Analysis Report LI180_win-1.5.1.exe

Overview

General Information

Sample Name: LI180_win-1.5.1.exe
Analysis ID: 358582
MD5: 77d64242fbd270b5363d383b51075783
SHA1: 4c23d1f71ff19b5c046d8b1d750104a386f184f9
SHA256: a48f199141b10a4d425fd128ac0bdfca75ec98741a3eacff11a67a3bbc4bde01

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

May use the Tor software to hide its network traffic
Sample is not signed and drops a device driver
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to detect Joe Sandbox
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus or Machine Learning detection for unpacked file
Source: 6.3.LI180_win-1.5.1.exe.524107f.7.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: LI180_win-1.5.1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Creates license or readme file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia2\license.rtf
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia3\license.rtf
Binary contains paths to debug symbols
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SiLib.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
Source: Binary string: gacutil.pdb, AH/@ source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
Source: Binary string: GameuxInstallHelper.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
Source: Binary string: gacutil.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SIUSBXP.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
Source: Binary string: gacutil.pdb(0 source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
Source: Binary string: DpInst.pdbH source: LI180_win-1.5.1.exe, 00000006.00000003.250489597.0000000004DF2000.00000004.00000001.sdmp
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdbp source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SiLib.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
Source: Binary string: DpInst.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp
Source: Binary string: gacutlrc.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
Source: Binary string: DpInst.pdbp source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW, 0_2_00409263
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW, 3_2_00409263
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_0040C9F8 FindFirstFileW,FindClose, 5_2_0040C9F8
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00424B48 FindFirstFileW,GetLastError, 5_2_00424B48
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 5_2_007942A8
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 5_2_0040C434
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00424548 FindFirstFileW,FindClose, 5_2_00424548
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 5_2_00596518
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00424764 FindFirstFileW,FindClose, 5_2_00424764
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00794720 FindFirstFileW,FindClose, 5_2_00794720
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 5_2_00794724
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_0040C9F8 FindFirstFileW,FindClose, 7_2_0040C9F8
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00424B48 FindFirstFileW,GetLastError, 7_2_00424B48
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 7_2_007942A8
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 7_2_0040C434
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00424548 FindFirstFileW,FindClose, 7_2_00424548
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 7_2_00596518
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00424764 FindFirstFileW,FindClose, 7_2_00424764
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00794720 FindFirstFileW,FindClose, 7_2_00794720
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 7_2_00794724
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_0040C9F8 FindFirstFileW,FindClose, 9_2_0040C9F8
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00424B48 FindFirstFileW,GetLastError, 9_2_00424B48
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 9_2_007942A8
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 9_2_0040C434
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00424548 FindFirstFileW,FindClose, 9_2_00424548
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 9_2_00596518
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00424764 FindFirstFileW,FindClose, 9_2_00424764
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00794720 FindFirstFileW,FindClose, 9_2_00794720
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 9_2_00794724
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00422390 GetLogicalDriveStringsW,QueryDosDeviceW, 5_2_00422390
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: LI180_win-1.5.1.exe, 00000006.00000003.251496835.000000000549A000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: LI180_win-1.5.1.exe, 00000006.00000003.251496835.000000000549A000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: LI-180_Installer.exe String found in binary or memory: http://standards.iso.org/iso/19770/-2/2008/schema.xsd
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp String found in binary or memory: http://support.steema.com
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp String found in binary or memory: http://support.uprtek.com/DB/uploads/SW/uSpectrum_Installer.zip
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp String found in binary or memory: http://support.uprtek.com/DB/uploads/SW/uSpectrum_Installer.zipM_VER_LAUNCH_INSTALLER_AFTER_DOWNLOAD
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp String found in binary or memory: http://support.uprtek.com/DB/uploads/SW/versions.asp?section=
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp String found in binary or memory: http://support.uprtek.com/DB/uploads/SW/versions.asp?section=&keyword=00SOFTWARE_PCUSPECTRUMLI-180
Source: LI180_win-1.5.1.exe, 00000006.00000003.241211436.0000000002D18000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/http://ascendercorp.com/eula10.html
Source: LI180_win-1.5.1.exe, 00000006.00000003.241211436.0000000002D18000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlThis
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp String found in binary or memory: http://www.indyproject.org/
Source: LI180_win-1.5.1.exe String found in binary or memory: http://www.installaware.com
Source: LI-180_Installer.exe String found in binary or memory: http://www.installaware.com/
Source: LI180_win-1.5.1.exe, 00000000.00000000.207294394.0000000000446000.00000002.00020000.sdmp, LI180_win-1.5.1.exe, 00000003.00000002.440771700.0000000000446000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000000.229057375.0000000000446000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp String found in binary or memory: http://www.installaware.comz
Source: LI-180_Installer.exe, 00000005.00000003.363557816.00000000028E4000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.435540527.0000000002A04000.00000004.00000001.sdmp String found in binary or memory: http://www.licor.com
Source: LI-180_Installer.exe, 00000005.00000003.363557816.00000000028E4000.00000004.00000001.sdmp String found in binary or memory: http://www.licor.com1g
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp String found in binary or memory: http://www.licor.comAbacusPosAP
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp String found in binary or memory: http://www.licor.comPut
Source: LI180_win-1.5.1.exe, 00000006.00000003.246440181.00000000041E8000.00000004.00000001.sdmp String found in binary or memory: http://www.quickreport.co.uk
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp String found in binary or memory: http://www.steema.com/exceptions/add.php?ide=
Source: LI180_win-1.5.1.exe, 00000006.00000003.246598775.0000000004253000.00000004.00000001.sdmp String found in binary or memory: http://www.uprtek.com
Source: LI180_win-1.5.1.exe, 00000006.00000003.241211436.0000000002D18000.00000004.00000001.sdmp String found in binary or memory: https://www.licor.com/

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe File created: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\SET2959.tmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\SET2CF3.tmp

System Summary:

Creates driver files
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
Creates files inside the driver directory
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Windows\Fonts\mdd_0.ttf
Deletes files inside the Windows folder
Source: C:\Windows\System32\drvinst.exe File deleted: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\SET2CF3.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00415060 0_2_00415060
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040D0E1 0_2_0040D0E1
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00416135 0_2_00416135
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041A3D8 0_2_0041A3D8
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00415535 0_2_00415535
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040D67F 0_2_0040D67F
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040F949 0_2_0040F949
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00415909 0_2_00415909
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040CA77 0_2_0040CA77
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040CB18 0_2_0040CB18
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040CCB9 0_2_0040CCB9
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00415D15 0_2_00415D15
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040EE50 0_2_0040EE50
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00415060 3_2_00415060
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0040D0E1 3_2_0040D0E1
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00416135 3_2_00416135
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0041A3D8 3_2_0041A3D8
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00415535 3_2_00415535
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0040D67F 3_2_0040D67F
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0040F949 3_2_0040F949
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00415909 3_2_00415909
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0040CA77 3_2_0040CA77
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0040CB18 3_2_0040CB18
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0040CCB9 3_2_0040CCB9
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00415D15 3_2_00415D15
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0040EE50 3_2_0040EE50
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006A6132 6_2_006A6132
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006A36F9 6_2_006A36F9
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006A6394 6_2_006A6394
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00417B6C appears 72 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00408BFB appears 78 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00419DCD appears 40 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 0040110F appears 42 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00416B21 appears 328 times
PE file contains strange resources
Source: LI180_win-1.5.1.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z6C81.tmp.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z9094.tmp.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7zAEDA.tmp.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: LI180_win-1.5.1.exe, 00000000.00000002.373951660.0000000006290000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDPInst.exed" vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDPInst.exe vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDPInst.exe|. vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDPInst.exex, vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDPInst.exep( vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDPInst.exev+ vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDPInst.exel& vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDPInst.exef# vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDPInst.exe~/ vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250931265.000000000510A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSiUSBXp.dll^ vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.251496835.000000000549A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInstall Fonts EXE-PlugIn.dllb vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSiLib.sys: vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSiUSBXp.sys4 vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp Binary or memory string: OriginalFilename7za.dll, vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameahadmin_wrapper.dll4 vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameahadmin_.dll4 vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGameuxInstallHelper.DLLb! vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagedVCL.Utils.dll8 vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamegacutil.exeT vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamegacutlrc.dllT vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamez vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDriverUninstaller.EXE\ vs LI180_win-1.5.1.exe
Source: LI180_win-1.5.1.exe, 00000006.00000003.250472439.0000000004DC3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDriverInstaller.EXEX vs LI180_win-1.5.1.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: LI180_win-1.5.1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Yara signature match
Source: 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
Source: 6.3.LI180_win-1.5.1.exe.4a26f2d.2.raw.unpack, type: UNPACKEDPE Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
Source: 6.3.LI180_win-1.5.1.exe.4a6de91.1.raw.unpack, type: UNPACKEDPE Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
Source: 6.3.LI180_win-1.5.1.exe.49efe49.0.raw.unpack, type: UNPACKEDPE Matched rule: wce author = Benjamin DELPY (gentilkiwi), description = wce, tool_author = Hernan Ochoa (hernano)
Source: classification engine Classification label: sus24.evad.winEXE@25/329@0/0
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00413849 GetVersion,CoCreateInstance, 0_2_00413849
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_004580E4 FindResourceW,LoadResource,SizeofResource,LockResource, 5_2_004580E4
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\III
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp
Source: Yara match File source: 00000007.00000002.436036201.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.220729543.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.240817220.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.365949465.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.257055940.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.405809578.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe, type: DROPPED
Source: Yara match File source: dropped/LI-180_Installer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, type: DROPPED
Source: Yara match File source: 9.0.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: X~H 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: "-k= 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: "/k= 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: -k= 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: /k= 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: ;!@InstallEnd@! 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: BB 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: Title 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: Directory 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: RunProgram 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: ExecuteFile 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: setup.exe 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: %%T 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: %%T\ 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: "-k= 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: "/k= 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: -k= 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: /k= 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: ;!@InstallEnd@! 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: BB 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: Title 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: Directory 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: RunProgram 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: ExecuteFile 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: setup.exe 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: %%T 3_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: %%T\ 3_2_00413F63
Source: LI180_win-1.5.1.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: LI-180_Installer.exe String found in binary or memory: <!--StartFragment-->
Source: LI-180_Installer.exe String found in binary or memory: Start/Stop Count
Source: LI-180_Installer.exe String found in binary or memory: NATS-SEFI-ADD
Source: LI-180_Installer.exe String found in binary or memory: NATS-DANO-ADD
Source: LI-180_Installer.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: LI-180_Installer.exe String found in binary or memory: jp-ocr-b-add
Source: LI-180_Installer.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: LI-180_Installer.exe String found in binary or memory: jp-ocr-hand-add
Source: LI-180_Installer.exe String found in binary or memory: ISO_6937-2-add
Source: LI-180_Installer.exe String found in binary or memory: </InstallAware>
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File read: C:\Users\user\Desktop\LI180_win-1.5.1.exe
Source: unknown Process created: C:\Users\user\Desktop\LI180_win-1.5.1.exe 'C:\Users\user\Desktop\LI180_win-1.5.1.exe' -install
Source: unknown Process created: C:\Users\user\Desktop\LI180_win-1.5.1.exe 'C:\Users\user\Desktop\LI180_win-1.5.1.exe' /install
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe .\LI-180_Installer.exe -install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
Source: unknown Process created: C:\Users\user\Desktop\LI180_win-1.5.1.exe 'C:\Users\user\Desktop\LI180_win-1.5.1.exe' /load
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /load /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 71E95B410ABC515A6ABA0566A4073125
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: unknown Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '4' '0' 'C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\siusbxp.inf' '9' '4ae43d7fb' '00000000000001BC' 'WinSta0\Default' '00000000000001C0' '208' 'c:\progra~2\li-180~1\driver'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CCF296E1DF7FA7E357D3B10A86C0BEB2
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FCA266DDB967C0E28D252C5FC68B1467
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Process created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe .\LI-180_Installer.exe -install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Process created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /install /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Process created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /load /m='C:\Users\user\Desktop\LI180_~1.EXE' /k=''
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File written: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\6C0AF2E8\BE4A257\LICORlang.ini
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Window found: window name: TButton
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Automated click: I accept the terms of the license agreement
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Automated click: I accept the terms of the license agreement
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Automated click: I accept the terms of the license agreement
Source: Window Recorder Window detected: More than 3 window changes detected
Source: LI180_win-1.5.1.exe Static file information: File size 10630347 > 1048576
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SiLib.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
Source: Binary string: gacutil.pdb, AH/@ source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
Source: Binary string: GameuxInstallHelper.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
Source: Binary string: gacutil.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SIUSBXP.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
Source: Binary string: gacutil.pdb(0 source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
Source: Binary string: DpInst.pdbH source: LI180_win-1.5.1.exe, 00000006.00000003.250489597.0000000004DF2000.00000004.00000001.sdmp
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdbp source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SiLib.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.251103027.0000000005237000.00000004.00000001.sdmp
Source: Binary string: DpInst.pdb source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp
Source: Binary string: gacutlrc.pdb source: LI-180_Installer.exe, 00000005.00000003.225588284.000000007FD68000.00000004.00000001.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.249999611.00000000049C9000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000002.436696888.0000000000909000.00000002.00020000.sdmp, LI-180_Installer.exe, 00000009.00000000.258035124.0000000000909000.00000002.00020000.sdmp
Source: Binary string: DpInst.pdbp source: LI180_win-1.5.1.exe, 00000006.00000003.250538857.0000000004E7F000.00000004.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041C3CC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_0041C3CC
PE file contains an invalid checksum
Source: 7z6C81.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0xe8565
Source: 7z.dll.5.dr Static PE information: real checksum: 0x0 should be: 0xe8565
Source: 7z9094.tmp.7.dr Static PE information: real checksum: 0x0 should be: 0xe8565
Source: 7zAEDA.tmp.9.dr Static PE information: real checksum: 0x0 should be: 0xe8565
Source: LI180_win-1.5.1.exe Static PE information: real checksum: 0x4db7e should be:
PE file contains sections with non-standard names
Source: 7z6C81.tmp.5.dr Static PE information: section name: .sxdata
Source: 7z.dll.5.dr Static PE information: section name: .sxdata
Source: 7z9094.tmp.7.dr Static PE information: section name: .sxdata
Source: 7zAEDA.tmp.9.dr Static PE information: section name: .sxdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00416BF9 push ecx; ret 0_2_00416C0C
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00417BB1 push ecx; ret 0_2_00417BC4
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00416BF9 push ecx; ret 3_2_00416C0C
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00417BB1 push ecx; ret 3_2_00417BC4
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_0076889C push 00768B24h; ret 5_2_00768B1C
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_0076839C push 007686BAh; ret 5_2_007686B2
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_0045116C push ecx; mov dword ptr [esp], edx 5_2_00451171
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006A407C push es; retf 0000h 6_2_006A4096
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006A404D push es; ret 6_2_006A404E
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006A8C38 push ecx; retf 6_2_006A8CC2
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006AE408 pushfd ; retn 0000h 6_2_006AE409
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006B14B8 push esp; retf 6_2_006B14B9
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006A409B push es; retf 6_2_006A409E
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006AEAC4 push eax; ret 6_2_006AEAC5
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 6_2_006B136C push ds; retf 6_2_006B1371
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_0076889C push 00768B24h; ret 7_2_00768B1C
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_0076839C push 007686BAh; ret 7_2_007686B2
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_0045116C push ecx; mov dword ptr [esp], edx 7_2_00451171
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_0076889C push 00768B24h; ret 9_2_00768B1C
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_0076839C push 007686BAh; ret 9_2_007686B2
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_0045116C push ecx; mov dword ptr [esp], edx 9_2_00451171

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe File created: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SET298B.tmp Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\7zAEDA.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D34.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D33.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\Install Fonts EXE-PlugIn.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia2\mDIFxEXE.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\7z6C81.tmp Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\mDIFxEXE.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\III\7z.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\mia.lib Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\mia.lib Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe File created: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SET295B.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia3\mDIFxEXE.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\mia.lib Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia3\Install Fonts EXE-PlugIn.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia3\mMSIExec.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia2\mMSIExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia2\Install Fonts EXE-PlugIn.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\7z9094.tmp Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\IAW4D1E.tmp Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D34.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D33.tmp Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\mia.lib Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\mia.lib Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\mia.lib Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia2\license.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia3\license.rtf

Hooking and other Techniques for Hiding and Protection:

May use the Tor software to hide its network traffic
Source: LI-180_Installer.exe, 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.247441410.00000000045B7000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.243305718.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: torConnect
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\msiexec.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SET295B.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SET298B.tmp Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D34.tmp Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SET2D33.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia3\Install Fonts EXE-PlugIn.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia3\mMSIExec.dll
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia2\mMSIExec.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\Install Fonts EXE-PlugIn.dll
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia2\Install Fonts EXE-PlugIn.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IAW4D1E.tmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll
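The dropped files listed above include several PE images under .tmp names (SET2D33.tmp, IAW4D1E.tmp) and the SiUSBXp.sys driver that drvinst.exe stages next to its SiUSBXp.cat catalog. The first things a practitioner checks on such drops are the image architecture, whether the PE checksum is set and correct, and whether the file carries an embedded Authenticode signature. The script below is an added example and is not part of the Joe Sandbox report nor of LI-COR's or Silicon Labs' software; inspect_pe, pe_checksum and build_minimal_pe32 are names chosen for this example, and build_minimal_pe32 produces a constructed header-only PE32 used as sample input when no file is given. One caveat it encodes: kernel drivers are normally catalog-signed, so a .sys with no embedded signature is not necessarily unsigned; on Windows, verify the pair with `signtool verify /kp /c SiUSBXp.cat SiUSBXp.sys` before drawing a conclusion.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot that points at the Authenticode blob


def _headers(data: bytes):
    """Locate the optional header and data directories; raise ValueError if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                       # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        return "PE32", opt, opt + 96              # data directories start at +96 for PE32
    if magic == 0x20B:
        return "PE32+", opt, opt + 112            # and at +112 for PE32+
    raise ValueError("unknown optional header magic 0x%x" % magic)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as imagehlp's CheckSumMappedFile computes it: a 16-bit
    end-around-carry sum over every word of the file, skipping the 4-byte
    CheckSum field itself, plus the file length."""
    total = 0
    n = len(data)
    for off in range(0, n, 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        hi = data[off + 1] if off + 1 < n else 0  # an odd trailing byte is zero-padded
        total += data[off] | (hi << 8)
        total = (total >> 16) + (total & 0xFFFF)
    total = ((total >> 16) + total) & 0xFFFF
    return (total + n) & 0xFFFFFFFF


def inspect_pe(data: bytes) -> dict:
    """Architecture, checksum state and presence of an embedded Authenticode signature."""
    arch, opt, dirs = _headers(data)
    checksum_offset = opt + 64                    # CheckSum sits at +64 in both PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    computed = pe_checksum(data, checksum_offset)
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY and dirs + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1) <= len(data):
        sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "arch": arch,
        "checksum_stored": stored,
        "checksum_computed": computed,
        "checksum_set": stored != 0,              # 0 means the linker never filled it in
        "checksum_valid": stored == computed,
        # Embedded signature only; a catalog-signed driver legitimately shows False here.
        "embedded_signature": sec_off != 0 and sec_size != 0,
    }


def build_minimal_pe32(body: bytes = b"", checksum: int = 0, security_dir=(0, 0)) -> bytes:
    """Constructed test input: a header-only PE32 (no sections, not loadable) that is
    just enough for inspect_pe(). Not derived from any file in the report."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, *security_dir)
    return dos + b"PE\0\0" + coff + bytes(opt) + body


SAMPLE_BODY = b"constructed sample body" * 8   # stands in for section data in the constructed sample

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe32(SAMPLE_BODY)
    for key, value in inspect_pe(data).items():
        print(f"{key}: {value}")
```

Run it against one of the staged .tmp files or SiUSBXp.sys to get the architecture (the report's PE32 / PE32+ tags), whether the stored checksum matches the recomputed one, and whether an embedded signature is present; treat "embedded_signature: False" on a .sys as a prompt to check the catalog, not as a finding.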
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Queries keyboard layouts
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Tries to detect Joe Sandbox
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe File operation: C:\Users\user\AppData\Local\Temp\{13f65283-831c-8c4d-923b-fdfe8501521e}\x64\SiUSBXp.sys
Source: C:\Windows\System32\drvinst.exe File operation: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\x64\SiUSBXp.sys
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW, 0_2_00409263
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW, 3_2_00409263
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_0040C9F8 FindFirstFileW,FindClose, 5_2_0040C9F8
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00424B48 FindFirstFileW,GetLastError, 5_2_00424B48
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 5_2_007942A8
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 5_2_0040C434
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00424548 FindFirstFileW,FindClose, 5_2_00424548
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 5_2_00596518
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00424764 FindFirstFileW,FindClose, 5_2_00424764
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00794720 FindFirstFileW,FindClose, 5_2_00794720
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 5_2_00794724
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_0040C9F8 FindFirstFileW,FindClose, 7_2_0040C9F8
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00424B48 FindFirstFileW,GetLastError, 7_2_00424B48
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 7_2_007942A8
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 7_2_0040C434
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00424548 FindFirstFileW,FindClose, 7_2_00424548
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 7_2_00596518
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00424764 FindFirstFileW,FindClose, 7_2_00424764
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00794720 FindFirstFileW,FindClose, 7_2_00794720
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: 7_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 7_2_00794724
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_0040C9F8 FindFirstFileW,FindClose, 9_2_0040C9F8
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00424B48 FindFirstFileW,GetLastError, 9_2_00424B48
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 9_2_007942A8
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 9_2_0040C434
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00424548 FindFirstFileW,FindClose, 9_2_00424548
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 9_2_00596518
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00424764 FindFirstFileW,FindClose, 9_2_00424764
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00794720 FindFirstFileW,FindClose, 9_2_00794720
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: 9_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 9_2_00794724
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_00422390 GetLogicalDriveStringsW,QueryDosDeviceW, 5_2_00422390
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041B20D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041B20D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041C3CC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_0041C3CC
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041B20D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041B20D
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_004182E8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004182E8
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041B945 SetUnhandledExceptionFilter, 0_2_0041B945
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00416B12 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00416B12
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0041B20D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041B20D
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_004182E8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004182E8
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_0041B945 SetUnhandledExceptionFilter, 3_2_0041B945
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 3_2_00416B12 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00416B12
Source: LI-180_Installer.exe Binary or memory string: Shell_TrayWnd
Source: LI-180_Installer.exe Binary or memory string: Progman
Source: LI-180_Installer.exe, 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.247441410.00000000045B7000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.243305718.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: Progmanadvapi32.dllCreateProcessWithTokenW
Source: LI-180_Installer.exe, 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.247441410.00000000045B7000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.243305718.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: ProgmanU
Source: LI-180_Installer.exe, 00000005.00000002.366025602.000000000041A000.00000020.00020000.sdmp, LI180_win-1.5.1.exe, 00000006.00000003.247441410.00000000045B7000.00000004.00000001.sdmp, LI-180_Installer.exe, 00000007.00000003.243305718.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndU
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndS
Source: LI180_win-1.5.1.exe, 00000006.00000003.242473510.0000000003513000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040DA29 cpuid 0_2_0040DA29
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: GetLocaleInfoA, 0_2_004204E7
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: GetLocaleInfoA, 3_2_004204E7
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 5_2_0040CB30
Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_0040BFD8
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 7_2_0040CB30
Source: C:\Users\user\AppData\Local\Temp\7zS64E0.tmp\LI-180_Installer.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_0040BFD8
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 9_2_0040CB30
Source: C:\Users\user\AppData\Local\Temp\7zS7952.tmp\LI-180_Installer.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_0040BFD8
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{c6046bf1-6c64-0e48-bda1-28966b32d534}\SiUSBXp.cat VolumeInformation
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041C0BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0041C0BC
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00413849 GetVersion,CoCreateInstance, 0_2_00413849
Source: C:\Windows\System32\drvinst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
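Several of the "Code function" chains in the Anti Debugging section and in this one are Visual C++ runtime boilerplate rather than evidence of evasion. The IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess sequence at 0_2_0041B20D and 0_2_00416B12 (and the 3_2_ copies) is the /GS stack-cookie failure handler __report_gsfailure, which calls IsDebuggerPresent only to decide whether an attached debugger gets to see the fault before the process is terminated; the GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter chain at 0_2_0041C0BC is the matching cookie seed routine __security_init_cookie; the __NMSG_WRITE,_raise,... chain at 0_2_004182E8 is the CRT's abort() path; and the LoadLibraryA/GetProcAddress/__encode_pointer chain at 0_2_0041C3CC is CRT start-up code resolving and EncodePointer-protecting kernel32 entry points. The script below is an added example, not part of the Joe Sandbox report, that filters such CRT boilerplate out of the evidence lines so that only chains still worth a look (the FindFirstFileW enumeration, cpuid, GetLocaleInfoA) remain. The pattern table is the example's own; the entry marked heuristic is an assumption, and REPORT_LINES is a constructed list quoting six lines from this report.

```python
import re
from typing import Dict, Iterable, List, Optional

# Ordered API subsequences that specific MSVC CRT routines emit. A report chain is
# labelled when every call in the pattern occurs in it, in this order, so extra calls
# the sandbox records around the core (e.g. a leading _memset) do not break the match.
CRT_PATTERNS: Dict[str, tuple] = {
    # /GS stack-cookie failure handler: IsDebuggerPresent decides whether to hand the
    # fault to an attached debugger before TerminateProcess.
    "__report_gsfailure": ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
                           "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"),
    # Cookie seeding at start-up: the five entropy sources every /GS binary reads.
    "__security_init_cookie": ("GetSystemTimeAsFileTime", "GetCurrentProcessId",
                               "GetCurrentThreadId", "GetTickCount", "QueryPerformanceCounter"),
    # abort() with _CALL_REPORTFAULT: runtime message, SIGABRT, then a synthetic
    # exception record is handed to the unhandled-exception filter.
    "abort": ("__NMSG_WRITE", "_raise", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"),
    # Assumption (heuristic): CRT start-up resolving kernel32 entry points and storing
    # them EncodePointer-protected; this is what "dynamically determine API calls" sees.
    "crt_encoded_pointer_init (heuristic)": ("LoadLibraryA", "GetProcAddress",
                                             "__encode_pointer", "__decode_pointer"),
}

# "Code function: <id> <api,api,...>, <id>"  or  "Code function: <api>, <id>"
LINE_RE = re.compile(
    r"Code function:\s+(?:(?P<id>\d+_\d+_[0-9A-Fa-f]+)\s+)?"
    r"(?P<chain>[A-Za-z0-9_,]+?),?\s+(?P<id2>\d+_\d+_[0-9A-Fa-f]+)\s*$"
)


def is_subsequence(needle: Iterable[str], haystack: List[str]) -> bool:
    """True if every element of needle appears in haystack in the same relative order."""
    it = iter(haystack)
    return all(api in it for api in needle)


def classify_chain(chain: str) -> Optional[str]:
    """Return the CRT routine a comma-separated API chain matches, or None."""
    apis = [a for a in chain.split(",") if a]
    for label, pattern in CRT_PATTERNS.items():
        if is_subsequence(pattern, apis):
            return label
    return None


def triage(lines: Iterable[str]) -> Dict[str, str]:
    """Map each function id in the evidence lines to a CRT label or 'review'."""
    result: Dict[str, str] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        result[m.group("id2")] = classify_chain(m.group("chain")) or "review"
    return result


# Constructed input: six evidence lines quoted from this report.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041B20D _memset,IsDebuggerPresent,"
    r"SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041B20D",
    r"Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041C3CC LoadLibraryA,GetProcAddress,"
    r"GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,"
    r"GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,"
    r"__decode_pointer,__decode_pointer,__decode_pointer, 0_2_0041C3CC",
    r"Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_004182E8 __NMSG_WRITE,_raise,_memset,"
    r"SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004182E8",
    r"Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041C0BC GetSystemTimeAsFileTime,"
    r"GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0041C0BC",
    r"Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040DA29 cpuid 0_2_0040DA29",
    r"Source: C:\Users\user\AppData\Local\Temp\7zS51C5.tmp\LI-180_Installer.exe Code function: 5_2_0040C9F8 "
    r"FindFirstFileW,FindClose, 5_2_0040C9F8",
]

if __name__ == "__main__":
    for func_id, label in triage(REPORT_LINES).items():
        print(f"{func_id}: {label}")
```

Feeding the report's full set of "Code function" lines through triage() leaves the LI-180_Installer.exe file-enumeration and locale chains plus the cpuid function as "review"; those are what an analyst should actually read, and for an installer that enumerates its own payload directories they are expected behaviour.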
Behavior Graph (ID 358582; rendered as an image in the original, only the recoverable content is kept here):

Sample: LI180_win-1.5.1.exe   Startdate: 25/02/2021   Architecture: WINDOWS   Score: 24
Graph-level signature: May use the Tor software to hide its network traffic

LI180_win-1.5.1.exe (first instance)
  dropped: 14 other files (4 malicious)
  signature: Sample is not signed and drops a device driver
  started: LI-180_Installer.exe
    dropped: 6 other files (none is malicious)
    started: x64DPInst.exe
      dropped: C:\Users\user\AppData\Local\...\SET298B.tmp, PE32+
      dropped: C:\Users\user\AppData\Local\...\SET295B.tmp, PE32+
    started: x86DPInst.exe
LI180_win-1.5.1.exe (second instance)
  dropped: C:\Users\user\AppData\Local\...\SIUSBXP.sys, PE32+
  dropped: C:\Users\user\AppData\Local\...\SIUSBXP.sys, PE32
  dropped: C:\Users\user\AppData\Local\...\SiLib.sys, PE32
  dropped: 11 other files (1 malicious)
  started: LI-180_Installer.exe
    dropped: C:\Users\user\AppData\Local\...\mMSIExec.dll, PE32
    dropped: C:\Users\user\AppData\Local\...\mDIFxEXE.dll, PE32
    dropped: C:\Users\...\Install Fonts EXE-PlugIn.dll, PE32
    dropped: 3 other files (none is malicious)
    started: x64DPInst.exe
    started: x86DPInst.exe
LI180_win-1.5.1.exe (third instance)
  dropped: C:\Users\user\AppData\Local\...\SIUSBXP.sys, PE32+
  dropped: C:\Users\user\AppData\Local\...\SIUSBXP.sys, PE32
  dropped: 12 other files (2 malicious)
  started: LI-180_Installer.exe
    dropped: C:\Users\user\AppData\Local\...\mMSIExec.dll, PE32
    dropped: C:\Users\user\AppData\Local\...\mDIFxEXE.dll, PE32
    dropped: C:\Users\...\Install Fonts EXE-PlugIn.dll, PE32
    dropped: C:\Users\user\AppData\Local\Temp\7z9094.tmp, PE32
    started: x64DPInst.exe
    started: x86DPInst.exe
4 other processes
  dropped: 2 other files (none is malicious)
No contacted IP infos