_t191 =  *(_t177 - 8);
									if(_t191 ==  *(_t181 - 8)) {
										_t284 = 0;
										L66:
										if(_t284 != 0) {
											goto L1;
										}
										_t192 =  *(_t177 - 4);
										if(_t192 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t287 = (_t192 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t287 == 0) {
											L70:
											_t289 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t289 == 0) {
												L72:
												_t291 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t291 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t178 = (0 | _t178 > 0x00000000) + (0 | _t178 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t198 = (0 | _t291 > 0x00000000) + (0 | _t291 > 0x00000000) - 1;
												if(_t198 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t198;
												goto L78;
											}
											_t198 = (0 | _t289 > 0x00000000) + (0 | _t289 > 0x00000000) - 1;
											if(_t198 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t198 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
										if(_t198 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t293 = (_t191 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t293 == 0) {
										L59:
										_t295 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t295 == 0) {
											L61:
											_t297 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t297 == 0) {
												L63:
												_t284 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t284 != 0) {
													_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
												}
												goto L66;
											}
											_t284 = (0 | _t297 > 0x00000000) + (0 | _t297 > 0x00000000) - 1;
											if(_t284 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t284 = (0 | _t295 > 0x00000000) + (0 | _t295 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t284 = (0 | _t293 > 0x00000000) + (0 | _t293 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t300 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t300 == 0) {
									L48:
									_t302 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t302 == 0) {
										L50:
										_t304 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t304 == 0) {
											L52:
											_t284 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t284 != 0) {
												_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
											}
											goto L55;
										}
										_t284 = (0 | _t304 > 0x00000000) + (0 | _t304 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t284 = (0 | _t302 > 0x00000000) + (0 | _t302 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t284 = (0 | _t300 > 0x00000000) + (0 | _t300 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t307 = (_t189 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t307 == 0) {
								L37:
								_t309 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t309 == 0) {
									L39:
									_t311 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t311 == 0) {
										L41:
										_t284 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t284 != 0) {
											_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
										}
										goto L44;
									}
									_t284 = (0 | _t311 > 0x00000000) + (0 | _t311 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t284 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t284 = (0 | _t307 > 0x00000000) + (0 | _t307 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t314 = (_t188 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t314 == 0) {
							L26:
							_t316 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t316 == 0) {
								L28:
								_t318 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t318 == 0) {
									L30:
									_t284 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t284 != 0) {
										_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
									}
									goto L33;
								}
								_t284 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t284 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t284 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t321 = (_t187 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t321 == 0) {
						L15:
						_t323 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t323 == 0) {
							L17:
							_t325 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t325 == 0) {
								L19:
								_t284 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t284 != 0) {
									_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
								}
								goto L22;
							}
							_t284 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t284 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t284 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
					if(_t284 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L11;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t284;
				goto L80;
			}

0x00415535
0x00415535
0x0041553b
0x004155ae
0x004155b0
0x004155b2
0x00000000
0x00000000
0x004155b8
0x004155be
0x0041563d
0x0041563f
0x00415641
0x00000000
0x00000000
0x00415647
0x0041564d
0x004156cc
0x004156ce
0x004156d0
0x00000000
0x00000000
0x004156d6
0x004156dc
0x0041575b
0x0041575d
0x0041575f
0x00000000
0x00000000
0x0041576b
0x004157eb
0x004157ed
0x004157ef
0x00000000
0x00000000
0x004157f5
0x004157fb
0x0041587a
0x0041587c
0x0041587e
0x00000000
0x00000000
0x00415884
0x0041588a
0x004158fb
0x004158fd
0x004158ff
0x00415901
0x00415901
0x00415903
0x0041665f
0x0041665f
0x00415893
0x00415895
0x004158a6
0x004158ae
0x004158b0
0x004158c1
0x004158c9
0x004158cb
0x004158e0
0x004158e8
0x004158ea
0x004158f7
0x004158f7
0x00000000
0x004158ea
0x004158d4
0x004158da
0x00000000
0x00000000
0x004158dc
0x004158dc
0x00000000
0x004158dc
0x004158b9
0x004158bf
0x00000000
0x00000000
0x00000000
0x004158bf
0x0041589e
0x004158a4
0x00000000
0x00000000
0x00000000
0x004158a4
0x00415804
0x00415806
0x0041581d
0x00415825
0x00415827
0x0041583e
0x00415846
0x00415848
0x0041585f
0x00415867
0x00415869
0x00415876
0x00415876
0x00000000
0x00415869
0x00415855
0x00415859
0x00000000
0x00000000
0x00000000
0x00415859
0x00415834
0x00415838
0x00000000
0x00000000
0x00000000
0x00415838
0x00415813
0x00415817
0x00000000
0x00000000
0x00000000
0x00415817
0x00415775
0x00415777
0x0041578e
0x00415796
0x00415798
0x004157af
0x004157b7
0x004157b9
0x004157d0
0x004157d8
0x004157da
0x004157e7
0x004157e7
0x00000000
0x004157da
0x004157c6
0x004157ca
0x00000000
0x00000000
0x00000000
0x004157ca
0x004157a5
0x004157a9
0x00000000
0x00000000
0x00000000
0x004157a9
0x00415784
0x00415788
0x00000000
0x00000000
0x00000000
0x00415788
0x004156e5
0x004156e7
0x004156fe
0x00415706
0x00415708
0x0041571f
0x00415727
0x00415729
0x00415740
0x00415748
0x0041574a
0x00415757
0x00415757
0x00000000
0x0041574a
0x00415736
0x0041573a
0x00000000
0x00000000
0x00000000
0x0041573a
0x00415715
0x00415719
0x00000000
0x00000000
0x00000000
0x00415719
0x004156f4
0x004156f8
0x00000000
0x00000000
0x00000000
0x004156f8
0x00415656
0x00415658
0x0041566f
0x00415677
0x00415679
0x00415690
0x00415698
0x0041569a
0x004156b1
0x004156b9
0x004156bb
0x004156c8
0x004156c8
0x00000000
0x004156bb
0x004156a7
0x004156ab
0x00000000
0x00000000
0x00000000
0x004156ab
0x00415686
0x0041568a
0x00000000
0x00000000
0x00000000
0x0041568a
0x00415665
0x00415669
0x00000000
0x00000000
0x00000000
0x00415669
0x004155c7
0x004155c9
0x004155e0
0x004155e8
0x004155ea
0x00415601
0x00415609
0x0041560b
0x00415622
0x0041562a
0x0041562c
0x00415639
0x00415639
0x00000000
0x0041562c
0x00415618
0x0041561c
0x00000000
0x00000000
0x00000000
0x0041561c
0x004155f7
0x004155fb
0x00000000
0x00000000
0x00000000
0x004155fb
0x004155d6
0x004155da
0x00000000
0x00000000
0x00000000
0x0041553d
0x0041553d
0x00415540
0x00415544
0x00415546
0x00415559
0x00415559
0x0041555d
0x00415561
0x00415563
0x00415576
0x00415576
0x0041557a
0x0041557e
0x00415580
0x00415593
0x00415593
0x00415597
0x0041559b
0x0041559d
0x004155a3
0x004155a6
0x004155aa
0x004155aa
0x00000000
0x0041559d
0x00415586
0x00415589
0x0041558d
0x00415591
0x00000000
0x00000000
0x00000000
0x00415591
0x00415569
0x0041556c
0x00415570
0x00415574
0x00000000
0x00000000
0x00000000
0x00415574
0x0041554c
0x0041554f
0x00415553
0x00415557
0x00000000
0x00000000
0x00000000
0x00415557
0x0041552e
0x0041552e
0x00000000

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 2c3bfc351a61054c374a8fd5be6a54f1f18552b71571a465d5411a81f20003fa
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 7DC16E73D1ADB38A8735812D50582FBEE636FD174031EC3A29CE42F38DD22A9D9196D4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0E1, Relevance: .3, Instructions: 306
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040D0E1(signed int* __eax, signed int* __ecx, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				unsigned int _v28;
				unsigned int _v32;
				unsigned int _v44;
				signed int _t195;
				unsigned int _t198;
				signed int* _t284;
				signed int* _t285;
				signed int _t286;
				unsigned int _t289;
				unsigned int _t304;
				unsigned int _t328;
				unsigned int _t350;
				signed int* _t385;
				signed int _t417;
				unsigned int _t421;
				unsigned int _t435;

				_t286 =  *__ecx;
				_v8 = _t286;
				_t284 = __ecx + (_t286 << 5) + 0x10;
				_t289 = _t284[2] ^ __eax[2];
				_t198 =  *_t284 ^  *__eax;
				_t421 = _t284[1] ^ __eax[1];
				_t328 = _t284[3] ^ __eax[3];
				_v20 = _t289;
				_v16 = _t328;
				_v12 = _t289 >> 0x00000010 & 0x000000ff;
				_t285 = _t284 - 0x20;
				_v44 =  *(0x42f7b0 + (_t328 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + _v12 * 4) ^  *(0x42ffb0 + (_t421 >> 0x18) * 4) ^  *(0x42f3b0 + (_t198 & 0x000000ff) * 4) ^ _t285[4];
				_v24 = _t421;
				_t350 =  *(0x42f7b0 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_t421 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_t198 >> 0x18) * 4) ^  *(0x42f3b0 + (_v16 & 0x000000ff) * 4) ^ _t285[7];
				_t304 =  *(0x42f7b0 + (_t421 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_t198 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v16 >> 0x18) * 4) ^  *(0x42f3b0 + (_v20 & 0x000000ff) * 4) ^ _t285[6];
				_v32 = _t350;
				_t435 =  *(0x42fbb0 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42f7b0 + (_t198 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v20 >> 0x18) * 4) ^  *(0x42f3b0 + (_v24 & 0x000000ff) * 4) ^ _t285[5];
				_t60 =  &_v8;
				 *_t60 = _v8 - 1;
				if( *_t60 != 0) {
					while(1) {
						_v28 =  *(0x42f7b0 + (_t350 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_t304 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_t435 >> 0x18) * 4) ^  *(0x42f3b0 + (_v44 & 0x000000ff) * 4) ^  *_t285;
						_v20 =  *(0x42f7b0 + (_t435 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_v44 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v32 >> 0x18) * 4) ^  *(0x42f3b0 + (_t304 & 0x000000ff) * 4) ^ _t285[2];
						_v16 =  *(0x42fbb0 + (_t435 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42f7b0 + (_t304 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v44 >> 0x18) * 4) ^  *(0x42f3b0 + (_v32 & 0x000000ff) * 4) ^ _t285[3];
						_t285 = _t285 - 0x20;
						_t417 =  *(0x42fbb0 + (_v32 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42f7b0 + (_v44 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_t304 >> 0x18) * 4) ^  *(0x42f3b0 + (_t435 & 0x000000ff) * 4) ^ _t285[9];
						_v44 =  *(0x42f7b0 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_t417 >> 0x18) * 4) ^  *(0x42f3b0 + (_v28 & 0x000000ff) * 4) ^ _t285[4];
						_t304 =  *(0x42f7b0 + (_t417 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_v28 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v16 >> 0x18) * 4) ^  *(0x42f3b0 + (_v20 & 0x000000ff) * 4) ^ _t285[6];
						_v32 =  *(0x42f7b0 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42fbb0 + (_t417 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v28 >> 0x18) * 4) ^  *(0x42f3b0 + (_v16 & 0x000000ff) * 4) ^ _t285[7];
						_t158 =  &_v8;
						 *_t158 = _v8 - 1;
						_t435 =  *(0x42fbb0 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42f7b0 + (_v28 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ffb0 + (_v20 >> 0x18) * 4) ^  *(0x42f3b0 + (_t417 & 0x000000ff) * 4) ^ _t285[5];
						if( *_t158 == 0) {
							goto L4;
						}
						_t350 = _v32;
					}
				}
				L4:
				 *_a4 = ((( *((_t304 >> 0x00000010 & 0x000000ff) + 0x4303b0) & 0x000000ff | ( *((_t435 >> 0x18) + 0x4303b0) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_v32 >> 0x00000008 & 0x000000ff) + 0x4303b0) & 0x000000ff) << 0x00000008 |  *((_v44 & 0x000000ff) + 0x4303b0) & 0x000000ff) ^  *_t285;
				_a4[1] = ((( *((_v32 >> 0x00000010 & 0x000000ff) + 0x4303b0) & 0x000000ff | ( *((_t304 >> 0x18) + 0x4303b0) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_v44 >> 0x00000008 & 0x000000ff) + 0x4303b0) & 0x000000ff) << 0x00000008 |  *((_t435 & 0x000000ff) + 0x4303b0) & 0x000000ff) ^ _t285[1];
				_t385 = _a4;
				_t385[2] = ((( *((_v44 >> 0x00000010 & 0x000000ff) + 0x4303b0) & 0x000000ff | ( *((_v32 >> 0x18) + 0x4303b0) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t435 >> 0x00000008 & 0x000000ff) + 0x4303b0) & 0x000000ff) << 0x00000008 |  *((_t304 & 0x000000ff) + 0x4303b0) & 0x000000ff) ^ _t285[2];
				_t195 =  *((_v32 & 0x000000ff) + 0x4303b0) & 0x000000ff;
				_t385[3] = ((( *((_t435 >> 0x00000010 & 0x000000ff) + 0x4303b0) & 0x000000ff | ( *((_v44 >> 0x18) + 0x4303b0) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t304 >> 0x00000008 & 0x000000ff) + 0x4303b0) & 0x000000ff) << 0x00000008 | _t195) ^ _t285[3];
				return _t195;
			}

0x0040d0e7
0x0040d0e9
0x0040d0ef
0x0040d0f6
0x0040d0fc
0x0040d102
0x0040d109
0x0040d10c
0x0040d10f
0x0040d121
0x0040d14c
0x0040d157
0x0040d18d
0x0040d1c3
0x0040d1c6
0x0040d1fa
0x0040d1fd
0x0040d200
0x0040d200
0x0040d203
0x0040d20e
0x0040d248
0x0040d282
0x0040d2be
0x0040d2de
0x0040d2f5
0x0040d32e
0x0040d3a0
0x0040d3a3
0x0040d3da
0x0040d3da
0x0040d3dd
0x0040d3df
0x00000000
0x00000000
0x0040d20b
0x0040d20b
0x0040d20e
0x0040d3e5
0x0040d42e
0x0040d47a
0x0040d4c4
0x0040d4cc
0x0040d4fe
0x0040d50d
0x0040d514

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cfc6000c62d7bd4ad52ff40bd66c3b0a36c2a62a8a423c049686098c6414be0
Instruction ID: 76f220414fc603ce51afa1bac02335ee47805ea7e198b4a5cd840bd89b385469
Opcode Fuzzy Hash: 0cfc6000c62d7bd4ad52ff40bd66c3b0a36c2a62a8a423c049686098c6414be0
Instruction Fuzzy Hash: 8FD13D77E106658BDB50CFA9DCD0149B7B2BB89320B9F82B4CA5467216C234B913CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCB9, Relevance: .3, Instructions: 302
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040CCB9(signed int* __eax, intOrPtr* __ecx, signed int* _a4) {
				char _v8;
				signed int _v12;
				unsigned int _v16;
				unsigned int _v20;
				unsigned int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _t188;
				unsigned int _t191;
				signed int* _t275;
				signed int* _t276;
				signed int* _t277;
				unsigned int _t282;
				unsigned int _t297;
				unsigned int _t341;
				signed int* _t377;
				signed int _t409;
				unsigned int _t413;
				unsigned int _t427;

				_v8 =  *__ecx;
				_t275 = __ecx + 0x10;
				_v20 =  *(__ecx + 0x14) ^ __eax[1];
				_t282 = _t275[3] ^ __eax[3];
				_t191 = _t275[2] ^ __eax[2];
				_t413 =  *_t275 ^  *__eax;
				_v12 = _t282;
				_t276 =  &(_t275[4]);
				_v32 =  *(0x42e7b0 + (_t282 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ebb0 + (_t413 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v20 >> 0x18) * 4) ^  *(0x42e3b0 + (_t191 & 0x000000ff) * 4) ^ _t275[6];
				_v24 = _t413;
				_t297 =  *(0x42ebb0 + (_t191 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v12 >> 0x18) * 4) ^  *(0x42e3b0 + (_t413 & 0x000000ff) * 4) ^  *_t276;
				_t341 =  *(0x42ebb0 + (_v20 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_t413 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_t191 >> 0x18) * 4) ^  *(0x42e3b0 + (_v12 & 0x000000ff) * 4) ^ _t276[3];
				_v28 = _t341;
				_t427 =  *(0x42ebb0 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_t191 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v24 >> 0x18) * 4) ^  *(0x42e3b0 + (_v20 & 0x000000ff) * 4) ^ _t276[1];
				while(1) {
					_t56 =  &_v8;
					 *_t56 = _v8 - 1;
					if( *_t56 == 0) {
						break;
					}
					_v16 =  *(0x42e7b0 + (_t341 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ebb0 + (_t297 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42efb0 + (_t427 >> 0x18) * 4) ^  *(0x42e3b0 + (_v32 & 0x000000ff) * 4) ^ _t276[6];
					_v24 =  *(0x42e7b0 + (_t427 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ebb0 + (_v32 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v28 >> 0x18) * 4) ^  *(0x42e3b0 + (_t297 & 0x000000ff) * 4) ^ _t276[4];
					_v12 =  *(0x42ebb0 + (_t427 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_t297 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v32 >> 0x18) * 4) ^  *(0x42e3b0 + (_v28 & 0x000000ff) * 4) ^ _t276[7];
					_t276 =  &(_t276[8]);
					_t409 =  *(0x42ebb0 + (_v28 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_v32 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_t297 >> 0x18) * 4) ^  *(0x42e3b0 + (_t427 & 0x000000ff) * 4) ^  *(_t276 - 0xc);
					_v32 =  *(0x42e7b0 + (_v12 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42ebb0 + (_v24 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42efb0 + (_t409 >> 0x18) * 4) ^  *(0x42e3b0 + (_v16 & 0x000000ff) * 4) ^ _t276[2];
					_t297 =  *(0x42ebb0 + (_v16 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_t409 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v12 >> 0x18) * 4) ^  *(0x42e3b0 + (_v24 & 0x000000ff) * 4) ^  *_t276;
					_v28 =  *(0x42ebb0 + (_t409 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_v24 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v16 >> 0x18) * 4) ^  *(0x42e3b0 + (_v12 & 0x000000ff) * 4) ^ _t276[3];
					_t341 = _v28;
					_t427 =  *(0x42ebb0 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x42e7b0 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x42efb0 + (_v24 >> 0x18) * 4) ^  *(0x42e3b0 + (_t409 & 0x000000ff) * 4) ^ _t276[1];
				}
				_t277 =  &(_t276[4]);
				 *_a4 = ((( *((_v32 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff | ( *((_t341 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t427 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t297 & 0x000000ff) + 0x42cdd8) & 0x000000ff) ^  *_t277;
				_a4[1] = ((( *((_v28 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff | ( *((_t297 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_v32 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t427 & 0x000000ff) + 0x42cdd8) & 0x000000ff) ^ _t277[1];
				_t377 = _a4;
				_t377[2] = ((( *((_t297 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff | ( *((_t427 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_v28 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_v32 & 0x000000ff) + 0x42cdd8) & 0x000000ff) ^ _t277[2];
				_t188 =  *((_v28 & 0x000000ff) + 0x42cdd8) & 0x000000ff;
				_t377[3] = ((( *((_t427 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff | ( *((_v32 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t297 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 | _t188) ^ _t277[3];
				return _t188;
			}

0x0040ccc1
0x0040ccca
0x0040cccd
0x0040ccd3
0x0040ccda
0x0040cce0
0x0040cce3
0x0040cd23
0x0040cd29
0x0040cd5e
0x0040cd88
0x0040cd96
0x0040cdca
0x0040cdcd
0x0040cdd0
0x0040cdd0
0x0040cdd0
0x0040cdd3
0x00000000
0x00000000
0x0040ce14
0x0040ce4e
0x0040ce8a
0x0040ceaa
0x0040cec1
0x0040cef9
0x0040cf6c
0x0040cf6e
0x0040cfa2
0x0040cfa8
0x0040cfa8
0x0040cff3
0x0040cff8
0x0040d044
0x0040d08e
0x0040d096
0x0040d0c8
0x0040d0d7
0x0040d0de

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9c7050ca94e8298667664901ff717b58675a00e7e2e33fca0e0cfc9411951c
Instruction ID: e55cd98cb9f967dd300f2e58628a4cb6cdbaafe22551165e888f1a22e7b5183d
Opcode Fuzzy Hash: 8c9c7050ca94e8298667664901ff717b58675a00e7e2e33fca0e0cfc9411951c
Instruction Fuzzy Hash: 44D11E37E106658BDB50CFAADCC0159B7A3BFC9320B9F86A8CA5467256C2347913CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D67F, Relevance: .1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0040D67F() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __esi;
				char _t34;
				signed int _t41;
				signed int _t54;
				signed int _t55;
				void* _t62;
				signed int _t70;
				signed int _t96;
				signed int _t99;
				signed int _t107;
				signed int _t113;
				signed int _t124;
				signed int _t125;
				signed int _t127;
				signed int _t134;
				signed int _t137;
				signed int _t138;
				signed int _t143;
				signed int _t145;

				_t34 = 0;
				do {
					_t1 = _t34 + 0x42cdd8; // 0x7b777c63
					 *((char*)(( *_t1 & 0x000000ff) + 0x4303b0)) = _t34;
					_t34 = _t34 + 1;
				} while (_t34 < 0x100);
				_v8 = _v8 & 0x00000000;
				do {
					_t6 = _v8 + 0x42cdd8; // 0x7b777c63
					_t137 =  *_t6 & 0x000000ff;
					asm("sbb eax, eax");
					_t41 = ( ~(_t137 & 0x80) & 0x0000001b ^ _t137 + _t137) & 0x000000ff;
					_t99 = _t41 ^ _t137;
					_v12 = _t99;
					_t96 = _v8 << 2;
					 *(_t96 + 0x42e3b0) = ((_t99 << 0x00000008 | _t137) << 0x00000008 | _t137) << 0x00000008 | _t41;
					_t107 = _t137 << 8;
					 *(_t96 + 0x42e7b0) = ((_t107 | _t137) << 0x00000008 | _t41) << 0x00000008 | _v12;
					_t70 = _v8;
					_t15 = _t70 + 0x42cdd8; // 0x7b777c63
					_t138 =  *_t15 & 0x000000ff;
					 *(_t96 + 0x42ebb0) = ((_t107 | _t41) << 0x00000008 | _v12) << 0x00000008 | _t138;
					_t17 = _t70 + 0x4303b0; // 0xd56a0952
					_t113 =  *_t17 & 0x000000ff;
					 *(_t96 + 0x42efb0) = ((_t41 << 0x00000008 | _v12) << 0x00000008 | _t138) << 0x00000008 | _t138;
					_v12 = _t113;
					asm("sbb eax, eax");
					_t54 = ( ~(_t113 & 0x80) & 0x0000001b ^ _t113 + _t113) & 0x000000ff;
					asm("sbb esi, esi");
					_t143 = ( ~(_t54 & 0x80) & 0x0000001b ^ _t54 + _t54) & 0x000000ff;
					asm("sbb edx, edx");
					_t124 = ( ~(_t143 & 0x80) & 0x0000001b ^ _t143 + _t143) & 0x000000ff;
					_v16 = _t124 ^ _v12;
					_t134 = _t124 ^ _t54 ^ _v12;
					_t125 = _t124 ^ _t143;
					_t145 = _t125 ^ _v12;
					_t55 = _t125 ^ _t54;
					_t127 = _v16;
					 *(_t96 + 0x42f3b0) = ((_t134 << 0x00000008 | _t145) << 0x00000008 | _t127) << 0x00000008 | _t55;
					 *(_t96 + 0x42f7b0) = ((_t145 << 0x00000008 | _t127) << 0x00000008 | _t55) << 0x00000008 | _t134;
					_v8 = _v8 + 1;
					_t150 = _v8 - 0x100;
					 *(_t96 + 0x42fbb0) = ((_t127 << 0x00000008 | _t55) << 0x00000008 | _t134) << 0x00000008 | _t145;
					 *(_t96 + 0x42ffb0) = ((_t55 << 0x00000008 | _t134) << 0x00000008 | _t145) << 0x00000008 | _t127;
				} while (_v8 < 0x100);
				 *0x431158 = E0040D534;
				 *0x431160 = E0040D58C;
				 *0x43115c = E0040D60E;
				_t62 = E0040DBBE(_t145, _t150);
				if(_t62 != 0) {
					 *0x431158 = 0x4106ae;
					 *0x431160 = 0x4106b3;
					 *0x43115c = 0x4106b8;
					return _t62;
				}
				return _t62;
			}

0x0040d685
0x0040d687
0x0040d687
0x0040d68e
0x0040d694
0x0040d695
0x0040d69c
0x0040d6a3
0x0040d6a6
0x0040d6a6
0x0040d6b6
0x0040d6c5
0x0040d6c9
0x0040d6cb
0x0040d6dd
0x0040d6e0
0x0040d6e8
0x0040d70e
0x0040d714
0x0040d717
0x0040d717
0x0040d722
0x0040d728
0x0040d728
0x0040d734
0x0040d73e
0x0040d746
0x0040d74f
0x0040d75b
0x0040d765
0x0040d771
0x0040d77b
0x0040d782
0x0040d789
0x0040d78c
0x0040d790
0x0040d79f
0x0040d7a1
0x0040d7ab
0x0040d7c2
0x0040d7e8
0x0040d7eb
0x0040d7f2
0x0040d7f8
0x0040d7f8
0x0040d804
0x0040d80e
0x0040d818
0x0040d822
0x0040d82c
0x0040d82e
0x0040d838
0x0040d842
0x00000000
0x0040d842
0x0040d84d

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee69a52f2e05a42dc781db024eb72f8ab53ffe79c266a6572178bcad1af81da
Instruction ID: 6a22c5127146d23af461cc2f65cf440ff924ceb3262248ac72f561739daf3693
Opcode Fuzzy Hash: aee69a52f2e05a42dc781db024eb72f8ab53ffe79c266a6572178bcad1af81da
Instruction Fuzzy Hash: 2251D432F206704AF700CAAA8CC41897FE3EBC8345759C67AC954DB285C7BC4557CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB18, Relevance: .1, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040CB18(intOrPtr* __ecx, signed int* __edx, signed int _a4) {
				signed int* _v8;
				signed int _v12;
				intOrPtr _v16;
				unsigned int _t37;
				signed int _t38;
				signed int _t40;
				void* _t72;
				signed int* _t73;
				signed int _t77;
				intOrPtr _t90;
				signed int _t91;
				signed int _t100;

				_t73 = __edx;
				_t37 = _a4;
				_t90 = _t37 + 0x1c;
				_t38 = _t37 >> 2;
				 *__ecx = (_t38 >> 1) + 3;
				_t72 = __ecx + 0x10;
				_t100 = 0;
				_v16 = _t90;
				_a4 = _t38;
				if(_t38 <= 0) {
					L2:
					if(_t100 >= _t90) {
						L10:
						return _t38;
					}
					_v8 = _t72 + (_t100 - _t38) * 4;
					do {
						_t40 = _t100;
						_t77 = _t40 % _a4;
						_t91 =  *(_t72 + _t100 * 4 - 4);
						_v12 = _t40 / _a4;
						if(_t77 != 0) {
							if(_a4 > 6 && _t77 == 4) {
								_t91 = (( *((_t91 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff | ( *((_t91 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008) << 0x00000008 |  *((_t91 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t91 & 0x000000ff) + 0x42cdd8) & 0x000000ff;
							}
						} else {
							_t91 = ((( *((_t91 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t91 >> 0x18) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t91 >> 0x00000010 & 0x000000ff) + 0x42cdd8) & 0x000000ff) << 0x00000008 |  *((_t91 >> 0x00000008 & 0x000000ff) + 0x42cdd8) & 0x000000ff ^  *(_v12 + 0x42ced8) & 0x000000ff;
						}
						_v8 =  &(_v8[1]);
						_t38 =  *_v8 ^ _t91;
						 *(_t72 + _t100 * 4) = _t38;
						_t100 = _t100 + 1;
					} while (_t100 < _v16);
					goto L10;
				} else {
					goto L1;
				}
				do {
					L1:
					 *(_t72 + _t100 * 4) =  *_t73;
					_t100 = _t100 + 1;
					_t73 =  &(_t73[1]);
				} while (_t100 < _t38);
				goto L2;
			}

0x0040cb18
0x0040cb1e
0x0040cb24
0x0040cb27
0x0040cb31
0x0040cb33
0x0040cb36
0x0040cb38
0x0040cb3b
0x0040cb40
0x0040cb4f
0x0040cb51
0x0040cc36
0x0040cc36
0x0040cc36
0x0040cb5e
0x0040cb61
0x0040cb63
0x0040cb65
0x0040cb68
0x0040cb6c
0x0040cb71
0x0040cbcc
0x0040cc18
0x0040cc18
0x0040cb73
0x0040cbc4
0x0040cbc4
0x0040cc1f
0x0040cc23
0x0040cc25
0x0040cc28
0x0040cc29
0x00000000
0x00000000
0x00000000
0x00000000
0x0040cb42
0x0040cb42
0x0040cb44
0x0040cb47
0x0040cb48
0x0040cb4b
0x00000000

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b0f386d1f83ac84247768cd47b6c21ba11a82ca0a77180d09c64650b95f758e
Instruction ID: 4a51ee0899f6aa877cb982f23d933457a9856b6070a88fcefa5a6ad76c6c8c19
Opcode Fuzzy Hash: 0b0f386d1f83ac84247768cd47b6c21ba11a82ca0a77180d09c64650b95f758e
Instruction Fuzzy Hash: 0C313632F506218BE7118F6E8CC005DBFE3AFC521075882B6D9A4DB386D938EA52C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA77, Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040CA77(signed int __ecx, signed char __edx, unsigned int _a4, unsigned int _a8) {
				signed int _t32;
				unsigned int _t34;
				signed char _t45;
				unsigned int _t65;

				_t65 = _a8;
				_t32 = __ecx;
				_t45 = __edx;
				while(_a4 > 0) {
					if((_t45 & 0x00000003) != 0) {
						_t32 = _t32 >> 0x00000008 ^  *(_t65 + (( *_t45 & 0x000000ff ^ _t32) & 0x000000ff) * 4);
						_a4 = _a4 - 1;
						_t45 = _t45 + 1;
						continue;
					}
					break;
				}
				if(_a4 >= 4) {
					_a8 = _a4 >> 2;
					do {
						_t34 = _t32 ^  *_t45;
						_a4 = _a4 - 4;
						_t45 = _t45 + 4;
						_t25 =  &_a8;
						 *_t25 = _a8 - 1;
						_t32 =  *(_t65 + 0x800 + (_t34 >> 0x00000008 & 0x000000ff) * 4) ^  *(_t65 + 0x400 + (_t34 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t65 + 0xc00 + (_t34 & 0x000000ff) * 4) ^  *(_t65 + (_t34 >> 0x18) * 4);
					} while ( *_t25 != 0);
					L9:
					while(_a4 > 0) {
						_t32 = _t32 >> 0x00000008 ^  *(_t65 + (( *_t45 & 0x000000ff ^ _t32) & 0x000000ff) * 4);
						_a4 = _a4 - 1;
						_t45 = _t45 + 1;
					}
					return _t32;
				}
				goto L9;
			}

0x0040ca7b
0x0040ca7e
0x0040ca80
0x0040caa0
0x0040ca8d
0x0040ca99
0x0040ca9c
0x0040ca9f
0x00000000
0x0040ca9f
0x00000000
0x0040ca8d
0x0040caaa
0x0040cab2
0x0040cab6
0x0040cab6
0x0040cab8
0x0040cae9
0x0040caec
0x0040caec
0x0040caef
0x0040caef
0x00000000
0x0040cb07
0x0040cb00
0x0040cb03
0x0040cb06
0x0040cb06
0x0040cb10
0x0040cb10
0x00000000

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba07dcea3c86158cd3bd6dc6ecf5688b8c76a034248f7408b1467d4b0ce7cb9
Instruction ID: 4b2e18279380e8e2ea2cade48a7a33503f3b558ca5dd1125519b5dc0726fd5de
Opcode Fuzzy Hash: 5ba07dcea3c86158cd3bd6dc6ecf5688b8c76a034248f7408b1467d4b0ce7cb9
Instruction Fuzzy Hash: 87110433210619DBD715CF29D880397B3E2EBC4359F2AC13AED455B241C638F582CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA29, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040DA29(intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t18;

				asm("cpuid");
				_v8 = _a4;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				 *_a8 = _v8;
				 *_a12 = _v12;
				 *_a16 = _v16;
				_t18 = _v20;
				 *_a20 = _t18;
				return _t18;
			}

0x0040da39
0x0040da3b
0x0040da3e
0x0040da41
0x0040da44
0x0040da4d
0x0040da55
0x0040da5d
0x0040da5f
0x0040da65
0x0040da69

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f640c13c4a1a1083acb58eab2e31c20d3daad36dbe5f2c12d2aea573353dbb
Instruction ID: 77ecadd4a482efa7565a9f0d42a66e586b69bcb13aa4452082738fb18a71dae5
Opcode Fuzzy Hash: 71f640c13c4a1a1083acb58eab2e31c20d3daad36dbe5f2c12d2aea573353dbb
Instruction Fuzzy Hash: 46F074B5A05209EFCB09CFA9C49199EFBF5FF49304B1084A9E819E7350E731AA11CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004187A8, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E004187A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x42a518);
				E00417B6C(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E0041A9CE(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x424b30;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x42d840;
				E00419EA7(_t35, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E0041887D();
				E00419EA7(_t35, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x42d830; // 0x42d758
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E0041C7F2( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E00417BB1(E00418886());
			}

0x004187a8
0x004187a8
0x004187aa
0x004187af
0x004187b4
0x004187ba
0x004187c2
0x004187c5
0x004187ca
0x004187cb
0x004187ce
0x004187d1
0x004187db
0x004187e0
0x004187e8
0x004187f0
0x00418800
0x00418800
0x00418806
0x00418809
0x00418810
0x00418817
0x00418820
0x00418826
0x0041882d
0x00418833
0x0041883a
0x00418841
0x00418847
0x0041884a
0x0041884d
0x00418852
0x00418854
0x00418859
0x00418859
0x0041885f
0x00418865
0x00418876

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042A518,0000000C,004188E3,00000000,00000000,?,0041ADD9,?,00000001,?,?,00419E31,00000018,0042A720,0000000C), ref: 004187BA
__crt_waiting_on_module_handle.LIBCMT ref: 004187C5

Part of subcall function 0041A9CE: Sleep.KERNEL32(000003E8,?,?,004186CE,KERNEL32.DLL,?,0041873A,?,00417A43), ref: 0041A9DA
Part of subcall function 0041A9CE: GetModuleHandleW.KERNEL32(?,?,?,004186CE,KERNEL32.DLL,?,0041873A,?,00417A43), ref: 0041A9E3

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004187EE
GetProcAddress.KERNEL32(?,DecodePointer), ref: 004187FE
__lock.LIBCMT ref: 00418820
InterlockedIncrement.KERNEL32(0042D840), ref: 0041882D
__lock.LIBCMT ref: 00418841
___addlocaleref.LIBCMT ref: 0041885F

Strings

EncodePointer, xrefs: 004187E2
DecodePointer, xrefs: 004187F6
KERNEL32.DLL, xrefs: 004187B4, 004187B9, 004187C4
0KB, xrefs: 004187D1

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: 0KB$DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-1715683212
Opcode ID: 4eb2d2d8578cbe2392ac86c1bfc58d6bd58baf4d5e2e4a7a381ae62765332dd5
Instruction ID: 4d8d1e5cb8e65c047eab52f700794214e88104f2c80f6a1ae4ac75198ce655ca
Opcode Fuzzy Hash: 4eb2d2d8578cbe2392ac86c1bfc58d6bd58baf4d5e2e4a7a381ae62765332dd5
Instruction Fuzzy Hash: 65117571A44701AED720EF76E845B9ABBF0AF44318F60452FE46993291CB7CA981CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A76E, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040A76E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t29;
				intOrPtr _t39;
				void* _t40;

				_push(8);
				E00416B21(E00421764, __ebx, __edi, __esi);
				_t39 = __ecx;
				 *((intOrPtr*)(_t40 - 0x14)) = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = 0x423648;
				 *((intOrPtr*)(__ecx + 8)) = 0x423320;
				 *((intOrPtr*)(__ecx + 0xc)) = 0x423848;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x423434;
				 *((intOrPtr*)(__ecx + 0x14)) = 0x423860;
				 *((intOrPtr*)(__ecx + 0x18)) = 0x423874;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0x423634;
				 *((intOrPtr*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x42391c;
				 *((intOrPtr*)(__ecx + 4)) = 0x423904;
				 *((intOrPtr*)(__ecx + 8)) = 0x4238f0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0x4238d8;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x4238c4;
				 *((intOrPtr*)(__ecx + 0x14)) = 0x4238b0;
				 *((intOrPtr*)(__ecx + 0x18)) = 0x42389c;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0x423888;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(_t40 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((intOrPtr*)(__ecx + 0x50)) = 0;
				 *((intOrPtr*)(__ecx + 0x54)) = 0;
				 *((intOrPtr*)(__ecx + 0x58)) = 0;
				 *((char*)(_t40 - 4)) = 4;
				_t29 = E0040D873(0x20000);
				 *((intOrPtr*)(__ecx + 0x24)) = _t29;
				if(_t29 == 0) {
					 *((intOrPtr*)(_t40 - 0x10)) = 1;
					E004166E0(_t40 - 0x10, 0x4286f8);
				}
				return E00416BF9(_t39);
			}

0x0040a76e
0x0040a775
0x0040a77a
0x0040a77c
0x0040a77f
0x0040a786
0x0040a78d
0x0040a794
0x0040a79b
0x0040a7a2
0x0040a7a9
0x0040a7b2
0x0040a7b5
0x0040a7bb
0x0040a7c2
0x0040a7c9
0x0040a7d0
0x0040a7d7
0x0040a7de
0x0040a7e5
0x0040a7ec
0x0040a7ef
0x0040a7f2
0x0040a7f5
0x0040a7f8
0x0040a7fb
0x0040a803
0x0040a807
0x0040a80c
0x0040a811
0x0040a81c
0x0040a823
0x0040a823
0x0040a82f

APIs

__EH_prolog3.LIBCMT ref: 0040A775
__CxxThrowException@8.LIBCMT ref: 0040A823

Part of subcall function 004166E0: RaiseException.KERNEL32(?,?,?,00000001), ref: 00416722

Strings

44B, xrefs: 0040A794
3B, xrefs: 0040A786
H8B, xrefs: 0040A78D
46B, xrefs: 0040A7A9
H6B, xrefs: 0040A77F
`8B, xrefs: 0040A79B
t8B, xrefs: 0040A7A2

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: 3B$44B$46B$H6B$H8B$`8B$t8B
API String ID: 1961742612-2761110864
Opcode ID: 8d49567196da936ebbc0d9ea60041d4412a75d13e74f9ea9f58c624d0a3c3cca
Instruction ID: c0ed3f570d0a6da7dbc72ff777c841338a477779ef8172924cce9f6de6350eef
Opcode Fuzzy Hash: 8d49567196da936ebbc0d9ea60041d4412a75d13e74f9ea9f58c624d0a3c3cca
Instruction Fuzzy Hash: 4F11B4B0A01B649EC720EF56A40414AFAF4BF50709B90C90FE0969BA11C7FCA649CF88

Uniqueness

Uniqueness Score: -1.00%

Function 0041397A, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66
memorystringwindowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041397A(void* __ecx) {
				WCHAR* _t12;
				signed short _t15;
				signed int _t18;
				short* _t19;
				wchar_t* _t21;
				short* _t25;
				void* _t29;
				intOrPtr _t30;
				WCHAR* _t31;

				_t29 = __ecx;
				_t31 = __ecx + 0xc;
				if( *_t31 == 0) {
					FormatMessageW(0x1300, 0,  *(__ecx + 4), 0x400, _t31, 0, 0);
					_t12 =  *_t31;
					if(_t12 == 0) {
						_t21 = LocalAlloc(0, 0x40);
						 *_t31 = _t21;
						if(_t21 != 0) {
							_t30 =  *((intOrPtr*)(_t29 + 4));
							_t15 = E00413828(_t30) & 0x0000ffff;
							if(_t15 == 0) {
								_push(_t30);
								_push(L"Unknown error 0x%0lX");
							} else {
								_push(_t15 & 0x0000ffff);
								_push(L"IDispatch error #%d");
							}
							swprintf(_t21, 0x20);
						}
					} else {
						_t18 = lstrlenW(_t12);
						if(_t18 > 1) {
							_t25 =  *_t31 + _t18 * 2 - 2;
							if( *_t25 == 0xa) {
								 *_t25 = 0;
								_t19 =  *_t31 + _t18 * 2 - 4;
								if( *_t19 == 0xd) {
									 *_t19 = 0;
								}
							}
						}
					}
				}
				return  *_t31;
			}

0x0041397d
0x0041397f
0x00413986
0x0041399d
0x004139a3
0x004139a7
0x004139e3
0x004139e5
0x004139e9
0x004139eb
0x004139f4
0x004139fa
0x00413a07
0x00413a08
0x004139fc
0x004139ff
0x00413a00
0x00413a00
0x00413a10
0x00413a15
0x004139a9
0x004139aa
0x004139b3
0x004139b7
0x004139bf
0x004139c3
0x004139c8
0x004139d0
0x004139d4
0x004139d4
0x004139d0
0x004139bf
0x004139b3
0x004139a7
0x00413a1e

APIs

FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000), ref: 0041399D
lstrlenW.KERNEL32(00000000), ref: 004139AA
LocalAlloc.KERNEL32(00000000,00000040), ref: 004139DD
swprintf.LIBCMT ref: 00413A10

Strings

Unknown error 0x%0lX, xrefs: 00413A08
IDispatch error #%d, xrefs: 00413A00

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: AllocFormatLocalMessagelstrlenswprintf
String ID: IDispatch error #%d$Unknown error 0x%0lX
API String ID: 2315917530-2934499512
Opcode ID: 1007b1d4e643293475a76aff5da773719591f5f1a5e5eba02f0138274c1fd98f
Instruction ID: f10323cc770acb026687d76090fc9bd105fa0f7589f96fb523d81ed819a8aa42
Opcode Fuzzy Hash: 1007b1d4e643293475a76aff5da773719591f5f1a5e5eba02f0138274c1fd98f
Instruction Fuzzy Hash: CD110475200214ABC3209F96EC40DB777A9EF4538A760045FF185A7241C379AE92C7B8

Uniqueness

Uniqueness Score: -1.00%

Function 004138BE, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004138BE(void* __ebx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				signed int _t15;
				long _t26;
				void* _t31;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t37;
				signed int _t38;
				void* _t40;

				_t31 = __edx;
				_t38 = _t40 - 0x1f8c;
				E00417EA0(0x200c);
				_t15 = M0042D330; // 0xdf8f31de
				 *(_t38 + 0x1f88) = _t15 ^ _t38;
				E00417D60(0x2000, _t38 - 0x78, 0, 0x2000);
				GetModuleFileNameW(0, _t38 - 0x78, 0x2000);
				 *(_t38 - 0x7c) = 0;
				RegCreateKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted", 0, 0, 0, 0xf003f, 0, _t38 - 0x7c, 0);
				 *(_t38 - 0x80) = 0x20;
				RegSetValueExW( *(_t38 - 0x7c), _t38 - 0x78, 0, 4, _t38 - 0x80, 4);
				_t26 = RegCloseKey( *(_t38 - 0x7c));
				_t34 = _t32;
				_t37 = _t35;
				return E00416B12(_t26, __ebx,  *(_t38 + 0x1f88) ^ _t38, _t31, _t34, _t37);
			}

0x004138be
0x004138bf
0x004138cb
0x004138d0
0x004138d7
0x004138ec
0x004138fa
0x00413918
0x0041391b
0x00413931
0x00413938
0x00413941
0x0041394d
0x00413950
0x0041395d

APIs

_memset.LIBCMT ref: 004138EC
GetModuleFileNameW.KERNEL32(00000000,?,00002000), ref: 004138FA
RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0041391B
RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 00413938
RegCloseKey.ADVAPI32(?), ref: 00413941

Strings

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted, xrefs: 0041390E

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CloseCreateFileModuleNameValue_memset
String ID: Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
API String ID: 2280741871-1848367592
Opcode ID: 8082dd58de45f4dff7bdfc74514df0a5a51cbff410d03d1bd434bab7d9ddbba1
Instruction ID: c7f43e50d42ea44c9d94cf56d05aa8b030a1cd6eea72f480556a558956673729
Opcode Fuzzy Hash: 8082dd58de45f4dff7bdfc74514df0a5a51cbff410d03d1bd434bab7d9ddbba1
Instruction Fuzzy Hash: A9112E72A00118AAE7309FA1EC48EEEBF7CEF45355F50002AFA15A3145D7345644CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00411A77, Relevance: 9.1, APIs: 6, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00411A77(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t51;
				void* _t58;
				void* _t65;
				void* _t72;
				void* _t102;
				void* _t103;
				void* _t106;

				_t106 = __eflags;
				_t83 = __ebx;
				_push(0x3c);
				E00416B21(E00421EB1, __ebx, __edi, __esi);
				_t102 = __ecx;
				 *((intOrPtr*)(_t102 + 0x20)) = GetDlgItem( *(__ecx + 4), 0x3e9);
				E00411A09(_t102 + 0x20,  *((intOrPtr*)(_t102 + 0x28)));
				E0040320A(_t103 - 0x3c);
				 *(_t103 - 4) =  *(_t103 - 4) & 0x00000000;
				_t51 = E0040C825(_t103 - 0x3c, _t103 - 0x30, 0x45);
				 *(_t103 - 4) = 1;
				E00408639(_t103 - 0x3c, _t103, _t51);
				_push( *(_t103 - 0x30));
				 *(_t103 - 4) = 0;
				L00408BFB(__ebx, __edi, _t102, _t106);
				SetWindowTextW( *(_t102 + 4),  *(_t103 - 0x3c));
				E0040320A(_t103 - 0x30);
				 *(_t103 - 4) = 2;
				_t58 = E0040C825(_t103 - 0x30, _t103 - 0x24, 0x13);
				 *(_t103 - 4) = 3;
				E00408639(_t103 - 0x30, _t103, _t58);
				_push( *(_t103 - 0x24));
				 *(_t103 - 4) = 2;
				L00408BFB(__ebx, __edi, _t102, _t106);
				_t100 = SetDlgItemTextW;
				SetDlgItemTextW( *(_t102 + 4), 0x3e8,  *(_t103 - 0x30));
				E0040320A(_t103 - 0x24);
				 *(_t103 - 4) = 4;
				_t65 = E0040C825(_t103 - 0x24, _t103 - 0x18, 0x14);
				 *(_t103 - 4) = 5;
				E00408639(_t103 - 0x24, _t103, _t65);
				_push( *(_t103 - 0x18));
				 *(_t103 - 4) = 4;
				L00408BFB(__ebx, SetDlgItemTextW, _t102, _t106);
				SetDlgItemTextW( *(_t102 + 4), 1,  *(_t103 - 0x24));
				E0040320A(_t103 - 0x18);
				 *(_t103 - 4) = 6;
				_t72 = E0040C825(_t103 - 0x18, _t103 - 0x48, 0x15);
				 *(_t103 - 4) = 7;
				E00408639(_t103 - 0x18, _t103, _t72);
				_push( *((intOrPtr*)(_t103 - 0x48)));
				 *(_t103 - 4) = 6;
				L00408BFB(_t83, SetDlgItemTextW, _t102, _t106);
				SetDlgItemTextW( *(_t102 + 4), 2,  *(_t103 - 0x18));
				E00410729(_t102);
				_push( *(_t103 - 0x18));
				L00408BFB(_t83, SetDlgItemTextW, _t102, _t106);
				_push( *(_t103 - 0x24));
				L00408BFB(_t83, SetDlgItemTextW, _t102, _t106);
				_push( *(_t103 - 0x30));
				L00408BFB(_t83, _t100, _t102, _t106);
				_push( *(_t103 - 0x3c));
				L00408BFB(_t83, _t100, _t102, _t106);
				return E00416BF9(0);
			}

0x00411a77
0x00411a77
0x00411a77
0x00411a7e
0x00411a83
0x00411a99
0x00411a9b
0x00411aa3
0x00411aa8
0x00411ab2
0x00411abb
0x00411abf
0x00411ac4
0x00411ac7
0x00411acb
0x00411ad8
0x00411ae1
0x00411aec
0x00411af0
0x00411af9
0x00411afd
0x00411b02
0x00411b05
0x00411b09
0x00411b11
0x00411b21
0x00411b26
0x00411b31
0x00411b35
0x00411b3e
0x00411b42
0x00411b47
0x00411b4a
0x00411b4e
0x00411b5d
0x00411b62
0x00411b6d
0x00411b71
0x00411b7a
0x00411b7e
0x00411b83
0x00411b86
0x00411b8a
0x00411b98
0x00411b9c
0x00411ba1
0x00411ba4
0x00411ba9
0x00411bac
0x00411bb1
0x00411bb4
0x00411bb9
0x00411bbc
0x00411bcb

APIs

__EH_prolog3.LIBCMT ref: 00411A7E
GetDlgItem.USER32 ref: 00411A8D

Part of subcall function 00411A09: SetWindowTextW.USER32(?,?), ref: 00411A0F

SetWindowTextW.USER32(00000000,?), ref: 00411AD8
SetDlgItemTextW.USER32 ref: 00411B21
SetDlgItemTextW.USER32 ref: 00411B5D
SetDlgItemTextW.USER32 ref: 00411B98

Part of subcall function 00410729: SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00410735

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Text$Item$Window$H_prolog3MessageSend
String ID:
API String ID: 928829568-0
Opcode ID: 802c91afe97d1eade87020117d9fdee0a4cfe7031478d465e4457d5fb8506098
Instruction ID: b35731b5b207d9e68d92d03bfb8da29b4d9b2404adce00c662d50eeccadc7d86
Opcode Fuzzy Hash: 802c91afe97d1eade87020117d9fdee0a4cfe7031478d465e4457d5fb8506098
Instruction Fuzzy Hash: 46417C71800248EEDB01FBA5CD46EDDBBB8AF18319F10406EF145721E2DE796A05AB69

Uniqueness

Uniqueness Score: -1.00%

Function 00412298, Relevance: 9.1, APIs: 6, Instructions: 51
synchronizationwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412298(void* __ecx, WCHAR* _a4, WCHAR* _a8, signed int _a12) {
				signed int _v8;
				WCHAR* _v12;
				void* _v16;
				void* _t37;

				_t37 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					MessageBoxW(0, _a4, _a8, _a12 | 0x00012000);
				} else {
					WaitForSingleObject( *(__ecx + 0x1c), 0xffffffff);
					_v16 = _a4;
					_v12 = _a8;
					_v8 = _a12;
					 *(_t37 + 0x14) = CreateEventW(0, 1, 0, 0);
					SendMessageW( *(_t37 + 4),  *(_t37 + 0x10), 0,  &_v16);
					CloseHandle( *(_t37 + 0x14));
					WaitForSingleObject( *(_t37 + 0x14), 0xffffffff);
				}
				return  *((intOrPtr*)(_t37 + 0xc));
			}

0x004122a0
0x004122a7
0x0041230b
0x004122a9
0x004122b5
0x004122bb
0x004122c2
0x004122cb
0x004122d4
0x004122e2
0x004122eb
0x004122f6
0x004122f8
0x00412317

APIs

WaitForSingleObject.KERNEL32(000000FF,000000FF), ref: 004122B5
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 004122CE
SendMessageW.USER32(?,?,00000000,?), ref: 004122E2
CloseHandle.KERNEL32(?), ref: 004122EB
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004122F6
MessageBoxW.USER32(00000000,?,?,?), ref: 0041230B

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: MessageObjectSingleWait$CloseCreateEventHandleSend
String ID:
API String ID: 3833482109-0
Opcode ID: 44920d0e2901c177dbfc16c8892598c63b16038f6ad1b0fd031c99cde1ba5956
Instruction ID: 05a45f98d4f0a9b26814a01a8a2d873a3ab4fc0ac20ff3765e6b91abeb90003f
Opcode Fuzzy Hash: 44920d0e2901c177dbfc16c8892598c63b16038f6ad1b0fd031c99cde1ba5956
Instruction Fuzzy Hash: B1111E76600208FFCB21DFA8DD84D9ABBF9FB083117108629F566D2160D774E9159F64

Uniqueness

Uniqueness Score: -1.00%

Function 00418FBB, Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00418FBB(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_t53 = __edx;
				_push(0x2c);
				_push(0x42a608);
				E00417B6C(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E00416A0D(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00418908(__ecx, __edx, _t55, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00418908(_t48, __edx, _t55, _t61) + 0x8c));
				 *((intOrPtr*)(E00418908(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E00418908(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E00416AB2(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E004190E1(_t48, _t53, _t55, _t57, _t61);
				return E00417BB1( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x00418fbb
0x00418fbb
0x00418fbb
0x00418fbd
0x00418fc2
0x00418fc7
0x00418fc9
0x00418fcc
0x00418fcf
0x00418fd2
0x00418fd9
0x00418fea
0x00418ff8
0x00419006
0x0041900e
0x0041901c
0x00419022
0x00419029
0x0041902c
0x00419042
0x00419045
0x004190ba
0x004190c1
0x004190c8
0x004190d5

APIs

__CreateFrameInfo.LIBCMT ref: 00418FE3

Part of subcall function 00416A0D: __getptd.LIBCMT ref: 00416A1B
Part of subcall function 00416A0D: __getptd.LIBCMT ref: 00416A29

__getptd.LIBCMT ref: 00418FED

Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918

__getptd.LIBCMT ref: 00418FFB
__getptd.LIBCMT ref: 00419009
__getptd.LIBCMT ref: 00419014
_CallCatchBlock2.LIBCMT ref: 0041903A

Part of subcall function 00416AB2: __CallSettingFrame@12.LIBCMT ref: 00416AFE

Part of subcall function 004190E1: __getptd.LIBCMT ref: 004190F0
Part of subcall function 004190E1: __getptd.LIBCMT ref: 004190FE

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 579217b7b214393cdbf3c318ed8681e717d909f332bb998e76287aaa26f99446
Instruction ID: 6df8628facb7d4bd9ee04be2732a904581002fda0bb0b1463858a6040737a04e
Opcode Fuzzy Hash: 579217b7b214393cdbf3c318ed8681e717d909f332bb998e76287aaa26f99446
Instruction Fuzzy Hash: EF11D7B1D10209DFDB00EFA5C846AED7BB4FF09318F50806EF854AB251DB389A919F59

Uniqueness

Uniqueness Score: -1.00%

Function 00412207, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412207(intOrPtr* __ecx, intOrPtr _a4) {
				intOrPtr* _t15;

				_t15 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = _a4;
				 *__ecx = 0x423e38;
				 *((char*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(_t15 + 0x1c)) = CreateEventW(0, 1, 0, 0);
				 *((intOrPtr*)(_t15 + 8)) = RegisterWindowMessageW(L"CDialog::MSG_CREATE_MODAL_DLG");
				 *((intOrPtr*)(_t15 + 0x10)) = RegisterWindowMessageW(L"CDialog::MSG_CREATE_MESSAGE_BOX");
				return _t15;
			}

0x0041220c
0x0041220f
0x00412219
0x0041221f
0x00412233
0x0041223d
0x00412242
0x00412249

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00412462,00000000,?,00412918,00000004,00412DAA), ref: 00412222
RegisterWindowMessageW.USER32(CDialog::MSG_CREATE_MODAL_DLG,?,00412462,00000000,?,00412918,00000004,00412DAA), ref: 00412236
RegisterWindowMessageW.USER32(CDialog::MSG_CREATE_MESSAGE_BOX,?,00412462,00000000,?,00412918,00000004,00412DAA), ref: 00412240

Strings

CDialog::MSG_CREATE_MESSAGE_BOX, xrefs: 00412238
CDialog::MSG_CREATE_MODAL_DLG, xrefs: 0041222E

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: MessageRegisterWindow$CreateEvent
String ID: CDialog::MSG_CREATE_MESSAGE_BOX$CDialog::MSG_CREATE_MODAL_DLG
API String ID: 2418267205-1515309323
Opcode ID: a1f4990a0d09b2e152a2986f9456ecd0e7071f3338bf2d159a5823b6b1520f03
Instruction ID: 7a56bd6417bd55e6eff5826dd3db06749024ae003c45236857a91da1aefad182
Opcode Fuzzy Hash: a1f4990a0d09b2e152a2986f9456ecd0e7071f3338bf2d159a5823b6b1520f03
Instruction Fuzzy Hash: EEE06DB2710350AFD3309F79AC04927FAF8EF55701791892FF491D3210D2B8E9058B94

Uniqueness

Uniqueness Score: -1.00%

Function 00418D0A, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00418D0A(void* __edx, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				void* _t23;
				void* _t25;

				_t26 = __esi;
				_t24 = __edx;
				_t11 =  *((intOrPtr*)( *_a4));
				if(_t11 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E00418908(_t23, __edx, _t25, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E00418908(_t23, __edx, _t25, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L5;
				} else {
					_t32 = _t11 - 0xe06d7363;
					if(_t11 != 0xe06d7363) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						 *(E00418908(_t23, __edx, _t25, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
						_push(8);
						_push(0x42a6c0);
						E00417B6C(_t23, _t25, __esi);
						_t19 =  *((intOrPtr*)(E00418908(_t23, __edx, _t25, _t32) + 0x78));
						if(_t19 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t19();
							_v8 = 0xfffffffe;
						}
						return E00417BB1(E004182E8(_t23, _t24, _t25, _t26));
					}
				}
			}

0x00418d0a
0x00418d0a
0x00418d14
0x00418d1b
0x00418d3a
0x00418d41
0x00418d48
0x00418d4d
0x00418d4d
0x00418d4d
0x00000000
0x00418d1d
0x00418d1d
0x00418d22
0x00418d4f
0x00418d4f
0x00418d52
0x00418d24
0x00418d29
0x00419914
0x00419916
0x0041991b
0x00419925
0x0041992a
0x0041992c
0x00419930
0x0041993b
0x0041993b
0x0041994c
0x0041994c
0x00418d22

APIs

__getptd.LIBCMT ref: 00418D24

Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918

__getptd.LIBCMT ref: 00418D35
__getptd.LIBCMT ref: 00418D43

Strings

csm, xrefs: 00418D1D
MOC, xrefs: 00418D16

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 248be03a206c6a55057d12ce47396a5383d0cb7058c7b3fb3aa76f8b972b7f58
Instruction ID: 27ff82cd3330833795aa0bae25d065d47b14e5a22e3d47f3feb9cea4d9ff3d65
Opcode Fuzzy Hash: 248be03a206c6a55057d12ce47396a5383d0cb7058c7b3fb3aa76f8b972b7f58
Instruction Fuzzy Hash: E9E01AB12202088FC710AA65D44ABA933A8AB58318F1600AAE408CF363CB3CD8C0955B

Uniqueness

Uniqueness Score: -1.00%

Function 0041CBF4, Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0041CBF4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x42a800);
				E00417B6C(__ebx, __edi, __esi);
				_t31 = E00418908(__ebx, __edx, __edi, _t35);
				_t15 =  *0x42e020; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00419EA7(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x42dc68; // 0x22a1620
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x42d840;
								if(__eflags != 0) {
									_push(_t33);
									E004174DE(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x42dc68; // 0x22a1620
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x42dc68; // 0x22a1620
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0041CC8F();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0041A9FE(_t29, _t31, 0x20);
				}
				return E00417BB1(_t33);
			}

0x0041cbf4
0x0041cbf4
0x0041cbf4
0x0041cbf4
0x0041cbf6
0x0041cbfb
0x0041cc05
0x0041cc07
0x0041cc0f
0x0041cc30
0x0041cc36
0x0041cc3a
0x0041cc3d
0x0041cc40
0x0041cc46
0x0041cc48
0x0041cc4a
0x0041cc4d
0x0041cc53
0x0041cc55
0x0041cc57
0x0041cc5d
0x0041cc5f
0x0041cc60
0x0041cc65
0x0041cc5d
0x0041cc55
0x0041cc66
0x0041cc6b
0x0041cc6e
0x0041cc74
0x0041cc78
0x0041cc78
0x0041cc7e
0x0041cc85
0x0041cc17
0x0041cc17
0x0041cc17
0x0041cc1c
0x0041cc20
0x0041cc25
0x0041cc2d

APIs

__getptd.LIBCMT ref: 0041CC00

Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918

__amsg_exit.LIBCMT ref: 0041CC20
__lock.LIBCMT ref: 0041CC30
InterlockedDecrement.KERNEL32(?), ref: 0041CC4D
InterlockedIncrement.KERNEL32(022A1620), ref: 0041CC78

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 0d130036e55c6d8c92cbe47bde502ac891a0113e34d28d943e827f390023fd41
Instruction ID: 342b5fc9f3facb3c44125a49419e8c9e1354d52a9280f9b853240e0c54386efc
Opcode Fuzzy Hash: 0d130036e55c6d8c92cbe47bde502ac891a0113e34d28d943e827f390023fd41
Instruction Fuzzy Hash: CF018E31E84721ABD720AF2A9C8979A7760AF04B15F50011BE80467390DB3C6DD2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00417A2C, Relevance: 7.5, APIs: 5, Instructions: 24
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00417A2C(intOrPtr __edx, void* __edi, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
				struct _SECURITY_ATTRIBUTES* _v0;
				intOrPtr _v4;
				DWORD* _v12;
				void* _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __esi;
				void* _t30;
				void* _t36;
				DWORD* _t41;
				intOrPtr* _t43;
				void* _t45;
				void* _t51;
				long _t54;
				void* _t64;
				intOrPtr _t65;
				intOrPtr* _t67;
				void* _t68;
				intOrPtr _t71;
				void* _t74;

				_t64 = __edi;
				_t61 = __edx;
				_t74 = _v24;
				E0041AC84(_v28);
				asm("int3");
				_t71 = _t74;
				_push(_t67);
				E0041871A();
				_t30 = E004186FA(E00418714());
				if(_t30 != 0) {
					_t54 = _a4;
					 *((intOrPtr*)(_t30 + 0x54)) =  *((intOrPtr*)(_t54 + 0x54));
					 *((intOrPtr*)(_t30 + 0x58)) =  *((intOrPtr*)(_t54 + 0x58));
					_t61 =  *((intOrPtr*)(_t54 + 4));
					_push(_t54);
					 *((intOrPtr*)(_t30 + 4)) =  *((intOrPtr*)(_t54 + 4));
					E00418922(_t51, __edi, _t67, __eflags);
				} else {
					_t67 = _a4;
					if(E0041874E(E00418714(), _t67) == 0) {
						ExitThread(GetLastError());
					}
					 *_t67 = GetCurrentThreadId();
				}
				_t79 =  *0x434300;
				if( *0x434300 != 0) {
					_t45 = E0041AFE0(_t79, 0x434300);
					_pop(_t54);
					_t80 = _t45;
					if(_t45 != 0) {
						 *0x434300(); // executed
					}
				}
				E004179F7(_t61, _t64, _t67, _t80); // executed
				asm("int3");
				_push(_t71);
				_push(_t54);
				_push(_t51);
				_push(_t64);
				_t65 = _v4;
				_v24 = 0;
				_t81 = _t65;
				if(_t65 != 0) {
					_push(_t67);
					E0041871A();
					_t68 = E0041AE0D(1, 0x214);
					__eflags = _t68;
					if(__eflags == 0) {
						L17:
						_push(_t68);
						E004174DE(0, _t65, _t68, __eflags);
						__eflags = _v12;
						if(_v12 != 0) {
							E0041AD6E(_v12);
						}
						_t36 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E00418908(0, _t61, _t65, __eflags) + 0x6c)));
						_push(_t68);
						E004187A8(0, _t65, _t68, __eflags);
						 *(_t68 + 4) =  *(_t68 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t68 + 0x58)) = _a12;
						_t41 = _a20;
						 *((intOrPtr*)(_t68 + 0x54)) = _t65;
						__eflags = _t41;
						if(_t41 == 0) {
							_t41 =  &_a8;
						}
						_t36 = CreateThread(_v0, _a4, E00417A38, _t68, _a16, _t41); // executed
						__eflags = _t36;
						if(__eflags == 0) {
							_v12 = GetLastError();
							goto L17;
						}
					}
				} else {
					_t43 = E0041AD48(_t81);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t43 = 0x16;
					E0041B335(_t61, _t65, _t67);
					_t36 = 0;
				}
				return _t36;
			}

0x00417a2c
0x00417a2c
0x00417a2c
0x00417a32
0x00417a37
0x00417a3b
0x00417a3d
0x00417a3e
0x00417a49
0x00417a50
0x00417a7c
0x00417a82
0x00417a88
0x00417a8b
0x00417a8e
0x00417a8f
0x00417a92
0x00417a52
0x00417a52
0x00417a63
0x00417a6c
0x00417a6c
0x00417a78
0x00417a78
0x00417a97
0x00417a9e
0x00417aa5
0x00417aaa
0x00417aab
0x00417aad
0x00417aaf
0x00417aaf
0x00417aad
0x00417ab5
0x00417aba
0x00417abd
0x00417ac0
0x00417ac1
0x00417ac2
0x00417ac3
0x00417ac8
0x00417acb
0x00417acd
0x00417aeb
0x00417aec
0x00417afd
0x00417b01
0x00417b03
0x00417b4f
0x00417b4f
0x00417b50
0x00417b56
0x00417b59
0x00417b5e
0x00417b63
0x00417b64
0x00417b64
0x00417b05
0x00417b0a
0x00417b0d
0x00417b0e
0x00417b16
0x00417b1a
0x00417b1d
0x00417b22
0x00417b25
0x00417b27
0x00417b29
0x00417b29
0x00417b3c
0x00417b42
0x00417b44
0x00417b4c
0x00000000
0x00417b4c
0x00417b44
0x00417acf
0x00417acf
0x00417ad4
0x00417ad5
0x00417ad6
0x00417ad7
0x00417ad8
0x00417ad9
0x00417adf
0x00417ae7
0x00417ae7
0x00417b6a

APIs

Part of subcall function 0041AC84: _doexit.LIBCMT ref: 0041AC90

___set_flsgetvalue.LIBCMT ref: 00417A3E

Part of subcall function 0041871A: TlsGetValue.KERNEL32(?,00417A43), ref: 00418723
Part of subcall function 0041871A: __decode_pointer.LIBCMT ref: 00418735
Part of subcall function 0041871A: TlsSetValue.KERNEL32(00000000,00417A43), ref: 00418744

___fls_getvalue@4.LIBCMT ref: 00417A49

Part of subcall function 004186FA: TlsGetValue.KERNEL32(?,?,00417A4E,00000000), ref: 00418708

___fls_setvalue@8.LIBCMT ref: 00417A5C

Part of subcall function 0041874E: __decode_pointer.LIBCMT ref: 0041875F

GetLastError.KERNEL32(00000000,?,00000000), ref: 00417A65
ExitThread.KERNEL32 ref: 00417A6C
GetCurrentThreadId.KERNEL32 ref: 00417A72
__freefls@4.LIBCMT ref: 00417A92
__IsNonwritableInCurrentImage.LIBCMT ref: 00417AA5

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 132634196-0
Opcode ID: 59a878c804150c6aee79d0defe103255293982fc60a67c3d91ea100309f4ac37
Instruction ID: a767db3d9a0cbb97adf9c0627760bb36d5894593ed74e0cff43f53381f065771
Opcode Fuzzy Hash: 59a878c804150c6aee79d0defe103255293982fc60a67c3d91ea100309f4ac37
Instruction Fuzzy Hash: 2EE0B671904205A7CF103BF38C4A8DF7A7DAE05399B20042EB92093552EF2DDA9246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00419368, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 28%

			E00419368(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E004192D6(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E00416765(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E00418D53(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_push(_t27);
				_push(_a4);
				_t20 = E00418FBB(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
				if(_t20 != 0) {
					E0041672C(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x00419368
0x00419368
0x00419368
0x00419368
0x00419368
0x0041936d
0x00419371
0x00419373
0x00419376
0x00419377
0x00419378
0x0041937b
0x00419380
0x00419380
0x00419383
0x00419387
0x0041938a
0x0041938f
0x0041938c
0x0041938c
0x0041938c
0x00419392
0x00419397
0x00419399
0x0041939c
0x0041939f
0x004193a0
0x004193a8
0x004193ad
0x004193b1
0x004193b4
0x004193b7
0x004193bd
0x004193be
0x004193c1
0x004193cb
0x004193cf
0x00000000
0x004193cf
0x004193d5

APIs

___BuildCatchObject.LIBCMT ref: 0041937B

Part of subcall function 004192D6: ___BuildCatchObjectHelper.LIBCMT ref: 0041930C

_UnwindNestedFrames.LIBCMT ref: 00419392
___FrameUnwindToState.LIBCMT ref: 004193A0

Strings

csm, xrefs: 00419377, 0041938C, 0041939F, 004193BD, 004193CD

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 63a8c01b2cfbc2af873947d8df69a081f22c1dca01e2e4dd082ec105b9986c10
Instruction ID: e7868efc18412c9e077cac95ed549032f2f14645f1f76b68ebafbd800c385fcd
Opcode Fuzzy Hash: 63a8c01b2cfbc2af873947d8df69a081f22c1dca01e2e4dd082ec105b9986c10
Instruction Fuzzy Hash: B301E831000109BBDF126E52CC45EEB7F6AEF48358F04811AFD28151A1DB7AD9A1DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB73, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040BB73(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t37;

				_push(4);
				E00416B21(E0042198A, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t37 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = 0x4239bc;
				 *((intOrPtr*)(__ecx + 8)) = 0x4239d4;
				 *((intOrPtr*)(__ecx + 0xc)) = 0x4239e8;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x423a54;
				 *((intOrPtr*)(__ecx + 4)) = 0x423a3c;
				 *((intOrPtr*)(__ecx + 8)) = 0x423a28;
				 *((intOrPtr*)(__ecx + 0xc)) = 0x423a14;
				E0040320A(__ecx + 0x14);
				 *((intOrPtr*)(_t37 - 4)) = 0;
				E0040320A(__ecx + 0x48);
				 *((char*)(_t37 - 4)) = 1;
				E0040320A(__ecx + 0x5c);
				 *((intOrPtr*)(__ecx + 0x6c)) = 0;
				 *((intOrPtr*)(__ecx + 0x70)) = 0;
				 *((intOrPtr*)(__ecx + 0x74)) = 0;
				 *((intOrPtr*)(__ecx + 0x78)) = 4;
				 *((intOrPtr*)(__ecx + 0x68)) = 0x423798;
				 *((intOrPtr*)(__ecx + 0x7c)) = 0;
				 *((intOrPtr*)(__ecx + 0x80)) = 0;
				return E00416BF9(__ecx);
			}

0x0040bb73
0x0040bb7a
0x0040bb81
0x0040bb84
0x0040bb8b
0x0040bb92
0x0040bb9b
0x0040bba1
0x0040bba7
0x0040bbae
0x0040bbb5
0x0040bbbc
0x0040bbc4
0x0040bbc7
0x0040bbcf
0x0040bbd3
0x0040bbd8
0x0040bbdb
0x0040bbde
0x0040bbe1
0x0040bbe8
0x0040bbef
0x0040bbf2
0x0040bbff

APIs

__EH_prolog3.LIBCMT ref: 0040BB7A

Strings

(:B, xrefs: 0040BBAE
<:B, xrefs: 0040BBA7
9B, xrefs: 0040BB92

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: H_prolog3
String ID: (:B$<:B$9B
API String ID: 431132790-4150366847
Opcode ID: 5fb88bcb03bd3d23b32fda4363389a208182e758c4177cff56519ff8fdf4f310
Instruction ID: 14911f69345f63bfd26f3c457765aa6d4ab56a5ca1e715dcb9b32a0d5c853c2d
Opcode Fuzzy Hash: 5fb88bcb03bd3d23b32fda4363389a208182e758c4177cff56519ff8fdf4f310
Instruction Fuzzy Hash: 4D01C5F0600B608EC720DF56D04525AFBF4AF54709B80C95F95E697A61C7BCA248CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0041E2B2, Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041E2B2(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E0041B6F9( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E0041E3E3( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E0041AD48(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x0041e2bc
0x0041e2c3
0x0041e2da
0x00000000
0x0041e2ca
0x0041e2cc
0x0041e2e6
0x0041e2eb
0x0041e2ee
0x0041e2f1
0x0041e31a
0x0041e321
0x0041e323
0x0041e3a4
0x0041e3bf
0x0041e3c1
0x0041e301
0x0041e301
0x0041e304
0x0041e306
0x0041e309
0x0041e309
0x0041e309
0x0041e309
0x00000000
0x0041e30f
0x0041e383
0x0041e383
0x0041e388
0x0041e38e
0x0041e391
0x0041e393
0x0041e396
0x0041e396
0x0041e396
0x0041e396
0x00000000
0x0041e39a
0x0041e325
0x0041e328
0x0041e32e
0x0041e331
0x0041e358
0x0041e35b
0x0041e361
0x00000000
0x00000000
0x0041e363
0x0041e366
0x00000000
0x00000000
0x0041e368
0x0041e368
0x0041e36e
0x0041e371
0x0041e2df
0x0041e2df
0x0041e37a
0x00000000
0x0041e37a
0x0041e333
0x0041e336
0x00000000
0x00000000
0x0041e33a
0x0041e34b
0x0041e351
0x0041e353
0x0041e356
0x00000000
0x00000000
0x00000000
0x0041e356
0x0041e2f3
0x0041e2f6
0x0041e2f8
0x0041e2fe
0x0041e2fe
0x00000000
0x0041e2ce
0x0041e2ce
0x0041e2d3
0x0041e2d7
0x0041e2d7
0x00000000
0x0041e2d3
0x0041e2cc

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041E2E6
__isleadbyte_l.LIBCMT ref: 0041E31A
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000), ref: 0041E34B
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 0041E3B9

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: be60e5bc3276526cafd4324fb80848b8e6529c5dcdf0c46daefd0c765e7f89f9
Instruction ID: 06cc490f68b29341d32c057b6d3aa829f801d5644f6318d0223809272f2e9e98
Opcode Fuzzy Hash: be60e5bc3276526cafd4324fb80848b8e6529c5dcdf0c46daefd0c765e7f89f9
Instruction Fuzzy Hash: C3310E34A0028AEFDB20CF66C891DEE7BA5BF01311F1445AAECA48B290D334DD81DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00412D6E, Relevance: 6.1, APIs: 4, Instructions: 87
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00412D6E(intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v16;
				char _v32;
				char _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t28;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr* _t42;
				intOrPtr _t46;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				void* _t60;

				_t42 = __imp__#4;
				_t58 = _a4;
				if( *((char*)(_t58 + 0x118)) != 0) {
					L11:
					_t59 =  *((intOrPtr*)(_t58 + 0x11c));
					 *_a8 =  *_t42(_t59, E00417DDA(_t59));
					__eflags = 0;
					return 0;
				}
				_t56 = _t58 + 0x131;
				if( *_t56 == 0) {
					E00412902(_t42,  &_v56, _t56, _t58, __eflags);
					_t46 =  *((intOrPtr*)(_t58 + 0x6c));
					_v32 =  *_t56;
					 *((intOrPtr*)(_t58 + 0x12c)) = _t46;
					_t28 =  *0x430640; // 0x4c77a8
					__eflags = _t28;
					if(_t28 != 0) {
						 *((intOrPtr*)( *_t28 + 0x28))(_t28, _t46, 8);
					}
					E0040FC41( *((intOrPtr*)(_t58 + 0xbc)));
					_t31 =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0x68))))( &_v56, 0x1f5);
					__eflags = _t31 - 2;
					_t32 =  *0x430640; // 0x4c77a8
					if(_t31 != 2) {
						__eflags = _t32;
						if(_t32 != 0) {
							 *((intOrPtr*)( *_t32 + 0x28))(_t32,  *((intOrPtr*)(_t58 + 0x12c)), 2);
						}
						goto L10;
					} else {
						__eflags = _t32;
						if(__eflags == 0) {
							L10:
							_t57 = _v16;
							E004090CA(_t58 + 0x11c, _t60,  *_t42(_t57, E00417DDA(_t57)));
							_push(_v16);
							 *((char*)(_t58 + 0x118)) = 1;
							L00408BFB(_t42, _t57, _t58, __eflags);
							goto L11;
						}
						 *((intOrPtr*)( *_t32 + 0x28))(_t32,  *((intOrPtr*)(_t58 + 0x12c)), 4);
						_push(_v16);
						L00408BFB(_t42, _t56, _t58, __eflags);
						goto L2;
					}
				}
				L2:
				return 0x80004004;
			}

0x00412d75
0x00412d7c
0x00412d87
0x00412e48
0x00412e48
0x00412e5c
0x00412e5e
0x00000000
0x00412e5e
0x00412d8d
0x00412d96
0x00412da5
0x00412dac
0x00412daf
0x00412db2
0x00412db8
0x00412dbd
0x00412dbf
0x00412dc7
0x00412dc7
0x00412dd0
0x00412de3
0x00412de5
0x00412de8
0x00412ded
0x00412e0c
0x00412e0e
0x00412e1b
0x00412e1b
0x00000000
0x00412def
0x00412def
0x00412df1
0x00412e1e
0x00412e1e
0x00412e33
0x00412e38
0x00412e3b
0x00412e42
0x00000000
0x00412e47
0x00412dfe
0x00412e01
0x00412e04
0x00000000
0x00412e09
0x00412ded
0x00412d98
0x00000000

APIs

_wcslen.LIBCMT ref: 00412E22
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00412E2A
_wcslen.LIBCMT ref: 00412E4F
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00412E57

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: AllocString_wcslen
String ID:
API String ID: 1837159753-0
Opcode ID: 298656c507d06036b1fbaa9dae0638851fbf6b523aa8c6bd6d5c9b9fe53f1b68
Instruction ID: e9c7c381ef061b1e0d686df2e615424e472c72a5b61756d386b86c00ce312959
Opcode Fuzzy Hash: 298656c507d06036b1fbaa9dae0638851fbf6b523aa8c6bd6d5c9b9fe53f1b68
Instruction Fuzzy Hash: 1E31D171200304AFD715DB60D841FEA77B9AF49310F10846EF685D7291CB78ADA1CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409C01, Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00409C01(struct HWND__** __ecx, intOrPtr* _a4) {
				int _t10;
				signed int _t11;
				signed int _t12;
				signed int _t13;
				signed int _t15;
				int _t17;
				struct HWND__** _t25;
				intOrPtr _t26;
				intOrPtr* _t28;

				_t28 = _a4;
				 *(_t28 + 4) =  *(_t28 + 4) & 0x00000000;
				_t25 = __ecx;
				 *((short*)( *_t28)) = 0;
				_t17 = GetWindowTextLengthW( *__ecx);
				if(_t17 != 0) {
					_t10 = GetWindowTextW( *_t25, E00403FA3(_t28, _t17), _t17 + 1);
					_t26 =  *_t28;
					_t11 = E0040116F(_t26);
					 *((short*)(_t26 + _t11 * 2)) = 0;
					 *(_t28 + 4) = _t11;
					if(_t10 != 0) {
						_t12 = 1;
					} else {
						_t13 = GetLastError();
						asm("sbb eax, eax");
						_t12 =  ~( ~_t13);
					}
				} else {
					_t15 = GetLastError();
					asm("sbb eax, eax");
					_t12 =  ~_t15 + 1;
				}
				return _t12;
			}

0x00409c03
0x00409c07
0x00409c0e
0x00409c12
0x00409c1d
0x00409c21
0x00409c3d
0x00409c43
0x00409c48
0x00409c4f
0x00409c53
0x00409c58
0x00409c68
0x00409c5a
0x00409c5a
0x00409c62
0x00409c64
0x00409c64
0x00409c23
0x00409c23
0x00409c2b
0x00409c2d
0x00409c2d
0x00409c6d

APIs

GetWindowTextLengthW.USER32 ref: 00409C17
GetLastError.KERNEL32 ref: 00409C23
GetWindowTextW.USER32 ref: 00409C3D
GetLastError.KERNEL32(?,?,00000000,00000000,00000000), ref: 00409C5A

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ErrorLastTextWindow$Length
String ID:
API String ID: 3440162706-0
Opcode ID: d29d1dabf7f37da445bba4c44006a9e540a00eec02cc97a31967c6722456d859
Instruction ID: 0b3f5f8dc11d9cb6f52a592932b536abcf6f7bd2eff94a09abaf9dd0597dadaa
Opcode Fuzzy Hash: d29d1dabf7f37da445bba4c44006a9e540a00eec02cc97a31967c6722456d859
Instruction Fuzzy Hash: 5E018675714202ABD7205F78D888826B3FCEF59716710443AF447D32A0DF759C128B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0041C958, Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0041C958(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x42a7e0);
				E00417B6C(__ebx, __edi, __esi);
				_t28 = E00418908(__ebx, __edx, __edi, _t30);
				_t13 =  *0x42e020; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E00419EA7(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x42d830; // 0x42d758
					 *((intOrPtr*)(_t29 - 0x1c)) = E0041C91A(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E0041C9C2();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E00418908(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E0041A9FE(_t25, _t26, 0x20);
				}
				return E00417BB1(_t28);
			}

0x0041c958
0x0041c958
0x0041c958
0x0041c958
0x0041c958
0x0041c95a
0x0041c95f
0x0041c969
0x0041c96b
0x0041c973
0x0041c997
0x0041c999
0x0041c99f
0x0041c9a3
0x0041c9a6
0x0041c9b1
0x0041c9b4
0x0041c9bb
0x0041c975
0x0041c975
0x0041c979
0x00000000
0x0041c97b
0x0041c980
0x0041c980
0x0041c979
0x0041c985
0x0041c989
0x0041c98e
0x0041c996

APIs

__getptd.LIBCMT ref: 0041C964

Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918

__getptd.LIBCMT ref: 0041C97B
__amsg_exit.LIBCMT ref: 0041C989
__lock.LIBCMT ref: 0041C999

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 949d4ace6e436c1979df6c52288330fee53b2dc502489d74444a9079756289a3
Instruction ID: cd17e753ec4a28575be3e050727088d2e2c04aa294c6b3e927e7230be7d31612
Opcode Fuzzy Hash: 949d4ace6e436c1979df6c52288330fee53b2dc502489d74444a9079756289a3
Instruction Fuzzy Hash: 30F062B2EA07048AD720BB6688427DD76A06B00718F50415FE454672D1CF3C69C18B5E

Uniqueness

Uniqueness Score: -1.00%

Function 0041224C, Relevance: 6.0, APIs: 4, Instructions: 28
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041224C(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				void* _t20;

				_t20 = __ecx;
				WaitForSingleObject( *(__ecx + 0x1c), 0xffffffff);
				 *(_t20 + 0x14) = CreateEventW(0, 1, 0, 0);
				E00411C40(_t20 + 4,  *((intOrPtr*)(_t20 + 8)), _a8, _a4);
				WaitForSingleObject( *(_t20 + 0x14), 0xffffffff);
				CloseHandle( *(_t20 + 0x14));
				return  *((intOrPtr*)(_t20 + 0xc));
			}

0x00412254
0x0041225b
0x00412275
0x0041227b
0x00412285
0x0041228a
0x00412295

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041225B
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00412264

Part of subcall function 00411C40: PostMessageW.USER32(?,?,?,?), ref: 00411C4E

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00412285
CloseHandle.KERNEL32(?), ref: 0041228A

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventHandleMessagePost
String ID:
API String ID: 1259710111-0
Opcode ID: 688a9044c8813bffc1647393a113ac4df378807a7bac1586038bcedb71cd57a5
Instruction ID: 587c63874120dfd8d7cb41ac1519f56cfecb811f02ec18e29ab156a93c3206fa
Opcode Fuzzy Hash: 688a9044c8813bffc1647393a113ac4df378807a7bac1586038bcedb71cd57a5
Instruction Fuzzy Hash: 3BF0F835104601AFDB31AF25ED04C67BBB9EB847217108A29F8A2926B4CA31A8169B71

Uniqueness

Uniqueness Score: -1.00%

Function 00404EF2, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 171
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404EF2(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed char _t106;
				intOrPtr _t116;
				signed char* _t124;
				void* _t130;
				void* _t141;
				signed int _t159;
				signed int _t161;
				signed int _t162;
				signed char* _t163;
				signed char* _t165;
				signed int _t167;
				void* _t168;

				_t159 = __edx;
				_push(0x5c);
				E00416B8A(E00421117, __ebx, __edi, __esi);
				_t165 =  *(_t168 + 8);
				_t141 = __ecx;
				 *(_t168 - 0x2c) = _t165;
				 *((intOrPtr*)(_t168 - 0x3c)) = E00403D5E( *((intOrPtr*)(__ecx + 0x18)), __edx, __edi);
				E00408B5A();
				E00408A61(_t165,  *((intOrPtr*)(_t168 - 0x3c)));
				_t161 = 0;
				 *(_t168 - 0x30) = 0;
				 *((intOrPtr*)(_t168 - 0x44)) = 0;
				 *((intOrPtr*)(_t168 - 0x48)) = 0;
				if( *((intOrPtr*)(_t168 - 0x3c)) > 0) {
					while(1) {
						 *((intOrPtr*)(_t168 - 0x60)) = 0x423364;
						 *(_t168 - 0x5c) = _t161;
						 *(_t168 - 0x58) = _t161;
						_push(_t168 - 0x68);
						 *(_t168 - 4) = _t161;
						E00404E79(_t141, _t165, _t161, _t165, __eflags);
						 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
						_push(_t161);
						L00408BFB(_t141, _t161, _t165, __eflags);
						_t162 =  *(_t165[0xc] + _t165[8] * 4 - 4);
						_t106 = L00403C4E( *(_t141 + 0x18), _t162);
						_t150 =  *(_t141 + 0x18);
						 *(_t168 - 0x21) = _t106;
						_t167 = _t106 & 0xf;
						E00403C65( *(_t141 + 0x18), _t168 - 0x20, _t167);
						__eflags = _t167 - 8;
						if(_t167 > 8) {
							goto L23;
						}
						__eflags = _t167;
						 *(_t168 - 0x38) = 0;
						 *(_t168 - 0x34) = 0;
						if(_t167 > 0) {
							 *(_t168 - 0x40) = 0;
							 *(_t168 - 0x28) = _t168 + _t167 - 0x21;
							do {
								_t150 =  *(_t168 - 0x40);
								asm("cdq");
								 *(_t168 - 0x38) =  *(_t168 - 0x38) | E00416FA0( *( *(_t168 - 0x28)) & 0x000000ff,  *(_t168 - 0x40), _t159);
								 *(_t168 - 0x34) =  *(_t168 - 0x34) | _t159;
								 *(_t168 - 0x28) =  *(_t168 - 0x28) - 1;
								 *(_t168 - 0x40) =  &(( *(_t168 - 0x40))[8]);
								_t167 = _t167 - 1;
								__eflags = _t167;
							} while (_t167 != 0);
						}
						__eflags =  *(_t168 - 0x21) & 0x00000010;
						 *_t162 =  *(_t168 - 0x38);
						 *(_t162 + 4) =  *(_t168 - 0x34);
						if(( *(_t168 - 0x21) & 0x00000010) == 0) {
							_t116 = 1;
							__eflags = 1;
							 *((intOrPtr*)(_t162 + 0x14)) = 1;
						} else {
							 *((intOrPtr*)(_t162 + 0x14)) = E00403D5E( *(_t141 + 0x18), _t159, _t162);
							_t150 =  *(_t141 + 0x18);
							_t116 = E00403D5E( *(_t141 + 0x18), _t159, _t162);
						}
						__eflags =  *(_t168 - 0x21) & 0x00000020;
						 *((intOrPtr*)(_t162 + 0x18)) = _t116;
						if(( *(_t168 - 0x21) & 0x00000020) != 0) {
							_t167 = E00403D5E( *(_t141 + 0x18), _t159, _t162);
							_t76 = _t162 + 8; // 0x107
							E0040140A(_t76, _t168, _t167);
							_t150 =  *(_t141 + 0x18);
							E00403C65( *(_t141 + 0x18),  *((intOrPtr*)(_t162 + 0x10)), _t167);
						}
						__eflags =  *(_t168 - 0x21) & 0x00000080;
						if(( *(_t168 - 0x21) & 0x00000080) != 0) {
							goto L23;
						} else {
							 *(_t168 - 0x30) =  *(_t168 - 0x30) +  *((intOrPtr*)(_t162 + 0x14));
							 *((intOrPtr*)(_t168 - 0x44)) =  *((intOrPtr*)(_t168 - 0x44)) +  *((intOrPtr*)(_t162 + 0x18));
							 *((intOrPtr*)(_t168 - 0x48)) =  *((intOrPtr*)(_t168 - 0x48)) + 1;
							_t165 =  *(_t168 - 0x2c);
							__eflags =  *((intOrPtr*)(_t168 - 0x48)) -  *((intOrPtr*)(_t168 - 0x3c));
							if( *((intOrPtr*)(_t168 - 0x48)) <  *((intOrPtr*)(_t168 - 0x3c))) {
								_t161 = 0;
								__eflags = 0;
								continue;
							} else {
								goto L1;
							}
						}
						goto L29;
					}
					goto L23;
				} else {
					L1:
					_t163 =  &(_t165[0x14]);
					 *(_t168 - 0x28) =  *((intOrPtr*)(_t168 - 0x44)) - 1;
					E00408B5A();
					_t150 = _t163;
					E00408A61(_t163,  *(_t168 - 0x28));
					_t124 =  *(_t168 - 0x28);
					if(_t124 > 0) {
						 *(_t168 - 0x2c) = _t124;
						do {
							 *(_t168 - 0x38) = E00403D5E( *(_t141 + 0x18), _t159, _t163);
							_t130 = E00403D5E( *(_t141 + 0x18), _t159, _t163);
							_t150 = _t163;
							E00403DE7(_t163,  *(_t168 - 0x38), _t130);
							_t20 = _t168 - 0x2c;
							 *_t20 =  *(_t168 - 0x2c) - 1;
						} while ( *_t20 != 0);
					}
					_t162 =  *(_t168 - 0x30);
					if(_t162 <  *(_t168 - 0x28)) {
						L23:
						E00403C2E(_t150, _t162);
						goto L24;
					} else {
						_t162 = _t162 -  *(_t168 - 0x28);
						_t150 =  &(_t165[0x28]);
						 *(_t168 - 0x2c) =  &(_t165[0x28]);
						E00408A61( &(_t165[0x28]), _t162);
						if(_t162 != 1) {
							__eflags = _t162;
							if(_t162 > 0) {
								do {
									E0040105E( *(_t168 - 0x2c), E00403D5E( *(_t141 + 0x18), _t159, _t162));
									_t162 = _t162 - 1;
									__eflags = _t162;
								} while (_t162 != 0);
							}
						} else {
							_t162 = 0;
							if( *(_t168 - 0x30) > 0) {
								while(1) {
									_t150 = _t165;
									if(E00401237(_t165, _t162) < 0) {
										break;
									}
									_t162 = _t162 + 1;
									if(_t162 <  *(_t168 - 0x30)) {
										continue;
									} else {
									}
									goto L25;
								}
								L24:
								_t150 =  *(_t168 - 0x2c);
								E0040105E( *(_t168 - 0x2c), _t162);
							}
							L25:
							if( *((intOrPtr*)(_t167 + 0x30)) != 1) {
								goto L23;
							}
						}
					}
				}
				L29:
				return E00416C0D(_t141, _t162, _t167);
			}

0x00404ef2
0x00404ef2
0x00404ef9
0x00404efe
0x00404f01
0x00404f06
0x00404f10
0x00404f13
0x00404f1d
0x00404f22
0x00404f24
0x00404f27
0x00404f2a
0x00404f30
0x00404fca
0x00404fca
0x00404fd1
0x00404fd4
0x00404fda
0x00404fdd
0x00404fe0
0x00404fe5
0x00404fe9
0x00404fea
0x00404ff6
0x00404ffd
0x00405002
0x00405008
0x0040500b
0x00405013
0x00405018
0x0040501b
0x00000000
0x00000000
0x00405023
0x00405025
0x00405028
0x0040502b
0x0040502d
0x00405034
0x00405037
0x0040503d
0x00405040
0x00405046
0x00405049
0x0040504c
0x0040504f
0x00405053
0x00405053
0x00405053
0x00405037
0x00405056
0x0040505d
0x00405062
0x00405065
0x0040507e
0x0040507e
0x0040507f
0x00405067
0x0040506f
0x00405072
0x00405075
0x00405075
0x00405082
0x00405086
0x00405089
0x00405093
0x00405096
0x00405099
0x0040509e
0x004050a5
0x004050a5
0x004050aa
0x004050ae
0x00000000
0x004050b0
0x004050b3
0x004050b9
0x004050bc
0x004050c2
0x004050c5
0x004050c8
0x00404fc8
0x00404fc8
0x00000000
0x004050ce
0x00000000
0x004050ce
0x004050c8
0x00000000
0x004050ae
0x00000000
0x00404f36
0x00404f36
0x00404f3a
0x00404f3f
0x00404f42
0x00404f4a
0x00404f4c
0x00404f51
0x00404f56
0x00404f58
0x00404f5b
0x00404f66
0x00404f69
0x00404f72
0x00404f74
0x00404f79
0x00404f79
0x00404f79
0x00404f5b
0x00404f7e
0x00404f84
0x004050d3
0x004050d3
0x00000000
0x00404f8a
0x00404f8a
0x00404f8d
0x00404f91
0x00404f94
0x00404f9c
0x004050e9
0x004050eb
0x004050ed
0x004050f9
0x004050fe
0x004050fe
0x004050fe
0x004050ed
0x00404fa2
0x00404fa2
0x00404fa7
0x00404fad
0x00404fae
0x00404fb7
0x00000000
0x00000000
0x00404fbd
0x00404fc1
0x00000000
0x00000000
0x00404fc3
0x00000000
0x00404fc1
0x004050d8
0x004050d8
0x004050dc
0x004050dc
0x004050e1
0x004050e5
0x00000000
0x004050e7
0x004050e5
0x00404f9c
0x00404f84
0x00405101
0x00405106

APIs

__EH_prolog3_GS.LIBCMT ref: 00404EF9

Part of subcall function 00408A61: __CxxThrowException@8.LIBCMT ref: 00408A8C

Strings

, xrefs: 00405082
d3B, xrefs: 00404FCA

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: Exception@8H_prolog3_Throw
String ID: $d3B
API String ID: 2985221223-198493696
Opcode ID: 54861cfddbe82479a82b6fb9b4487ed767c19b1608e9282edcb7803eb3668c76
Instruction ID: 2a29051ba39229ac5af4f25dd9e29a3bb43660fb59363973aee6b4079977c564
Opcode Fuzzy Hash: 54861cfddbe82479a82b6fb9b4487ed767c19b1608e9282edcb7803eb3668c76
Instruction Fuzzy Hash: 30612E71E006189BCF14EFAAC4819EEBBB5FF54314B10412FE855B7295CB38A951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409724, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00409724(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t33;
				WCHAR* _t35;
				signed int _t36;
				signed int _t40;
				void* _t42;
				void* _t44;
				void* _t46;
				WCHAR* _t55;
				WCHAR* _t58;
				signed short* _t67;
				signed int _t69;
				void* _t71;

				_push(0x30);
				E00416B21(E00421683, __ebx, __edi, __esi);
				_t33 =  *((intOrPtr*)(_t71 + 0xc));
				 *(_t33 + 4) =  *(_t33 + 4) & 0x00000000;
				_t67 =  *(_t71 + 8);
				 *((short*)( *_t33)) = 0;
				_t35 = E0040116F(_t67);
				_t69 =  *_t67 & 0x0000ffff;
				_t55 = _t35;
				if(_t55 < 1 || _t69 == 0x5c || _t69 == 0x2e && (_t55 == 1 || _t55 == 2 && _t67[1] == _t69)) {
					L19:
					_t36 = 1;
					goto L20;
				} else {
					E0040320A(_t71 - 0x18);
					 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
					if(_t55 <= 3 || _t67[1] != 0x3a || _t67[2] != 0x5c) {
						L12:
						if( *((intOrPtr*)(_t71 - 0x10)) <= 0x105) {
							E0040110F(_t71 - 0x18, _t71, 0x105);
						}
						_t55 =  *(_t71 - 0x18);
						_t69 = GetCurrentDirectoryW(0x105, _t55);
						_t40 = E0040116F(_t55);
						_t58 =  &(_t55[_t40]);
						 *_t58 = 0;
						 *(_t71 - 0x14) = _t40;
						if(_t69 == 0 || _t69 > 0x104) {
							_push(_t55);
							L00408BFB(_t55, _t67, _t69, __eflags);
							_t36 = 0;
							L20:
							return E00416BF9(_t36);
						} else {
							_t90 =  *((short*)(_t58 - 2)) - 0x5c;
							if( *((short*)(_t58 - 2)) != 0x5c) {
								E00408670(_t71 - 0x18, 0, _t90, 0x5c);
							}
							goto L18;
						}
					} else {
						if(_t69 < 0x61 || _t69 > 0x7a) {
							if(_t69 <= 0x19) {
								goto L18;
							}
							goto L12;
						} else {
							L18:
							_t42 = E00401647(_t71 - 0x3c, _t71, L"\\\\?\\");
							_push(_t71 - 0x18);
							_push(_t42);
							_push(_t71 - 0x30);
							 *(_t71 - 4) = 1;
							_t44 = E004096A4(_t55, _t67, _t69, _t90);
							_push(_t67);
							_push(_t44);
							_push(_t71 - 0x24);
							 *(_t71 - 4) = 2;
							_t46 = E004096E4(_t55, 0, _t67, _t69, _t90);
							 *(_t71 - 4) = 3;
							E00408639( *((intOrPtr*)(_t71 + 0xc)), _t71, _t46);
							_push( *((intOrPtr*)(_t71 - 0x24)));
							L00408BFB(_t55, _t67, _t69, _t90);
							_push( *((intOrPtr*)(_t71 - 0x30)));
							L00408BFB(_t55, _t67, _t69, _t90);
							_push( *((intOrPtr*)(_t71 - 0x3c)));
							L00408BFB(_t55, _t67, _t69, _t90);
							_push( *(_t71 - 0x18));
							L00408BFB(_t55, _t67, _t69, _t90);
							goto L19;
						}
					}
				}
			}

0x00409724
0x0040972b
0x00409730
0x00409733
0x00409739
0x0040973f
0x00409742
0x00409747
0x0040974a
0x0040974f
0x00409861
0x00409861
0x00000000
0x0040977d
0x00409780
0x00409785
0x0040978c
0x004097b1
0x004097b9
0x004097bf
0x004097bf
0x004097c4
0x004097d0
0x004097d2
0x004097d9
0x004097dc
0x004097df
0x004097e4
0x0040986b
0x0040986c
0x00409872
0x00409863
0x00409868
0x004097f2
0x004097f2
0x004097f7
0x004097fe
0x004097fe
0x00000000
0x004097f7
0x0040979c
0x004097a0
0x004097af
0x00000000
0x00000000
0x00000000
0x00409803
0x00409803
0x0040980b
0x00409813
0x00409814
0x00409818
0x00409819
0x0040981d
0x00409822
0x00409823
0x00409827
0x00409828
0x0040982c
0x00409835
0x00409839
0x0040983e
0x00409841
0x00409846
0x00409849
0x0040984e
0x00409851
0x00409856
0x00409859
0x00000000
0x0040985e
0x004097a0
0x0040978c

APIs

__EH_prolog3.LIBCMT ref: 0040972B
GetCurrentDirectoryW.KERNEL32(00000105,?,00000000,00000030,00409885,004092CF,004092CF,?,004092CF,?,?), ref: 004097C9

Strings

\\?\, xrefs: 00409803

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: CurrentDirectoryH_prolog3
String ID: \\?\
API String ID: 1178058307-4282027825
Opcode ID: 26b88cb7ad327129d7e7fcd7e00729c1e362cdabbfafd732c9d30fcf719cdb45
Instruction ID: 7bce271ab9a2bc83a85faa0d6a69cb040a839cacd886d03d576964d627563978
Opcode Fuzzy Hash: 26b88cb7ad327129d7e7fcd7e00729c1e362cdabbfafd732c9d30fcf719cdb45
Instruction Fuzzy Hash: 3531B172C10215AACB24FBA5C886AEFB778AF15304F10843FE104772E3DB795E858799

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF34, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041DF34() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x4341a0;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x4341a0 = _t5;
				}
				_t6 = E0041AE0D(_t5, 4);
				 *0x433180 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x42dda0;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x42e020) {
							break;
						}
						_t6 =  *0x433180; // 0x22a2120
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x42ddb0;
					do {
						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x4341c0 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x42de10);
					return 0;
				} else {
					 *0x4341a0 = _t26;
					_t6 = E0041AE0D(_t26, 4);
					 *0x433180 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

0x0041df34
0x0041df3c
0x0041df3f
0x0041df4a
0x0041df4c
0x00000000
0x0041df4c
0x0041df41
0x0041df41
0x0041df4e
0x0041df4e
0x0041df4e
0x0041df56
0x0041df5d
0x0041df64
0x0041df84
0x0041df84
0x0041df86
0x0041df92
0x0041df92
0x0041df95
0x0041df98
0x0041dfa1
0x00000000
0x00000000
0x0041df8d
0x0041df8d
0x0041dfa5
0x0041dfa6
0x0041dfa8
0x0041dfae
0x0041dfc2
0x0041dfc8
0x0041dfd2
0x0041dfd2
0x0041dfd4
0x0041dfd7
0x0041dfd8
0x0041dfe4
0x0041df66
0x0041df69
0x0041df6f
0x0041df76
0x0041df7d
0x00000000
0x0041df7f
0x0041df81
0x0041df83
0x0041df83
0x0041df7d

APIs

__calloc_crt.LIBCMT ref: 0041DF56
__calloc_crt.LIBCMT ref: 0041DF6F

Strings

B, xrefs: 0041DF9B

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: __calloc_crt
String ID: B
API String ID: 3494438863-2386870291
Opcode ID: 9f15f0925eca237c65d6fa70714d8e4b72b97ca9536b99fd2ee5f47634c721da
Instruction ID: 57d23638a4b1109f3cac8a2ec3f751d66eb44c115c110b22eca0b43510dbea81
Opcode Fuzzy Hash: 9f15f0925eca237c65d6fa70714d8e4b72b97ca9536b99fd2ee5f47634c721da
Instruction Fuzzy Hash: B411A7B1B08A105BEB188E1DBC406E62781AB94338B64423FF117CB2D0E73CD9C2868D

Uniqueness

Uniqueness Score: -1.00%

Function 004190E1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E004190E1(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t30 = __eflags;
				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E00416A60(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E00418908(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E00418908(_t19, _t26, _t27, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E00416A39(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E00418E79(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x004190e1
0x004190e1
0x004190e1
0x004190e1
0x004190e1
0x004190e4
0x004190ea
0x004190f8
0x004190fe
0x00419106
0x00419112
0x0041911a
0x00419122
0x00419136
0x00419138
0x0041913c
0x00419141
0x00419147
0x00419149
0x0041914b
0x0041914e
0x00000000
0x00419155
0x00419149
0x0041913c
0x00419136
0x00419122
0x00419156

APIs

Part of subcall function 00416A60: __getptd.LIBCMT ref: 00416A66
Part of subcall function 00416A60: __getptd.LIBCMT ref: 00416A76

__getptd.LIBCMT ref: 004190F0

Part of subcall function 00418908: __getptd_noexit.LIBCMT ref: 0041890B
Part of subcall function 00418908: __amsg_exit.LIBCMT ref: 00418918

__getptd.LIBCMT ref: 004190FE

Strings

csm, xrefs: 0041910C

Memory Dump Source

Source File: 00000000.00000002.347125014.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.347100725.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347328428.0000000000423000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347380469.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.347459957.0000000000435000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347500596.0000000000438000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.347555179.0000000000446000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LI180_win-1.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 50699f1a80890500d77e109498acb33ef47d3a8ec0fa8618813f53853dd35842
Instruction ID: 862809d12b44138affb2cba2f23c5514b0f11f00af2c3c7d3a6141e5c4f9d8c0
Opcode Fuzzy Hash: 50699f1a80890500d77e109498acb33ef47d3a8ec0fa8618813f53853dd35842
Instruction Fuzzy Hash: 90014F34801206AAEF349F66E5686EEB7B5AF11351F55481FE08166351CB388DC4CB8D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: LI-180_Installer.exe PID: 6652 Parent PID: 6456 LI-180_Installer.exeCOMMON

Execution Graph

Execution Coverage:	25.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1881
Total number of Limit Nodes:	30

Executed Functions

Function 0040CB30, Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040CBF0,?,?), ref: 0040CB62
GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040CBF0,?,?), ref: 0040CB6B

Part of subcall function 0040C9F8: FindFirstFileW.KERNEL32(00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA2B
Part of subcall function 0040C9F8: FindClose.KERNEL32(00000000,00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA3B

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
String ID:
API String ID: 3216391948-0
Opcode ID: a3ef9113332cd4f103a8e4d8192339c8c971ca8cadefcb096335637e5080e2e5
Instruction ID: 8f8425ef7e003197c548934d68529d5866815bad13d550064fd740d453593948
Opcode Fuzzy Hash: a3ef9113332cd4f103a8e4d8192339c8c971ca8cadefcb096335637e5080e2e5
Instruction Fuzzy Hash: FA119370A042099BDB00EBA5D982AADB3B5EF45304F50057EF514F72D1DB786E05C659

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9F8, Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA2B
FindClose.KERNEL32(00000000,00000000,?,00000000,0040CA56,?,00000001), ref: 0040CA3B

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9e1dfe6f42f38fe5fee79ec9a6cfd20d37323d4e53de93dc210a85409fa04306
Instruction ID: 2d6f6286354a10e5bc494812b8926dfd1e7cb371c99a917dddbeb77f05d97bc8
Opcode Fuzzy Hash: 9e1dfe6f42f38fe5fee79ec9a6cfd20d37323d4e53de93dc210a85409fa04306
Instruction Fuzzy Hash: 8DF0B430600208AFC710FF75CD52A4DB3ECDB443147A00576B404F22C1EA389E00995C

Uniqueness

Uniqueness Score: -1.00%

Function 00424B48, Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834), ref: 00424B63
GetLastError.KERNEL32(00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834), ref: 00424B88

Part of subcall function 00424AC0: FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
Part of subcall function 00424AC0: FileTimeToDosDateTime.KERNEL32 ref: 00424B01

Part of subcall function 00424BBC: FindClose.KERNEL32(?,?,00424B86,00000000,?,?,00000000,00000001,005963FD,00000000,005964DE,?,?,00000000,00000000), ref: 00424BC8

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: 2e5de55aafeed0e3f81a13e10239d89ebfd0b8ad6166b697f13ed275721c6c72
Instruction ID: 129b9a8e3a804e3a0b789ce555aedcb953d3dbc06cbad93d92fb841f598433eb
Opcode Fuzzy Hash: 2e5de55aafeed0e3f81a13e10239d89ebfd0b8ad6166b697f13ed275721c6c72
Instruction Fuzzy Hash: 96E065B6B01130074754ABBE68816AA55C8C9C8375359027FB915DB346D52CCC0647D8

Uniqueness

Uniqueness Score: -1.00%

Function 0082D304, Relevance: 67.4, APIs: 8, Strings: 30, Instructions: 882
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(00858B3C,00000000,0082D434,?,00000000,0082EED8,?,?,?,?,00000028,00000000,00000000), ref: 0082D34C

Strings

$DOLLAR$, xrefs: 0082E1C0, 0082E1E0
<SupportDir>, xrefs: 0082DB3A
</ResourcePath>, xrefs: 0082E9EC
mia.lib, xrefs: 0082D4D6, 0082D512
<Dialogs>, xrefs: 0082EA1D
data\, xrefs: 0082E9FB
<StubData>, xrefs: 0082DEBA
</GlobalLists>, xrefs: 0082E750
.msp, xrefs: 0082E961, 0082E98E, 0082E9C6
dxD, xrefs: 0082E28F
mia, xrefs: 0082DB4D, 0082DB8A
<StubSize>, xrefs: 0082DDFA
mia.tmp, xrefs: 0082DF23, 0082E00D, 0082E71D
</StubData>, xrefs: 0082DF8D
.msi, xrefs: 0082E8C7, 0082E8F4, 0082E92C, 0082ED1E
</SupportDir>, xrefs: 0082DBC2
TRUE, xrefs: 0082E542
</StubSize>, xrefs: 0082DEB0
</SetupSplash>, xrefs: 0082ECEF
<ResourcePath>, xrefs: 0082E8AE
lang.loc, xrefs: 0082D4FB
<SetupSplash>, xrefs: 0082DBCC
</Dialogs>, xrefs: 0082EC7E
<RunScript>, xrefs: 0082ECF9
<InstallAware>, xrefs: 0082DB30
.res, xrefs: 0082D579
<ExtractArchive>, xrefs: 0082E75A
</ExtractArchive>, xrefs: 0082E851
<GlobalLists>, xrefs: 0082DF97
$WILD_DOLLAR$, xrefs: 0082E18C, 0082E1AC

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Version
String ID: </Dialogs>$ </ExtractArchive>$ </GlobalLists>$ </ResourcePath>$ </StubData>$ </StubSize>$ </SupportDir>$ <Dialogs>$ <ExtractArchive>$ <GlobalLists>$ <ResourcePath>$ <StubData>$ <StubSize>$ <SupportDir>$ </SetupSplash>$ <RunScript>$ <SetupSplash>$$DOLLAR$$$WILD_DOLLAR$$.msi$.msp$.res$<InstallAware>$TRUE$data\$dxD$lang.loc$mia$mia.lib$mia.tmp
API String ID: 1889659487-1851809426
Opcode ID: 88da696c5d52c7143d72535e4f61e86aa89cda9e77d0a0f632c86962c6c128fc
Instruction ID: da3f706e8fad9170a8dfdb118e7f0e5f4ab879b6b969e9938d5adb5aa6c1a0e2
Opcode Fuzzy Hash: 88da696c5d52c7143d72535e4f61e86aa89cda9e77d0a0f632c86962c6c128fc
Instruction Fuzzy Hash: 06720F74640214CFCB00FBE9E85594937A5FB85316B50407BFA06FB362DE399C49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C628, Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 174
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040C84D,?,?), ref: 0040C661
lstrcpynW.KERNEL32(?,00000000,00000105,00000000,0040C84D,?,?), ref: 0040C67D
RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,0040C84D,?,?), ref: 0040C6AA
RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,0040C84D), ref: 0040C6CC
RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?), ref: 0040C6EA
RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040C708
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040C726
RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040C744
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000), ref: 0040C784
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001), ref: 0040C7AF
RegCloseKey.ADVAPI32(?,0040C837,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040C830,?,80000001,Software\Embarcadero\Locales), ref: 0040C82A

Strings

Software\Embarcadero\Locales, xrefs: 0040C6A0, 0040C6C2
Software\Borland\Delphi\Locales, xrefs: 0040C73A
Software\Borland\Locales, xrefs: 0040C71C
Software\CodeGear\Locales, xrefs: 0040C6E0, 0040C6FE

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Open$QueryValue$CloseFileModuleNamelstrcpyn
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
API String ID: 512384800-3496071916
Opcode ID: bdac962312e14bf69b4cb6d8ebe2f4f8c797028779bae34ed630296ed3d58d69
Instruction ID: bd9ab06692e8d258f654d8dc2864fdf92ebb3c8a55c2e1fb3935c138dac9bbb8
Opcode Fuzzy Hash: bdac962312e14bf69b4cb6d8ebe2f4f8c797028779bae34ed630296ed3d58d69
Instruction Fuzzy Hash: 62512675A40209FEEB10FB95CD86FAF73ACDB08705F60457BB604F61C1D6B89A448A5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D88C, Relevance: 13.8, APIs: 9, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D944

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1f3db080524931f2a71b78ac2fbcba56dfaf1e55a97ed4bd4606fe5a50a1f930
Instruction ID: f1754b9a30898a739949526b4897abeae061c25df43582866fa3238b20cb1580
Opcode Fuzzy Hash: 1f3db080524931f2a71b78ac2fbcba56dfaf1e55a97ed4bd4606fe5a50a1f930
Instruction Fuzzy Hash: EBA14AB5E002099FDB11DFE8D880BAEB7B5BB48310F14453AE905B7390DB78A949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005A8ED0, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 005A8F2D
SHGetSpecialFolderLocation.SHELL32(00000000,0000002B,?,00000000,005A9083,?,00000000,005A90AD,?,?,?,?,00000000,00000000,?,007D8754), ref: 005A8F33

Strings

CommonFilesDir, xrefs: 005A8FBA
ProgramFilesDir, xrefs: 005A8F9E
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 005A8F89
&, xrefs: 005A8F95

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: DesktopFolderLocationSpecialWindow
String ID: &$CommonFilesDir$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 712084180-1915935699
Opcode ID: e6e4c29796e67ea4c0d594db5d4910fbf98424d5f6c27b1277bb27276f8e460d
Instruction ID: 8033c48627882e4f97e082b97ef3ea09083225c8ea2392c17a415e286cff22ce
Opcode Fuzzy Hash: e6e4c29796e67ea4c0d594db5d4910fbf98424d5f6c27b1277bb27276f8e460d
Instruction Fuzzy Hash: 0F515570A002099FCB14EFA5D8869AEBBF5FF8A304F5184BAF500B7651DB38AD44CB55

Uniqueness

Uniqueness Score: -1.00%

Function 005582B4, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 125
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetKeyboardLayoutList.USER32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0055845F), ref: 0055830A
RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000000,00020019,?,00000040,?), ref: 00558372
RegQueryValueExW.ADVAPI32(?,layout text,00000000,00000000,?,00000200), ref: 005583AC
RegCloseKey.ADVAPI32(?,00558422,00000000,?,00000200), ref: 00558415

Strings

System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 0055835C
layout text, xrefs: 005583A3
dxD, xrefs: 005582E6

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$dxD$layout text
API String ID: 1703357764-864307836
Opcode ID: fb60a5df295c957eb0404e5f092a3a367a012dbe6ae5ca88890075726c5c1705
Instruction ID: 1a5b79140d81652e6158ed355ff87afb49eefd5a88f3e5e2b5d4434e5af8b85a
Opcode Fuzzy Hash: fb60a5df295c957eb0404e5f092a3a367a012dbe6ae5ca88890075726c5c1705
Instruction Fuzzy Hash: EA416874A00209DFDB51DB95C991BAEB7F9FB08308F9040A6E904E7252DB74AE08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 005A7058, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 118
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetPathFromIDListW.SHELL32(0000002B,?), ref: 005A708D
SHGetPathFromIDListW.SHELL32(0000002B,?), ref: 005A709E
LoadLibraryW.KERNEL32(shell32.dll,00000000,005A71B5,?,?,?,?,00000003,00000000,00000000,?,005A901E,00000000,0000002B,?,00000000), ref: 005A70E3
FreeLibrary.KERNEL32(?,?,SHGetPathFromIDListW,shell32.dll,00000000,005A71B5,?,?,?,?,00000003,00000000,00000000,?,005A901E,00000000), ref: 005A7117
GetShortPathNameW.KERNEL32 ref: 005A7123

Part of subcall function 0042483C: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852

Strings

SHGetPathFromIDListW, xrefs: 005A70EF
shell32.dll, xrefs: 005A70DE

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Path$FromLibraryList$AttributesFileFreeLoadNameShort
String ID: SHGetPathFromIDListW$shell32.dll
API String ID: 1716935149-4041819787
Opcode ID: 67e6b3a5649a6259728fbc9b5a399fb55a16764e01cf6bdf8cd1fb77ff14f941
Instruction ID: f24a0c27f4c5aba1ac8d85e4b6caa0744ba60476e8af1ded39079c374a10dff6
Opcode Fuzzy Hash: 67e6b3a5649a6259728fbc9b5a399fb55a16764e01cf6bdf8cd1fb77ff14f941
Instruction Fuzzy Hash: BE41FF75B0420DABDB00EBA5CC429DEB7F9FF89308F51446AF500A7256DA789E05CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042483C, Relevance: 9.1, APIs: 6, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852
CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,00000001,0042498E,00000000,004249F7), ref: 00424891
CloseHandle.KERNEL32(00000000,00000000,80000000,00000001,00000000,00000003,02000000,00000000,00000000,?,?,?,?,00000001,0042498E,00000000), ref: 0042489C
GetLastError.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 004248E3

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: File$AttributesCloseCreateErrorHandleLast
String ID:
API String ID: 2927643983-0
Opcode ID: 020176eec5d6f42be7d37591b5f78666e78e28d94eb01a82540cde32f1bc8a49
Instruction ID: dd33b6b9f81e07856ee37e0e43e0baa8863c9efe5c1a136613ce728169e39ad2
Opcode Fuzzy Hash: 020176eec5d6f42be7d37591b5f78666e78e28d94eb01a82540cde32f1bc8a49
Instruction Fuzzy Hash: 6511A379B5527828F53031B96C87BBB1149CBC2324FF9162BFB66BA2D1C19C5CC1611E

Uniqueness

Uniqueness Score: -1.00%

Function 0040345C, Relevance: 9.0, APIs: 7, Instructions: 298
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 00403513
Sleep.KERNEL32(0000000A,00000000), ref: 00403529
Sleep.KERNEL32(00000000), ref: 00403557
Sleep.KERNEL32(0000000A,00000000), ref: 0040356D

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8a9437801f9726fcd377f658ca86df32b8242f6e17eb2e341aa84f4ed14406a7
Instruction ID: 42d35f8e0f18d475b3391309c2a26d93bbc44a93d282e8ffa7c4ba0988d3562c
Opcode Fuzzy Hash: 8a9437801f9726fcd377f658ca86df32b8242f6e17eb2e341aa84f4ed14406a7
Instruction Fuzzy Hash: 8AC157B66017508FCB15CF28D888316BFA8BB86311F1882BFD4549B3D5D778DA81C789

Uniqueness

Uniqueness Score: -1.00%

Function 00424594, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 004245CE
GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424631
GetLastError.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424640
FileTimeToLocalFileTime.KERNEL32(?,FB,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424683

Part of subcall function 004227FC: GetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00422849
Part of subcall function 004227FC: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000,00000001), ref: 0042287B
Part of subcall function 004227FC: CloseHandle.KERNEL32(000000FF,004228C4,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00000000,00000001), ref: 004228B7

Strings

FB, xrefs: 0042467E, 00424681

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: File$Attributes$Time$CloseCreateErrorHandleLastLocal
String ID: FB
API String ID: 3059364927-3670039715
Opcode ID: 084c55364e15af505346aa0fcec3a07071e2199f11905a4858fbf33acedc5931
Instruction ID: c1c51cff1122fcdef559ddd5f11acc2f09dee7b976e9a9c955d108d858b7bfa2
Opcode Fuzzy Hash: 084c55364e15af505346aa0fcec3a07071e2199f11905a4858fbf33acedc5931
Instruction Fuzzy Hash: 0631C971B00228ABDB10EBA5E981BEEB7A9EF85304F95016AF800E7381D77C5E058658

Uniqueness

Uniqueness Score: -1.00%

Function 004247A4, Relevance: 7.6, APIs: 5, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 004247B5
GetLastError.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 0042480E

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 11423a4d9bf119b3a4665024e0baf30563eacf8fdec8ac240d4fb1c256c0a377
Instruction ID: df278c05cb5f3b8655f05b97a3e56c02e352920f00e9e136846d1621e0c97303
Opcode Fuzzy Hash: 11423a4d9bf119b3a4665024e0baf30563eacf8fdec8ac240d4fb1c256c0a377
Instruction Fuzzy Hash: C001D43D3602F064DA3431793C867BA4585CFC67A8FB4191BFB62A72E1D78D4843A16E

Uniqueness

Uniqueness Score: -1.00%

Function 00424BD8, Relevance: 7.5, APIs: 5, Instructions: 41
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BE8
GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BF7
GetFileAttributesW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000), ref: 00424BFF
RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C1A
SetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C28

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
String ID:
API String ID: 2814369299-0
Opcode ID: 0605bdfd3c34e5159f7918a983dba767ee52ea09f489b57a14fd5e5a3ae7dc66
Instruction ID: 57235278477e78b329d2ce1c3220feee781b43d13fc81f95c73842f3904e5c96
Opcode Fuzzy Hash: 0605bdfd3c34e5159f7918a983dba767ee52ea09f489b57a14fd5e5a3ae7dc66
Instruction Fuzzy Hash: 03F0A76134365119DA10767F28C1EFE114CC9827AFB510B3BFA51D26E2DD5D4C46415D

Uniqueness

Uniqueness Score: -1.00%

Function 0076889C, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenListArchive.MIA.LIB(00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D,?,00000000), ref: 007689D5
CloseListArchive.MIA.LIB(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D), ref: 00768AAF

Part of subcall function 005C9660: FileTimeToLocalFileTime.KERNEL32(00000000,00768B1D,?,?), ref: 005C9677
Part of subcall function 005C9660: FileTimeToDosDateTime.KERNEL32 ref: 005C9688

GetLastArchiveError.MIA.LIB(00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00768AE8,?,00000000,00768B1D,?,00000000), ref: 00768AC2

Strings

0, xrefs: 00768AA0

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Time$File$Archive.List$ArchiveCloseDateError.LastLocalOpen
String ID: 0
API String ID: 727730911-4108050209
Opcode ID: 39598fb801144715d430ed12939dcc739c85c6989a4db3fca13b0d22688b50b9
Instruction ID: e403871301572a310c12965a92a8fe37dd2a7e1fb090b3dc838229259ec1f960
Opcode Fuzzy Hash: 39598fb801144715d430ed12939dcc739c85c6989a4db3fca13b0d22688b50b9
Instruction Fuzzy Hash: 8D811870A00209DFCB01DF99D985ADEBBB6FF48304F54416AF805AB261CB78AD45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00595CDC, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\*.*, xrefs: 00595D67

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: \*.*
API String ID: 1974802433-1173974218
Opcode ID: 3be14c2d8d1d77d037142b6a1f9ff44d141089ae18a6a13563cfbc3b435fd6d6
Instruction ID: 1e61872390994e0bab9c5eff1998993cabc17d9ce8fbc3022cf4e5f77fadce7f
Opcode Fuzzy Hash: 3be14c2d8d1d77d037142b6a1f9ff44d141089ae18a6a13563cfbc3b435fd6d6
Instruction Fuzzy Hash: D4613B74A0462A9BDF61EB65CC4AB8CBBB5BB44304F5041EAF40CB2291EB355F958F09

Uniqueness

Uniqueness Score: -1.00%

Function 0047725C, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(00000000,?,?,?,005A723E,00000000,005A725E,?,?,00000000,?,0082D4AC,?,00000000,0082EED8), ref: 00477263
GetTempPathW.KERNEL32(00000104,00000000,00000000,?,?,?,005A723E,00000000,005A725E,?,?,00000000,?,0082D4AC,?,00000000), ref: 00477281
GetLongPathNameW.KERNEL32(00000000,00000000,00000000), ref: 00477298
GetLongPathNameW.KERNEL32(00000000,00000000,00000000), ref: 004772AB

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Path$LongName$ErrorLastTemp
String ID:
API String ID: 1475991060-0
Opcode ID: c1a9d14916921fc4882005c76447c95ddc0c88a49f784e3c695ba513b2c89dbf
Instruction ID: e88bcbabdb9f1ec4bc983cdfe1743da0a5c73edf8f11bfb8c4fa61ea373dfb0a
Opcode Fuzzy Hash: c1a9d14916921fc4882005c76447c95ddc0c88a49f784e3c695ba513b2c89dbf
Instruction Fuzzy Hash: 0AF03031B0421117E610776B8C82FAB11D8CF82B99F40447FB604EF2D7D8BC8C4542AE

Uniqueness

Uniqueness Score: -1.00%

Function 0076839C, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExtractArchive.MIA.LIB(00000000,00000001,00000000,?,00000001,00000000,?,00000000,00000000,00000000), ref: 0076860B
GetLastArchiveError.MIA.LIB(00000000,00000001,00000000,?,00000001,00000000,?,00000000,00000000,00000000), ref: 00768614

Strings

dxD, xrefs: 00768481

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: ArchiveArchive.Error.ExtractLast
String ID: dxD
API String ID: 1514603430-650693785
Opcode ID: 9167f4d3a05935a17020eb8cb35b6a608bd2706dc96001d593abfc4359c4743e
Instruction ID: e79ef44e2278ca16fdd0482ddfc8cc6e64af0794872f75f7ec4b65b490efbfd6
Opcode Fuzzy Hash: 9167f4d3a05935a17020eb8cb35b6a608bd2706dc96001d593abfc4359c4743e
Instruction Fuzzy Hash: 2AB14C70A002099FDB00DFA9D985BDEBBB5FF48314F10816AF811A7392DB38AD45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0047DB18, Relevance: 4.6, APIs: 3, Instructions: 150registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DB91
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DC07
RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0047DC78

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8b87bbcb1c312638584391afb04638c45478a71692b4e24da6abdee90267953f
Instruction ID: 57266824f2d932d1ce5c4895c05120650e97fd81b45d18efe785b2f0bbc7b4cb
Opcode Fuzzy Hash: 8b87bbcb1c312638584391afb04638c45478a71692b4e24da6abdee90267953f
Instruction Fuzzy Hash: 28514030F10208AFDB12EBA5C942BDEB7F9AF48304F15846EA459E3382D6799F05D749

Uniqueness

Uniqueness Score: -1.00%

Function 00408B54, Relevance: 4.6, APIs: 3, Instructions: 92threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00408B85
FreeLibrary.KERNEL32(00400000,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00408C26
ExitProcess.KERNEL32(00000000,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00408C62

Part of subcall function 00408ABC: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AF5
Part of subcall function 00408ABC: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AFB
Part of subcall function 00408ABC: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?), ref: 00408B16
Part of subcall function 00408ABC: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75), ref: 00408B1C

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
String ID:
API String ID: 3490077880-0
Opcode ID: 10eb5ef3f6e2d49a959dfc251fea70abf38e8027b0972acb9da723768b44e474
Instruction ID: 7c56cf2e3186582e7483b00cd751aa50e1ff6530cd52687d5d3be0a2d44efa3c
Opcode Fuzzy Hash: 10eb5ef3f6e2d49a959dfc251fea70abf38e8027b0972acb9da723768b44e474
Instruction Fuzzy Hash: AF311970604B058AEB21AB798A5971B76F0AB55314F14093FE1C1A33D2DF7CA884CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00461CF4, Relevance: 4.6, APIs: 3, Instructions: 76threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0046169C,00000004,00461694,?,?,?,?,?,?,?,?,?,?,00000000,00461DC8), ref: 00461D6C
GetCurrentThread.KERNEL32 ref: 00461DA2
GetCurrentThreadId.KERNEL32 ref: 00461DAA

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CurrentThread$ErrorLast
String ID:
API String ID: 4172138867-0
Opcode ID: 46be740d89cc69737b72f33ab050cef0d7a29825237ef2d781c410190c1712a5
Instruction ID: d81d373b76c93451c357402c9e60c1bf6b253b3e0664b98a1242fea6a3051ec2
Opcode Fuzzy Hash: 46be740d89cc69737b72f33ab050cef0d7a29825237ef2d781c410190c1712a5
Instruction Fuzzy Hash: 9F2103709047556EC301DB76CC41AAABBA9BB45304F48852FE850977E1EB7CB814CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004062B0, Relevance: 4.6, APIs: 3, Instructions: 69fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000,?,?,00000000,004063A9,0081861A,00000000,008186D2), ref: 0040634C
GetStdHandle.KERNEL32(000000F5,?,?,00000000,004063A9,0081861A,00000000,008186D2,?,?,?,00000000,?,0082D52D,00000000,00000000), ref: 0040636C
GetLastError.KERNEL32(000000F5,?,?,00000000,004063A9,0081861A,00000000,008186D2,?,?,?,00000000,?,0082D52D,00000000,00000000), ref: 00406380

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CreateErrorFileHandleLast
String ID:
API String ID: 1572049330-0
Opcode ID: 0ecfb6fcaf6b047c2c800e5ce5bba984b39c90ca47f7306dcbf0570d46417eb6
Instruction ID: a368fc4e3039d73de16522235d6a327499955573feef45f3402d5cf96f548e90
Opcode Fuzzy Hash: 0ecfb6fcaf6b047c2c800e5ce5bba984b39c90ca47f7306dcbf0570d46417eb6
Instruction Fuzzy Hash: DD1105612002008AE724AF58888871B7659EF81314F2AC37BEC0ABF3D5D67DCC5187EE

Uniqueness

Uniqueness Score: -1.00%

Function 0047E88C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0047E8B7

Strings

CommonFilesDir, xrefs: 0047E88C

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: CommonFilesDir
API String ID: 3660427363-2265253956
Opcode ID: 251a255d2a67f89b6c844501079f28390cd893444f6671e183e0700de479fd03
Instruction ID: 4adf3590c5a9773202cffc0e1bc81eb7fd8e28232d7c0278d08eb1294601ee21
Opcode Fuzzy Hash: 251a255d2a67f89b6c844501079f28390cd893444f6671e183e0700de479fd03
Instruction Fuzzy Hash: AE015275A00208AFC700EFA9DC81ADAB7A8DB49714F00816AF918D7342D6349E0487A9

Uniqueness

Uniqueness Score: -1.00%

Function 0047E294, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,0047E2FC,?,?,CommonFilesDir,00000000,0047E2FC), ref: 0047E2C5

Strings

CommonFilesDir, xrefs: 0047E295

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: CommonFilesDir
API String ID: 3660427363-2265253956
Opcode ID: 3028f5571a06ce3ac170fd1c26d1d7cab3a52f1c5851f32da90a4e8d191c3a6b
Instruction ID: d6b6cd4c5dc22c8d45e1f2ef645a66dda0b0fdbf6d8587e89431dd27c8b70314
Opcode Fuzzy Hash: 3028f5571a06ce3ac170fd1c26d1d7cab3a52f1c5851f32da90a4e8d191c3a6b
Instruction Fuzzy Hash: 59F030767041006FD704EA6E9C81F9B67DCDB88714F10843FB25CD7242D928CC058369

Uniqueness

Uniqueness Score: -1.00%

Function 0047D9E4, Relevance: 3.1, APIs: 2, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DAF5,?,?,00000000), ref: 0047DA5E
RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,0047DAF5,?,?,00000000), ref: 0047DA98

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 9a1e1138cb2937812503d6dad519492d49e6a590dd7c3e42ad58e0a73a4d9705
Instruction ID: 15b4c6f32ebf0bcf6cadd7e3f265dedb114a34a479296194b3a9dab7f0d7ab52
Opcode Fuzzy Hash: 9a1e1138cb2937812503d6dad519492d49e6a590dd7c3e42ad58e0a73a4d9705
Instruction Fuzzy Hash: 92318130F14208AFDB11EBA5C842BDEB3F9AF48304F5084BAA419E7282D6789F058759

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBFC, Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNEL32(00000000,0040CD09,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CD92,00000000,?,00000105), ref: 0040CC9D
GetSystemDefaultUILanguage.KERNEL32(00000000,0040CD09,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CD92,00000000,?,00000105), ref: 0040CCC5

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: DefaultLanguage$SystemUser
String ID:
API String ID: 384301227-0
Opcode ID: 069904bf99abfa0b83b546b1ed0fe6070e1295d5b798fc899ff7ce37847dbfdb
Instruction ID: 5ac65596fced7b910d67bbfefc63cc881f334f4f39f389ce6e4f5fa3aa301617
Opcode Fuzzy Hash: 069904bf99abfa0b83b546b1ed0fe6070e1295d5b798fc899ff7ce37847dbfdb
Instruction Fuzzy Hash: D9312F30A14209DFDB10EBA9C8C2AAEB7B5EF49304F50467BE404B32D1DB789D419B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405484, Relevance: 3.1, APIs: 2, Instructions: 61fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,?,00000000,?,0040552D,00000064,00402B50,0000D7B1,?,00000000), ref: 004054AE
GetLastError.KERNEL32(?,0040552D,00000064,00402B50,0000D7B1,?,00000000,?,00818654,00000000,00000000,008186D2,?,?,?,00000000), ref: 004054B5

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 0144cffe5f4022dbbfa19f28a62694fccd9d9f384b429aeac51538f4cc221b03
Instruction ID: 58043fc211e287150baae9057470d61647ca602fe4124a230def75f4c210350d
Opcode Fuzzy Hash: 0144cffe5f4022dbbfa19f28a62694fccd9d9f384b429aeac51538f4cc221b03
Instruction Fuzzy Hash: FC112E71704508EFCB40DF69D981A9FB7E9EB98314B108477E809EB284E634EE00DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD18, Relevance: 3.1, APIs: 2, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A,?,00000000,0040BB41), ref: 0040CD54
LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A), ref: 0040CDA5

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: FileLibraryLoadModuleName
String ID:
API String ID: 1159719554-0
Opcode ID: f49f288b91f74fcd056493bfe9f938fb0be1b07c46389491cba556945b7e8bda
Instruction ID: f95f1c7a7be229697cbd4194ea68f03b1ad684dc9f70ad0e1a70e9e9ecd67c69
Opcode Fuzzy Hash: f49f288b91f74fcd056493bfe9f938fb0be1b07c46389491cba556945b7e8bda
Instruction Fuzzy Hash: 7A115130A4421C9BDB14EB50C986BDE77B9DB48304F5145BAB508F32D1DA785F848A99

Uniqueness

Uniqueness Score: -1.00%

Function 00424B98, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(?,?,00000001,00596489,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834,?,?), ref: 00424BA3
GetLastError.KERNEL32(?,?,00000001,00596489,00000000,005964DE,?,?,00000000,00000000,?,00596671,?,00596834,?,?), ref: 00424BB5

Part of subcall function 00424AC0: FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
Part of subcall function 00424AC0: FileTimeToDosDateTime.KERNEL32 ref: 00424B01

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 249219fde11eba4d8f0847427deaa5469a8e1ed67c38deb41bcea90f0b7b4556
Instruction ID: 94c3d661e99e19b0cf242ad5cc108513695bb429cd69848a77f49ac234955743
Opcode Fuzzy Hash: 249219fde11eba4d8f0847427deaa5469a8e1ed67c38deb41bcea90f0b7b4556
Instruction Fuzzy Hash: D6C012E2300100574B40AFF6A8C1A9722CC5E8820535805ABBA15CA307DE1DD4504618

Uniqueness

Uniqueness Score: -1.00%

Function 00406778, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32(000004E4,?), ref: 00406833

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: ByteLead
String ID:
API String ID: 535570690-0
Opcode ID: 2f1cb644fb499c63dc5b30d7fec0a20aa9a1c674713672119258b17d28bc32fe
Instruction ID: 90b6fd22d809609ea3004cdd2524d420e27ac6550840b70b8a809d14a669ba94
Opcode Fuzzy Hash: 2f1cb644fb499c63dc5b30d7fec0a20aa9a1c674713672119258b17d28bc32fe
Instruction Fuzzy Hash: 93317C35904184DFDB00D7A8C289BEE7BF1AB11300F1A40F6E845BB2C3D2799F59A715

Uniqueness

Uniqueness Score: -1.00%

Function 0047DB14, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047DCDB,?,?,00000000), ref: 0047DB91

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 00dcda4b3357fe27e592dec70060977e4b8871651b2a585f5acb668b467a1053
Instruction ID: f23ec4b5702853a7ea5987bf2f7fdd18b2bb3f750e5d560e0cf6f6033a68423a
Opcode Fuzzy Hash: 00dcda4b3357fe27e592dec70060977e4b8871651b2a585f5acb668b467a1053
Instruction Fuzzy Hash: 4821A330F14204AFDB12EB65C952BDEB7F99F48304F2184BEA409E3682D6789E059749

Uniqueness

Uniqueness Score: -1.00%

Function 00451E48, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,00000000,0000000A,00000000,?,00000000,?,?,00452014,00000000,0045202C,?,0000FFA4,00000000,00000000), ref: 00451E6A

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 4159ebc1ff9f4fa63e2dc2a99cbc1145e40678475c0226c159b9e0146ed05156
Instruction ID: d8758b5084b721e2e7b8f07ffa62b5cfea11b7d3667cb77975f3ea63007917f4
Opcode Fuzzy Hash: 4159ebc1ff9f4fa63e2dc2a99cbc1145e40678475c0226c159b9e0146ed05156
Instruction Fuzzy Hash: 8801D4313083006BD700DF66EC82E6BB7EDEB89719711047AFD00D7292DA7A9C049658

Uniqueness

Uniqueness Score: -1.00%

Function 0047E93C, Relevance: 1.6, APIs: 1, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,0047E9C2), ref: 0047E9A7

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d175568d259705272e6aa47e86a25d25f43ae7f404f24f7bcc6ed7cf32099ec8
Instruction ID: 6c2b064bdfea16977048b204395c2f05d037ce64966bcf41a7dd1988fe17c46e
Opcode Fuzzy Hash: d175568d259705272e6aa47e86a25d25f43ae7f404f24f7bcc6ed7cf32099ec8
Instruction Fuzzy Hash: 2701B971B00608AFD700EB66C852ADE73ECDB4C304F5040BAB509E3292EA389E048658

Uniqueness

Uniqueness Score: -1.00%

Function 00408CE0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00408D3A

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 29575488970f715b17986a15caf58521d83e83b8c7794ca887fe32ca52364b9b
Instruction ID: ef301df739cc694c572c5ee0b50773967ece18fc2577e6befe398edb865a9ec1
Opcode Fuzzy Hash: 29575488970f715b17986a15caf58521d83e83b8c7794ca887fe32ca52364b9b
Instruction Fuzzy Hash: A6015E72B04214AFDB41DB9D9884B4AB7ECAB98360F10817AF548E73D1DA749D408B68

Uniqueness

Uniqueness Score: -1.00%

Function 00408790, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,004087DE,?,00841054,00843B18,00000000,?,00408BF6,?,?,?,?,00408C8A,004049FB,00404A42), ref: 004087CE

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 669d9c16f68d7d69e55c837bd1127b50049780d4758f6d47d6ce2fb4150e7957
Instruction ID: 3416b5ca3d522f064810a6436f6233d91ae6f526f1053d7af4a84366dc213eb1
Opcode Fuzzy Hash: 669d9c16f68d7d69e55c837bd1127b50049780d4758f6d47d6ce2fb4150e7957
Instruction Fuzzy Hash: 0BF09036205B159ED3214F1AAE80A13FBECF749760BB5413FD844A3B96DA349800C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 00423014, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000400,00000001,00000000,?,00000000,?,?,00000001,0042C450,00000000,0042C3AF,?,00000000,0042C40D), ref: 0042304B

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 1367ec480eb4cb0b958e952430911fc2e6c6f941ff26b9b5787ef9433decb0e0
Instruction ID: 7d4b6c6e5e0bed3a7d05330ec8cb189f96d8e7c295e251969e5bd50bfcc166b6
Opcode Fuzzy Hash: 1367ec480eb4cb0b958e952430911fc2e6c6f941ff26b9b5787ef9433decb0e0
Instruction Fuzzy Hash: 70E0D8B37413652BE92099AE5CC1FB7669CCB897A6B05017AFF04F7346C9595C0141B4

Uniqueness

Uniqueness Score: -1.00%

Function 0059EC3C, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,0059EC8D,?,00000001,?,?,0082DB80,?,mia,.res,00000000,00000000,00000000,?,00000000), ref: 0059EC63

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4fcf3b4a5b7900d620859b366189a173618c0baed1ed45520c03ae6a57b3418a
Instruction ID: 270be10a341e33f11dd85db8b8dc784368f0353ba6e026200a026ced54a91c08
Opcode Fuzzy Hash: 4fcf3b4a5b7900d620859b366189a173618c0baed1ed45520c03ae6a57b3418a
Instruction Fuzzy Hash: AEF0E530604208FEDF44EB79CE53CAD7BECFB097187A0097AF450E26E1D6396E04A518

Uniqueness

Uniqueness Score: -1.00%

Function 004246D0, Relevance: 1.5, APIs: 1, Instructions: 31timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00424594: GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 004245CE
Part of subcall function 00424594: GetFileAttributesExW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424631
Part of subcall function 00424594: GetLastError.KERNEL32(00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424640
Part of subcall function 00424594: FileTimeToLocalFileTime.KERNEL32(?,FB,00000000,00000000,?,00000000,004246C0,?,00000000,00000000,?), ref: 00424683

FileTimeToDosDateTime.KERNEL32 ref: 004246F9

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: File$Time$Attributes$DateErrorLastLocal
String ID:
API String ID: 663141457-0
Opcode ID: 277bbfe9d65a59bbddf6dd17e79c36de28946aecbf085cc2aac3b5beac8cee4c
Instruction ID: e04da985f904ea9dfe94d092605b8332e34c08d2116ba371cb577d0f9109872a
Opcode Fuzzy Hash: 277bbfe9d65a59bbddf6dd17e79c36de28946aecbf085cc2aac3b5beac8cee4c
Instruction Fuzzy Hash: 5FF0E535A0020DA78F10CED898808DEB3A8DA86328F604793E934E7281EB369F049794

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAD4, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,0000020A,?,00000000,0040BB41,0041E298,0041E29C,?,0040D5A0), ref: 0040BAF2

Part of subcall function 0040CD18: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A,?,00000000,0040BB41), ref: 0040CD54
Part of subcall function 0040CD18: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CDD2,?,?,00000000,?,0040BB00,?,?,0000020A), ref: 0040CDA5

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: FileModuleName$LibraryLoad
String ID:
API String ID: 4113206344-0
Opcode ID: e9047e7e718f9a5106684697ebfde9e3f407d95ad0ce6d1c0455f8f31703f4f1
Instruction ID: a88651896b0ed3a23ea67229964229f1848bdffbb32de574980f9bf0ab694c8b
Opcode Fuzzy Hash: e9047e7e718f9a5106684697ebfde9e3f407d95ad0ce6d1c0455f8f31703f4f1
Instruction Fuzzy Hash: 01E0C971A003109BDB10DE58C9C5A5637A4AF49754F044666AD14EF38AD375D91087D5

Uniqueness

Uniqueness Score: -1.00%

Function 004250E4, Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000001,004249D2,00000000,004249F7,?,?,00000000,00000000,00000000,00000000,?,0082D4D3,?,00000000), ref: 004250F1

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 383a688f34737a12b868ed746cb1ae341d81b257cb3ad43e14afc6877cde684f
Instruction ID: 8f43151b22b1469bfb9e70a166b3f2c49ff5d4be4b49b84714ba4ddc6eb884e8
Opcode Fuzzy Hash: 383a688f34737a12b868ed746cb1ae341d81b257cb3ad43e14afc6877cde684f
Instruction Fuzzy Hash: 4CB092A27942402AEA0036BA0CC2B6A00CDD79860AF10083AB602D6193E47AC8440014

Uniqueness

Uniqueness Score: -1.00%

Function 0040717C, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00408BE6,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00407184

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6a3c7b9f1797a488de21e861749322422cbf90c3622f26d40c67571f13affa8d
Instruction ID: 41ba22d18321cb76633606a16cf5ad3b717cdc5a2f3560622911eff0241e057f
Opcode Fuzzy Hash: 6a3c7b9f1797a488de21e861749322422cbf90c3622f26d40c67571f13affa8d
Instruction Fuzzy Hash: 34B01270A000415BCE008A11C54C4557B515B5130C31000A4C8018F3D0CE27A804C701

Uniqueness

Uniqueness Score: -1.00%

Function 00464CE8, Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,00000000,00000000,?,?,0058503C,005874F0,?,00000000,0058512B,?,00000000,?), ref: 00464D06

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 09c544327ed3e2257745a0b1e5b614fcc5909a1661039ce2c3f127fb09c38e11
Instruction ID: 414783f545f013a41a00390d3318c56245cd632fceaf0a69517d536ab90c3cc3
Opcode Fuzzy Hash: 09c544327ed3e2257745a0b1e5b614fcc5909a1661039ce2c3f127fb09c38e11
Instruction Fuzzy Hash: 85115E746007058BC710DF1AD880B42FBE5FF89750F10C53AEA598B385E374E915CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403144, Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00403757), ref: 0040315A

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f216b6ceb9f08cfb8ecaa4418ae988c501d28e156bbf7e1e539a0e26d76dff0d
Instruction ID: eaab0908dca398bdff0d631121814ce98026ab15d171e95ea26a12bb78313901
Opcode Fuzzy Hash: f216b6ceb9f08cfb8ecaa4418ae988c501d28e156bbf7e1e539a0e26d76dff0d
Instruction Fuzzy Hash: 1EF04FB5B422004BDB14CF798D49302BAD6B78A305F10817EE509DB79CDB748446CB00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040C434, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 151stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000), ref: 0040C451
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040C462
lstrcpynW.KERNEL32(?,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,?,00000000,00000105), ref: 0040C492
lstrcpynW.KERNEL32(?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001,Software\Embarcadero\Locales,00000000,000F0019), ref: 0040C501
lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830,?,80000001), ref: 0040C549
FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000,0040C830), ref: 0040C55C
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F,00000000), ref: 0040C572
lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?,?,?,0040C76F), ref: 0040C57E
lstrcpynW.KERNEL32(0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298,?), ref: 0040C5BA
lstrlenW.KERNEL32(?,0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,0041E298), ref: 0040C5C6
lstrcpynW.KERNEL32(?,0000005C,?,?,0000005A,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 0040C5E9

Strings

GetLongPathNameW, xrefs: 0040C45C
\, xrefs: 0040C590
kernel32.dll, xrefs: 0040C44C

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameW$\$kernel32.dll
API String ID: 3245196872-3908791685
Opcode ID: b04ba5caedf144eeb875c5d634dacea720d2e9b1876c80ca577194fcfae269f7
Instruction ID: 76c12ef7d0d67687ef3a7bd8e91ca30b501443e14e09bb49bd729650117b71ee
Opcode Fuzzy Hash: b04ba5caedf144eeb875c5d634dacea720d2e9b1876c80ca577194fcfae269f7
Instruction Fuzzy Hash: 1A517476900228EBCB10EB94CDC5ADE73BCAF44314F1446B6A505F72C1E678EE409B59

Uniqueness

Uniqueness Score: -1.00%

Function 007942A8, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 260fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB,?,?,?,?,00000000,00000000), ref: 00794367
FindClose.KERNEL32(000000FF,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB,?,?,?,?,00000000), ref: 00794379
FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 00794536
FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 00794547
FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 0079455C
FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000,007946AB), ref: 0079456E
FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000,?,00000000), ref: 0079466A
FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00000000,00000064,00000000,00000000), ref: 0079467B

Part of subcall function 007942A8: FindClose.KERNEL32(000000FF), ref: 0079448A

Strings

$IGNORE$, xrefs: 00794301
*.*, xrefs: 0079434E
dxD, xrefs: 0079430D

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: $IGNORE$$*.*$dxD
API String ID: 3527384056-1668806599
Opcode ID: 0ca9cdae76652d41ac622ccf3a5bcac9f3a953c23b400b37e8c6532243a88ea4
Instruction ID: e1b80d9ff527bd2dbf90f37abcf2fb7d5bc5ee44b63da5edd6403852173e2c8f
Opcode Fuzzy Hash: 0ca9cdae76652d41ac622ccf3a5bcac9f3a953c23b400b37e8c6532243a88ea4
Instruction Fuzzy Hash: E0B16E74A0421A9FCF20EBA5D889FDDB3B5EF45304F1041E6E508A7291DB38AE86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00794724, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 219fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920,00000000), ref: 007947B6
FindClose.KERNEL32(000000FF,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920), ref: 007947C8
FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E), ref: 0079496C
FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001), ref: 0079497D
FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000), ref: 00794992
FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000), ref: 007949A4
FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B,?,?,?,?,00000053), ref: 00794A4A
FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,00794A8B), ref: 00794A5B

Strings

*.*, xrefs: 0079479D
dxD, xrefs: 0079475C

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: *.*$dxD
API String ID: 1164774033-3064973229
Opcode ID: 48861e728c33fcb31fb06544e2d3f24791516a9b7d6b355fd16156afaa90fea4
Instruction ID: ff152c514afcea9cfc9e838b5402cdfe4aa7c3f6c782aca87fd93a1163c2126f
Opcode Fuzzy Hash: 48861e728c33fcb31fb06544e2d3f24791516a9b7d6b355fd16156afaa90fea4
Instruction Fuzzy Hash: 1591417490421E9FCF20EBA5D889EDDB7B5EF44308F1041E9E508A7291DB38AE86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00596518, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 182fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005965A2
FindClose.KERNEL32(000000FF,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005965B4
FindNextFileW.KERNEL32(000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000,00769010), ref: 005966BD
FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000,?,00768DD4,00000000), ref: 005966CE
FindFirstFileW.KERNEL32(00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000), ref: 005966E3
FindClose.KERNEL32(000000FF,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000,00000000), ref: 005966F5
FindNextFileW.KERNEL32(000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000,00000000), ref: 0059679B
FindClose.KERNEL32(000000FF,000000FF,?,00000000,?,000000FF,000000FF,?,00000000,?,00000000,005967DC,?,?,00000000,00000000), ref: 005967AC

Strings

*.*, xrefs: 00596589
dxD, xrefs: 00596548

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: *.*$dxD
API String ID: 1164774033-3064973229
Opcode ID: 923b812e680f5dd07e6239f800a0fc17d47a8c003e3a36ed88f83db44a91d92a
Instruction ID: 36c3d6617cd4af2a79d1d750f7a8f62ae953cbc5bd5202a4d3b83fbe1fa0981b
Opcode Fuzzy Hash: 923b812e680f5dd07e6239f800a0fc17d47a8c003e3a36ed88f83db44a91d92a
Instruction Fuzzy Hash: 8371527490421E9FCF10EBA5C889ADDBBB9FF44308F1041E6E508A7295DB34AE89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00794720, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920,00000000), ref: 007947B6
FindClose.KERNEL32(000000FF,00000000,?,00000000,00794A8B,?,?,?,?,00000053,00000000,00000000,00000001,?,007D979E,007D9920), ref: 007947C8

Strings

*.*, xrefs: 0079479D
dxD, xrefs: 0079475C

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Find$CloseFileFirst
String ID: *.*$dxD
API String ID: 2295610775-3064973229
Opcode ID: f2b3fefebb37129a0a1e6f182d7a70ee6f754dab094e66b77317f835a39bf437
Instruction ID: 1a731755e4436f46a0472c1f2d3eaa4540c5553183ac843544b75001628e15ed
Opcode Fuzzy Hash: f2b3fefebb37129a0a1e6f182d7a70ee6f754dab094e66b77317f835a39bf437
Instruction Fuzzy Hash: 61217F70904249AFDF11EBA4DC86EDEB7B8EF45304F5085AAE504A3291DB385E46CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004580E4, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?,?,00000000,?,00451E89), ref: 004580FB
LoadResource.KERNEL32(00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?,?,00000000), ref: 00458115
SizeofResource.KERNEL32(00000000,00458180,00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000, E,?), ref: 0045812F
LockResource.KERNEL32(00456D84,00000000,00000000,00458180,00000000,00458180,00000000,?,00000000,0044930C,00000000,00000001,00000000,?,00457FD2,00000000), ref: 00458139

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 414d090d51e5c97bb2d7871269b0df026c3f90b3cc5e867df6ac2b737ce49eed
Instruction ID: ade0e4e0a8cbb3b7b760c1b632ec3f7ae6df1f7590847d81dfa81050c3fea11b
Opcode Fuzzy Hash: 414d090d51e5c97bb2d7871269b0df026c3f90b3cc5e867df6ac2b737ce49eed
Instruction Fuzzy Hash: 95F04BB26056046F4B44EF6EA881DAB77DCEE88265314016FFE18D7203EE39DD058378

Uniqueness

Uniqueness Score: -1.00%

Function 00422390, Relevance: 3.1, APIs: 2, Instructions: 92COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32(00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223CD
QueryDosDeviceW.KERNEL32(?,?,00000104,00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223F7

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: DeviceDriveLogicalQueryStrings
String ID:
API String ID: 3173366581-0
Opcode ID: 9563d0ab6aaf4842d0edd40f2f0d35f435b585cc995c796c0a937676d6f7830c
Instruction ID: 354671eaa8e3175f811fc1bd7a604b5dd3e2e35648643b3f32a5b14cd8c5f9cd
Opcode Fuzzy Hash: 9563d0ab6aaf4842d0edd40f2f0d35f435b585cc995c796c0a937676d6f7830c
Instruction Fuzzy Hash: 81319671B00219ABDB20DB64DD81A9EB7B8EF48314F5440AAE904E7351D778DE44CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00412E5C, Relevance: 35.1, APIs: 1, Strings: 19, Instructions: 132libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(PSAPI.dll,00000000,0041334D,00000000,00000000,00000000,?,00422706,00000104,00000000,0042275A,?,000003EE,00000004,00000000,00000000), ref: 00412E70

Strings

GetModuleBaseNameA, xrefs: 00412ECC
GetDeviceDriverBaseNameW, xrefs: 00412F6E, 00412FDA
PSAPI.dll, xrefs: 00412E6B
EnumProcesses, xrefs: 00412E84
GetModuleInformation, xrefs: 00412F14
GetDeviceDriverBaseNameA, xrefs: 00412FA4
EnumDeviceDrivers, xrefs: 00412FFE
GetModuleFileNameExA, xrefs: 00412EDE
GetDeviceDriverFileNameA, xrefs: 00412FB6
EmptyWorkingSet, xrefs: 00412F26
GetModuleBaseNameW, xrefs: 00412EA8, 00412EF0
InitializeProcessForWsWatch, xrefs: 00412F4A
GetDeviceDriverFileNameW, xrefs: 00412F80, 00412FEC
EnumProcessModules, xrefs: 00412E96
QueryWorkingSet, xrefs: 00412F38
GetProcessMemoryInfo, xrefs: 00413010
GetMappedFileNameW, xrefs: 00412F5C, 00412FC8
GetModuleFileNameExW, xrefs: 00412EBA, 00412F02
GetMappedFileNameA, xrefs: 00412F92

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
API String ID: 1029625771-2267155864
Opcode ID: 6bac1b2b4a319ff33ccb8e8104650400bc02deb93b4b18c6396d2ce78b5e6f7a
Instruction ID: e8ef9a16514465b5e6b2cf852d3bc01d448d5d354a81a289e54fbc754b55e648
Opcode Fuzzy Hash: 6bac1b2b4a319ff33ccb8e8104650400bc02deb93b4b18c6396d2ce78b5e6f7a
Instruction Fuzzy Hash: 6D41FAB8A40318AF9F00EFB69CC6A9537A8BB06705710056FB514DF3A4DA78DA81CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2F0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 76stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000,00000000), ref: 0040C30E
LeaveCriticalSection.KERNEL32(00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000), ref: 0040C332
LeaveCriticalSection.KERNEL32(00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09,?,?,00000000,00000000), ref: 0040C341
IsValidLocale.KERNEL32(00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09), ref: 0040C353
EnterCriticalSection.KERNEL32(00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA,00000000,0040CD09), ref: 0040C3B0
lstrcpynW.KERNEL32(en-US,en,,00000000,000000AA,00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000,?,0040CCAA), ref: 0040C3CE
LeaveCriticalSection.KERNEL32(00843B88,en-US,en,,00000000,000000AA,00843B88,00000000,00000002,00843B88,00843B88,00000000,0040C3F3,?,?,?,00000000), ref: 0040C3D8

Strings

en-US,en,, xrefs: 0040C31E, 0040C3C9

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter$LocaleValidlstrcpyn
String ID: en-US,en,
API String ID: 1058953229-3579323720
Opcode ID: 633940988bd0bd6c9b287c41c329676b3fc209daa88bbceb5542c180f6a54ac6
Instruction ID: 840befadd27682b71f7f5cd4a757e932a44a81a62cff2673ef979b7a35d4f3a5
Opcode Fuzzy Hash: 633940988bd0bd6c9b287c41c329676b3fc209daa88bbceb5542c180f6a54ac6
Instruction Fuzzy Hash: 8421D834354708A7D7147BA68D57B1E3294EF85758F50453FB840F63D2CABC9D01929E

Uniqueness

Uniqueness Score: -1.00%

Function 00408ABC, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AF5
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?,?,00408C8A,004049FB,00404A42), ref: 00408AFB
GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75,?,?,?), ref: 00408B16
WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00408B75), ref: 00408B1C
MessageBoxA.USER32 ref: 00408B3A

Strings

Runtime error at 00000000, xrefs: 00408AEE, 00408B33
Error, xrefs: 00408B2E

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: d55f0b3ec2b3309b3ec7c4b4bf2282798b450c2c57fb01e50abc9738b356a3b2
Instruction ID: 883d27b1f089570435a1ec32665e41e73b0e3fe465dedc934fa18f7fcc10b570
Opcode Fuzzy Hash: d55f0b3ec2b3309b3ec7c4b4bf2282798b450c2c57fb01e50abc9738b356a3b2
Instruction Fuzzy Hash: 98F0A4A1A8024035FE107BA55E1EF56366CA751B19F10463FB160B56D2CABC68C4C619

Uniqueness

Uniqueness Score: -1.00%

Function 004039D8, Relevance: 10.9, APIs: 7, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff865de398dabf03235835d6a03df8d6bd4440262de3a292e4e093a064290b02
Instruction ID: 06de5c44b1e8d66e5792396b36ef80cda03d3281113913fe30758daa7217e7fe
Opcode Fuzzy Hash: ff865de398dabf03235835d6a03df8d6bd4440262de3a292e4e093a064290b02
Instruction Fuzzy Hash: 3EC14A627106000BE714AE7D9D8972EBA8D9BC5326F18823FF144EB3D6DA7CDE458348

Uniqueness

Uniqueness Score: -1.00%

Function 00407B44, Relevance: 10.6, APIs: 7, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00407F3C: GetCurrentThreadId.KERNEL32 ref: 00407F3F

GetTickCount.KERNEL32 ref: 00407B7B
GetTickCount.KERNEL32 ref: 00407B8D
GetCurrentThreadId.KERNEL32 ref: 00407BC0
GetTickCount.KERNEL32 ref: 00407BE7
GetTickCount.KERNEL32 ref: 00407C21
GetTickCount.KERNEL32 ref: 00407C4B
GetCurrentThreadId.KERNEL32 ref: 00407CC1

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CountTick$CurrentThread
String ID:
API String ID: 3968769311-0
Opcode ID: 5369a3ff8cf9b08d90c4e116274b425cc6b0c131ff5b93987916801eede752e2
Instruction ID: 505cc0ca4ebae022a0f1ed319f5fc283f6d826263fe70601ac970ffa21443408
Opcode Fuzzy Hash: 5369a3ff8cf9b08d90c4e116274b425cc6b0c131ff5b93987916801eede752e2
Instruction Fuzzy Hash: 88418F30A0C3444AE720AE7CC58832F7BD1AB85344F15893FE4D4A73C2DABCA881975B

Uniqueness

Uniqueness Score: -1.00%

Function 005A6F04, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shfolder.dll,00000000,005A6FF3), ref: 005A6F30

Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800

GetDesktopWindow.USER32 ref: 005A6F69
GetShortPathNameW.KERNEL32 ref: 005A6F96
FreeLibrary.KERNEL32(00000000,00000000,SHGetFolderPathW,shfolder.dll,00000000,005A6FF3), ref: 005A6FD0

Strings

SHGetFolderPathW, xrefs: 005A6F3F
shfolder.dll, xrefs: 005A6F2B

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Library$AddressDesktopFreeLoadNamePathProcShortWindow
String ID: SHGetFolderPathW$shfolder.dll
API String ID: 190074832-3387970553
Opcode ID: 31a51a6c87f614c9f7c1187207f5dc5a0d7fce9b88a45971a8966e53014efcb9
Instruction ID: ec3bacc96b391dfa64664bada29a1a1cad6acc7f1103c9f38b08fc0397cb3db3
Opcode Fuzzy Hash: 31a51a6c87f614c9f7c1187207f5dc5a0d7fce9b88a45971a8966e53014efcb9
Instruction Fuzzy Hash: 7021C775E4420AAFCB00EBA5DC51AAEBBB8FF46704F14447AF504F7294DB349E008B58

Uniqueness

Uniqueness Score: -1.00%

Function 00407900, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation,00000001), ref: 00407916
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040791C
GetLastError.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation,00000001), ref: 00407938

Strings

GetLogicalProcessorInformation, xrefs: 0040790C
kernel32.dll, xrefs: 00407911
k, xrefs: 00407950

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GetLogicalProcessorInformation$kernel32.dll$k
API String ID: 4275029093-3824636038
Opcode ID: bc1493411cf7a1fdcbc33e286c73cc8e5e4d51c8ea2d0e9cf86bcd57a426165a
Instruction ID: 3ef7fc8a316c6a40be9ae1a577b33141ba89fc8532ffa234138abc26abf6d127
Opcode Fuzzy Hash: bc1493411cf7a1fdcbc33e286c73cc8e5e4d51c8ea2d0e9cf86bcd57a426165a
Instruction Fuzzy Hash: 72116AB1D0C204AEFB10EBA5DE45B5EB7A9EB44314F20447BE404B22C2D67DB940D66E

Uniqueness

Uniqueness Score: -1.00%

Function 004225AC, Relevance: 9.2, APIs: 6, Instructions: 161fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(?,?), ref: 00422609
CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000001,00000000,?,?), ref: 0042269F
MapViewOfFile.KERNEL32(000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000,00000001,00000000,?), ref: 004226CE
GetCurrentProcess.KERNEL32(00000104,00000000,0042275A,?,000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000), ref: 004226F3
UnmapViewOfFile.KERNEL32(00000000,00422761,?,000003EE,00000004,00000000,00000000,00000001,00000000,00422778,?,?,00000000,00000002,00000000,00000001), ref: 00422754

Part of subcall function 00422390: GetLogicalDriveStringsW.KERNEL32(00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223CD
Part of subcall function 00422390: QueryDosDeviceW.KERNEL32(?,?,00000104,00000104,?,00000000,004224B9,?,00000000,00000000,00000000), ref: 004223F7

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: File$View$CreateCurrentDeviceDriveLogicalMappingProcessQuerySizeStringsUnmap
String ID:
API String ID: 435433801-0
Opcode ID: 73ae006de74c5a6efbfeb4249140766e4eca8248ed6ba63f726dbea61ff99326
Instruction ID: 4187adb91f966debfcf9f471d10a7bce2dda35d7e6eeff07d021d263234a0034
Opcode Fuzzy Hash: 73ae006de74c5a6efbfeb4249140766e4eca8248ed6ba63f726dbea61ff99326
Instruction Fuzzy Hash: 88518F70B04219BFDB10EFA5D985B9EB7B5EB48304F9044EAE504A7291D7B89E80CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00768D4C, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 231fileCOMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,?,?,?,00000000,00000000,0000000B,00000000,00000000,00000001,?,007D984A,00000000,007D98E0), ref: 00768E99

Part of subcall function 00424BD8: DeleteFileW.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BE8
Part of subcall function 00424BD8: GetLastError.KERNEL32(00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000,00000000), ref: 00424BF7
Part of subcall function 00424BD8: GetFileAttributesW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000,00000000), ref: 00424BFF
Part of subcall function 00424BD8: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,0082E750,?,0082F194,?,mia,?,mia,.res,00000000), ref: 00424C1A

MoveFileW.KERNEL32(00000000), ref: 00768F33

Part of subcall function 0040717C: KiUserCallbackDispatcher.NTDLL(00408BE6,?,?,?,?,00408C8A,004049FB,00404A42,?,?,00404A5B,?,?,?,00000000,0082EED8), ref: 00407184

Strings

*.*, xrefs: 00768DBD

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: File$Attributes$CallbackDeleteDirectoryDispatcherErrorLastMoveRemoveUser
String ID: *.*
API String ID: 691102307-438819550
Opcode ID: 67e84289ecff61f33034e0fd06d8d97b73431112671c936c531bd7e4000b6789
Instruction ID: 0fa0777bf0979ef0c8522848ad50890eb5ff942d969ead750916ebb87b8794d9
Opcode Fuzzy Hash: 67e84289ecff61f33034e0fd06d8d97b73431112671c936c531bd7e4000b6789
Instruction Fuzzy Hash: 4691FC30A0010EAFDF01EBA9D845ACDB7B5FF58304F50856AF805B72A5DB35AE05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0043446C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043447B

Strings

|>C, xrefs: 004344BC

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: ClearVariant
String ID: |>C
API String ID: 1473721057-213533553
Opcode ID: f77f160c4784674292fd838c38f5d47e98ced0e3141dfb1bc3a2e06e65c17674
Instruction ID: 20914c188d6625644210769ee22846e9ff66e0570ff4a8d1b76d358979a87ea4
Opcode Fuzzy Hash: f77f160c4784674292fd838c38f5d47e98ced0e3141dfb1bc3a2e06e65c17674
Instruction Fuzzy Hash: 3D01D46070421086DB10AB25DA857E632985FAD308F20357BB0469B253CB7CFC46D76F

Uniqueness

Uniqueness Score: -1.00%

Function 007DBD68, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 007D6E80: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
Part of subcall function 007D6E80: GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,?,?,00794AFA), ref: 007DBD90

Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800

Strings

Wow64DisableWow64FsRedirection, xrefs: 007DBD86
kernel32.dll, xrefs: 007DBD8B
Win32, xrefs: 007DBD7A

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: HandleModule$AddressCurrentProcProcess
String ID: Win32$Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 4003494863-80893164
Opcode ID: 08872e14f903e4fc870fbfef4b6a36aa4199ea15be0b445078baef3c9e14c768
Instruction ID: b85d9e4078d9ce42f5daec457a4bd7b584622aa0e684e5eccdb4b4bfda696b28
Opcode Fuzzy Hash: 08872e14f903e4fc870fbfef4b6a36aa4199ea15be0b445078baef3c9e14c768
Instruction Fuzzy Hash: 30E02B20B41350E5CE10A7B598167A507B61E4DF8870A0427FD80A73D3DB5CCC0159E8

Uniqueness

Uniqueness Score: -1.00%

Function 007DBE3C, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 007D6E80: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C
Part of subcall function 007D6E80: GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E

GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,?,?,00794B5A,00794B62), ref: 007DBE64

Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800

Strings

Wow64RevertWow64FsRedirection, xrefs: 007DBE5A
Win32, xrefs: 007DBE4E
kernel32.dll, xrefs: 007DBE5F

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: HandleModule$AddressCurrentProcProcess
String ID: Win32$Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 4003494863-74661203
Opcode ID: 4b5169e114a068f3f1820069252d1bfd3dd91b72d2f48b51fada0d1a3b731179
Instruction ID: 5d07d555bf60436f01e20604474d777d017adacec3ea30256a2cc30a8457dad9
Opcode Fuzzy Hash: 4b5169e114a068f3f1820069252d1bfd3dd91b72d2f48b51fada0d1a3b731179
Instruction Fuzzy Hash: CDF0E561A013B0D5CE2063795815EE21FB82B45748F0A0927BF8097793D72CCC0D82A9

Uniqueness

Uniqueness Score: -1.00%

Function 007D6E80, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E8C

Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800

GetCurrentProcess.KERNEL32(?,00000000,kernel32,IsWow64Process,?,00000001,007DBD71,?,?,00794AFA), ref: 007D6E9E

Strings

IsWow64Process, xrefs: 007D6E82
kernel32, xrefs: 007D6E87

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: fbfa8b9be56232b2a7a050497b9336513c0f72992db566346c55723fb6780570
Instruction ID: 8f20da8456057496d7b22a05698da9075f8360932483dc278fb67f6f45ead45b
Opcode Fuzzy Hash: fbfa8b9be56232b2a7a050497b9336513c0f72992db566346c55723fb6780570
Instruction Fuzzy Hash: 7FE012BE7647436E6E0077F79C82D6B17AC9A90359710093BF540D0252EAADC855102D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1D4, Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C1E5
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040C243
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040C2A0
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040C2D3

Part of subcall function 0040C190: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040C251), ref: 0040C1A7
Part of subcall function 0040C190: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040C251), ref: 0040C1C4

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: bc24a83227e15b380631f55bd2f426ee2f9d90468bb3ecff20a5d0c17074213b
Instruction ID: 5adc0bea2c8af2d65c5d3e99b3eb73bb67b06f85e1b4683f9ecad5d3c1eab476
Opcode Fuzzy Hash: bc24a83227e15b380631f55bd2f426ee2f9d90468bb3ecff20a5d0c17074213b
Instruction Fuzzy Hash: 42310A70E0021ADBDB10EBE9C885AAFB7B8FF48314F4046BAE551F7295D7789A04CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00424AC0, Relevance: 6.1, APIs: 4, Instructions: 55timefileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(?,?), ref: 00424AD1
GetLastError.KERNEL32(?,?), ref: 00424ADA
FileTimeToLocalFileTime.KERNEL32(?), ref: 00424AF0
FileTimeToDosDateTime.KERNEL32 ref: 00424B01

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 9609eb00e04a689bd71bdebf9600531a51fed77c8bea1292b3844d585f781882
Instruction ID: fe6fac3a6ac03b6b4440619cae4f2eff92646066b65c4be4ccf9c54d9b613497
Opcode Fuzzy Hash: 9609eb00e04a689bd71bdebf9600531a51fed77c8bea1292b3844d585f781882
Instruction Fuzzy Hash: 5411ADB1700100AFDB44DF69C8C199777ECEF8834475485ABED04CB24EE638DC018BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004059B0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

oY@, xrefs: 00405A03, 00405A26
X(, xrefs: 004059C8

Memory Dump Source

Source File: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID:
String ID: oY@$X(
API String ID: 0-2454232136
Opcode ID: a3635da41d6ada84ed8f10af34513a83174d4b8c9a070eb1340295e14fa243af
Instruction ID: 657c74bf76a079fdf93a688482b863b4ef09bc5b766970fd558e04562a456c78
Opcode Fuzzy Hash: a3635da41d6ada84ed8f10af34513a83174d4b8c9a070eb1340295e14fa243af
Instruction Fuzzy Hash: F351D431A045A88BCB11DB69C4957AF7BB4DF51304F0801BB9885BB2C7D63C9E05DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00424358, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 0042483C: GetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000001,0042498E,00000000,004249F7,?,?,00000000,00000000,00000000,00000000), ref: 00424852

GetVolumeInformationW.KERNEL32(00000000,?,00000104,?,?,?,?,00000104,00000000,0042448C,?,00000000,?), ref: 004243F3
GetDriveTypeW.KERNEL32(00000000), ref: 00424418

Part of subcall function 004247A4: GetFileAttributesW.KERNEL32(00000000,?,00000000,?,0042282A,?,00000000,00000001), ref: 004247B5

Strings

d5A, xrefs: 00424445

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: AttributesFile$DriveInformationTypeVolume
String ID: d5A
API String ID: 2660071179-326437214
Opcode ID: 2fa643a2496d0fd72efea3c911f6a909d600cda9c01ece4b0853edc21ea82aae
Instruction ID: bd563c539b1aab59f9bd9d3b06265d9c66015eb71dfd5a6194938a33824a214f
Opcode Fuzzy Hash: 2fa643a2496d0fd72efea3c911f6a909d600cda9c01ece4b0853edc21ea82aae
Instruction Fuzzy Hash: CE31D870B002285ADB11FB55E8427DD77A8EF84708FC441ABE904A3292DB3C5F45DE5C

Uniqueness

Uniqueness Score: -1.00%

Function 00434D0C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32 ref: 00434D2D

Part of subcall function 0043446C: VariantClear.OLEAUT32 ref: 0043447B

Strings

|>C, xrefs: 00434DA7

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Variant$ClearCopy
String ID: |>C
API String ID: 274517740-213533553
Opcode ID: 8771a4346e2b20afc04fff4dabda3d31eb32952cc78d6270db85b0f1906f051e
Instruction ID: 6a0268472f155fb589513e0d0a9dd18b4d2ee9e8d712b2481dc583d533d54a34
Opcode Fuzzy Hash: 8771a4346e2b20afc04fff4dabda3d31eb32952cc78d6270db85b0f1906f051e
Instruction Fuzzy Hash: 9B21743030021097DB31AF29E4815E777E69FCD750F10A46BE84A8B356DA3CEC82C66E

Uniqueness

Uniqueness Score: -1.00%

Function 004224C8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(NTDLL.DLL,NtQueryObject,00000000,00000000), ref: 004224EE

Part of subcall function 004117DC: GetProcAddress.KERNEL32(00000000,?), ref: 00411800

Strings

NTDLL.DLL, xrefs: 004224E9
NtQueryObject, xrefs: 004224E4

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NTDLL.DLL$NtQueryObject
API String ID: 1646373207-3865875859
Opcode ID: 39398ca4bf87bed804ca7380330e155dc5bba8e055c56731faf510cc40fa8a3d
Instruction ID: 9e746bf49908d423d3971de1d80f05601bd15af5f2909352a40ec1968959bb51
Opcode Fuzzy Hash: 39398ca4bf87bed804ca7380330e155dc5bba8e055c56731faf510cc40fa8a3d
Instruction Fuzzy Hash: B511D075B04218BFDB10EB69ED42B9A77A9F748704F908166F504E2690D7B9AF80C64C

Uniqueness

Uniqueness Score: -1.00%

Function 00727788, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 007277C9
EnterCriticalSection.KERNEL32(?,00000000,00000000,00000000,00727CFF,?,?,?,00000000,00000000,?,0079430B,00000000,00000000,00000064,00000000), ref: 007277E7

Strings

MYAH_LastDelegateTick, xrefs: 007277BF

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CountCriticalEnterSectionTick
String ID: MYAH_LastDelegateTick
API String ID: 3768448988-2068939020
Opcode ID: f31822922213138ce3fe090be8c89be9b548e68764eb31a017cd2d7e69c75ab1
Instruction ID: 95fd4d6d8b0e3682352c819f8c199af7319d83189056b2244fd3ddde9cc2d5dd
Opcode Fuzzy Hash: f31822922213138ce3fe090be8c89be9b548e68764eb31a017cd2d7e69c75ab1
Instruction Fuzzy Hash: 7B119A74A00318AFDB04DBA9DD52E9DB7F9FB89704F504476F804E7391DA38AE00CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00430448, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(0047861C,00000000), ref: 00430464
GetCPInfo.KERNEL32(00430548,?,0047861C,00000000), ref: 00430485

Strings

L.A, xrefs: 0043048E

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: Info
String ID: L.A
API String ID: 1807457897-2350765468
Opcode ID: f1b999f04b8e8a33df948de643add4a0adb174aea7c6854597c24c0f6f97d03b
Instruction ID: 72b6eb4a1d13dc2dce76246ebe218213dd2c0921c4328f3486b9e526878d4afa
Opcode Fuzzy Hash: f1b999f04b8e8a33df948de643add4a0adb174aea7c6854597c24c0f6f97d03b
Instruction Fuzzy Hash: 2C014972A017058FC320EF69C541997B7E4AF18360B00863FFD95C3361EA39E9008BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00595640, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,00000000,005956AB,?,00000001,00000001,00000000,?,005957A1,00000000,005957C6,?,00000000,00000000,00000000), ref: 00595661
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,00000000,005956AB,?,00000001,00000001,00000000,?,005957A1,00000000,005957C6,?,00000000), ref: 0059568A

Strings

\\?\, xrefs: 00595677

Memory Dump Source

Source File: 00000001.00000002.340725435.000000000041A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.340683289.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.340715108.0000000000415000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.341205482.0000000000830000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341211202.0000000000831000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341216628.0000000000832000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341222150.0000000000834000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341228731.0000000000837000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341236952.0000000000840000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341242158.0000000000841000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341248001.0000000000845000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341254405.0000000000857000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341261940.000000000085B000.00000008.00020000.sdmp Download File
Associated: 00000001.00000002.341268248.000000000085F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.341275301.00000000008B6000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341302726.00000000008FB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.341312774.0000000000909000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_LI-180_Installer.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID: \\?\
API String ID: 4241100979-4282027825
Opcode ID: e0a3bdc70c04e78168105b659149bbbb16886a6d6c0cca47080108260c0900a7
Instruction ID: 9f5430ab1e94a2cdd9dae8f072e860b2ef55c5aa2821298d1840839241b5f79c
Opcode Fuzzy Hash: e0a3bdc70c04e78168105b659149bbbb16886a6d6c0cca47080108260c0900a7
Instruction Fuzzy Hash: CFF0F0702447047BDF11EBA5CCA2B9D76DDEB86B08F91083AF400E35D1EA799D104669

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Network protocol analysis
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report LI180_win-1.5.1.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Startup

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Function 00413F63, Relevance: 71.0, APIs: 21, Strings: 19, Instructions: 1027
windowprocesssynchronizationCOMMON

Function 00409263, Relevance: 4.6, APIs: 3, Instructions: 62
fileCOMMON

Function 00413849, Relevance: 3.0, APIs: 2, Instructions: 44
comCOMMON

Function 00413A48, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81
registryCOMMON

Function 004107BB, Relevance: 15.1, APIs: 10, Instructions: 129
windowCOMMON

Function 00417A38, Relevance: 12.0, APIs: 8, Instructions: 42
threadCOMMON

Function 0040255F, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 431
COMMON

Function 0040543E, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 272
COMMON

Function 00405E50, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 198
COMMON

Function 0041203E, Relevance: 10.6, APIs: 7, Instructions: 93
windowtimeCOMMON

Function 00401ADB, Relevance: 9.4, APIs: 4, Strings: 1, Instructions: 607
COMMON

Function 00417ABB, Relevance: 9.1, APIs: 6, Instructions: 71
threadCOMMON

Function 004109DE, Relevance: 7.6, APIs: 5, Instructions: 53
filetimeCOMMON

Function 004174DE, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Function 00410B45, Relevance: 6.0, APIs: 4, Instructions: 39
COMMON

Function 004179BA, Relevance: 6.0, APIs: 4, Instructions: 19
threadCOMMON

Function 0040BD49, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 288
COMMON

Function 00404515, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149
COMMON

Function 00412324, Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Function 004123C2, Relevance: 4.6, APIs: 3, Instructions: 50
COMMON

Function 00409899, Relevance: 4.5, APIs: 3, Instructions: 46
fileCOMMON

Function 00410BBB, Relevance: 4.5, APIs: 3, Instructions: 38
fileCOMMON

Function 00410A7A, Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Function 0040AA23, Relevance: 4.5, APIs: 3, Instructions: 33
COMMON

Function 00410AE4, Relevance: 4.5, APIs: 3, Instructions: 32
COMMON

Function 0040177A, Relevance: 4.5, APIs: 3, Instructions: 25
COMMON

Function 0040193F, Relevance: 4.5, APIs: 3, Instructions: 16
COMMON

Function 00413320, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
COMMON

Function 00412970, Relevance: 3.3, APIs: 2, Instructions: 335
COMMON

Function 00410F49, Relevance: 3.1, APIs: 2, Instructions: 146
COMMON

Function 00413CE0, Relevance: 3.1, APIs: 2, Instructions: 136
COMMON

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre